Bug 1170036 - (CVE-2020-11958) VUL-1: CVE-2020-11958: re2c: heap overflow in Scanner:fill (scanner.cc)
(CVE-2020-11958)
VUL-1: CVE-2020-11958: re2c: heap overflow in Scanner:fill (scanner.cc)
Status: IN_PROGRESS
Classification: openSUSE
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Security
Current
Other Other
: P4 - Low : Normal (vote)
: Current
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/258062/
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2020-04-21 08:52 UTC by Alexandros Toptsoglou
Modified: 2021-03-26 20:57 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Alexandros Toptsoglou 2020-04-21 08:52:52 UTC
through oss 

Description:
re2c is a tool for generating C-based recognizers from regular expressions.

There is an heap overflow reproducible with a crafted file.

~ $ re2c -o /tmp/out $FILE
=================================================================
==43995==ERROR: AddressSanitizer: heap-buffer-overflow on address 
0x629000004212 at pc 0x00000049937f bp 0x7ffc0521bc00 sp 0x7ffc0521b3c8
WRITE of size 18 at 0x629000004212 thread T0
    #0 0x49937e in __asan_memset /var/tmp/portage/sys-libs/compiler-rt-
sanitizers-9.0.0/work/compiler-rt-9.0.0.src/lib/asan/
asan_interceptors_memintrinsics.cc:26:3
    #1 0x67a291 in re2c::Scanner::fill(unsigned long) /var/tmp/portage/dev-
util/re2c-1.3/work/re2c-1.3/src/parse/scanner.cc:167:9
    #2 0x682a51 in re2c::Scanner::echo(re2c::Output&) /var/tmp/portage/dev-
util/re2c-1.3/work/re2c-1.3/src/parse/lex.cc:94:33
    #3 0x61d5f4 in re2c::compile(re2c::Scanner&, re2c::Output&, re2c::Opt&) /
var/tmp/portage/dev-util/re2c-1.3/work/re2c-1.3/src/compile.cc:148:41
    #4 0x4cc668 in main /var/tmp/portage/dev-util/re2c-1.3/work/re2c-1.3/src/
main.cc:33:5
    #5 0x7f26392c9dca in __libc_start_main /var/tmp/portage/sys-libs/
glibc-2.29-r2/work/glibc-2.29/csu/../csu/libc-start.c:308:16
    #6 0x421d39  (/usr/bin/re2c+0x421d39)

0x629000004212 is located 0 bytes to the right of 16402-byte region 
[0x629000000200,0x629000004212)
allocated by thread T0 here:
    #0 0x4c949d in operator new[](unsigned long) /var/tmp/portage/sys-libs/
compiler-rt-sanitizers-9.0.0/work/compiler-rt-9.0.0.src/lib/asan/
asan_new_delete.cc:102:3
    #1 0x67a0f2 in re2c::Scanner::fill(unsigned long) /var/tmp/portage/dev-
util/re2c-1.3/work/re2c-1.3/src/parse/scanner.cc:154:22
    #2 0x682a51 in re2c::Scanner::echo(re2c::Output&) /var/tmp/portage/dev-
util/re2c-1.3/work/re2c-1.3/src/parse/lex.cc:94:33
    #3 0x61d5f4 in re2c::compile(re2c::Scanner&, re2c::Output&, re2c::Opt&) /
var/tmp/portage/dev-util/re2c-1.3/work/re2c-1.3/src/compile.cc:148:41
    #4 0x4cc668 in main /var/tmp/portage/dev-util/re2c-1.3/work/re2c-1.3/src/
main.cc:33:5
    #5 0x7f26392c9dca in __libc_start_main /var/tmp/portage/sys-libs/
glibc-2.29-r2/work/glibc-2.29/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /var/tmp/portage/sys-libs/
compiler-rt-sanitizers-9.0.0/work/compiler-rt-9.0.0.src/lib/asan/
asan_interceptors_memintrinsics.cc:26:3 in __asan_memset

Affected version:
1.3

Fixed version:
Will be 2.0

Commit fix:
https://github.com/skvadrik/re2c/commit/
c4603ba5ce229db83a2a4fb93e6d4b4e3ec3776a

Credit:
This bug was discovered by Agostino Sarubbo.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11958
http://seclists.org/oss-sec/2020/q2/43
http://blogs.gentoo.org/ago/2020/04/19/re2c-heap-overflow-in-scannerfill-scanner-cc/
Comment 1 Alexandros Toptsoglou 2020-04-21 08:54:43 UTC
Tracking Factory as affected. Please upgrade when a newer version is available. The issue seems to have been introduced in version 1.2. SLE seems not affected, since we ship older versions.
Comment 2 Kristyna Streitova 2021-03-26 20:57:36 UTC
We have re2c 2.0.3 in openSUSE:Factory now so it's been fixed there. I'm reassigning it back to the security team.