
[Bug 259] Allow filter "logwrite" to write to syslog
https://bugs.exim.org/show_bug.cgi?id=259

meweg65552 <meweg65552@unigeol.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |meweg65552@unigeol.com

--- Comment #3 from meweg65552 <meweg65552@unigeol.com> ---
(In reply to Philip Hazel from comment #0)
> (This item was imported from the WishList file, item 4/189.)
>
> I feel this is a dangerous facility, and also of very minority interest, at
> least for user's filters. Allowing a system filter to write to mainlog or
> syslog may be different. However, writing the main log would only be possible
> if the filter runs as root or exim.

The latest version of PCRE (pcre2-10.34-RC1, pcre2-10.33) is prone to a stack
overflow vulnerability in internal_dfa_match() (pcre2_dfa_match.c) which can be
triggered using a crafted regular expression. Upon execution of the crafted
regular expression, the function internal_dfa_match() calls itself recursively,
resulting in uncontrolled recursion. It exceeds the stack size limit (8 MB),
finally resulting in stack exhaustion. An attacker can potentially exploit
this issue to perform remote code execution or a denial of service attack.

=====================
Output of ASAN compiled library (-fsanitize=address)

Run as: ./pcre2test sbovf-input (attached herewith)

--------------------
ASAN:DEADLYSIGNAL

==17245==ERROR: AddressSanitizer: stack-overflow on address 0x7fffff7feff8 (pc
0x5555555afcc7 bp 0x7fffff7ff4b0 sp 0x7fffff7fefe0 T0)
#0 0x5555555afcc6 in internal_dfa_match src/pcre2_dfa_match.c:2859
#1 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
#2 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
#3 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
#4 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
#5 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
#6 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
#7 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
#8 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
#9 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
#10 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
...
<skipped>
...
#240 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
#241 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
#242 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
#243 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
#244 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
#245 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
#246 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
#247 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
#248 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
#249 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
#250 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871

SUMMARY: AddressSanitizer: stack-overflow src/pcre2_dfa_match.c:2859 in
internal_dfa_match
==17245==ABORTING

====================
With gdb
--------------------
$ gdb ./pcre2test

(gdb) r sbovf-input
Program received signal SIGSEGV, Segmentation fault.
0x00005555555aaab4 in internal_dfa_match (mb=mb@entry=0x7fffffff5800,
this_start_code=this_start_code@entry=0x611000000acf "\210",
current_subject=current_subject@entry=0x629000002eb1 '\200' <repeats 200
times>...,
start_offset=start_offset@entry=6522, offsets=offsets@entry=0x7fffec780030,
offsetcount=offsetcount@entry=1000,
workspace=0x7fffec781f70, wscount=1000,
rlevel=6522, RWS=0x7fffeb8c5800) at src/pcre2_dfa_match.c:533

--
You are receiving this mail because:
You are the QA Contact for the bug.
--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
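The failure mode described in comment #3 is a matcher whose recursion depth is driven by the input and is never checked against a budget, so the stack runs out before the matcher gives up. The following is an added example, not pcre2 code and not code from this bug thread: a tiny Kernighan-style backtracking matcher (literals, `.`, `c*`, `^`, `$`) in which every nested call carries an explicit depth counter and the matcher fails closed with a distinct error code once the budget is spent. All names (`match_bounded`, `match_here`, `match_star`, `MATCH_DEPTH_EXCEEDED`) and the sample patterns and subjects are hypothetical and constructed for the example.

```c
/* Added example (not pcre2 code): a minimal backtracking matcher with an
 * explicit recursion budget. Greedy 'c*' is implemented by recursion, so the
 * depth grows with the length of the subject; the budget turns what would be
 * stack exhaustion into a clean MATCH_DEPTH_EXCEEDED error. All names here
 * are hypothetical. */
#include <stdio.h>

enum { MATCH_NO = 0, MATCH_YES = 1, MATCH_DEPTH_EXCEEDED = -1 };

static int match_here(const char *re, const char *text,
                      unsigned depth, unsigned limit);

/* Greedy 'c*': each consumed subject character is one more frame, which is
 * exactly how input-driven recursion grows; the check on entry stops it. */
static int match_star(int c, const char *re, const char *text,
                      unsigned depth, unsigned limit)
{
    if (depth > limit)
        return MATCH_DEPTH_EXCEEDED;
    if (*text != '\0' && (c == '.' || *text == c)) {
        int r = match_star(c, re, text + 1, depth + 1, limit);
        if (r != MATCH_NO)          /* propagate a match or a budget error */
            return r;
    }
    return match_here(re, text, depth + 1, limit);
}

/* Match the pattern at the current subject position. */
static int match_here(const char *re, const char *text,
                      unsigned depth, unsigned limit)
{
    if (depth > limit)
        return MATCH_DEPTH_EXCEEDED;
    if (re[0] == '\0')
        return MATCH_YES;
    if (re[1] == '*')
        return match_star(re[0], re + 2, text, depth + 1, limit);
    if (re[0] == '$' && re[1] == '\0')
        return *text == '\0' ? MATCH_YES : MATCH_NO;
    if (*text != '\0' && (re[0] == '.' || re[0] == *text))
        return match_here(re + 1, text + 1, depth + 1, limit);
    return MATCH_NO;
}

/* Entry point. 'limit' is the maximum number of nested matcher calls.
 * Returns MATCH_YES, MATCH_NO, or MATCH_DEPTH_EXCEEDED (budget spent). */
int match_bounded(const char *re, const char *text, unsigned limit)
{
    if (re[0] == '^')
        return match_here(re + 1, text, 0, limit);
    do {
        int r = match_here(re, text, 0, limit);
        if (r != MATCH_NO)
            return r;
    } while (*text++ != '\0');
    return MATCH_NO;
}

int main(void)
{
    /* Constructed sample inputs: the same subject matches within a budget of
     * six frames and is refused with a budget of five. */
    printf("%d\n", match_bounded("a*b", "aaab", 6));    /* 1  */
    printf("%d\n", match_bounded("a*b", "aaab", 5));    /* -1 */
    printf("%d\n", match_bounded("a*b", "aaac", 100));  /* 0  */
    return 0;
}
```

The design point is that the matcher's caller sees a third outcome besides match and no-match, so a caller can log the rejected input and size `limit` from the stack actually available (the 8 MB mentioned in the report divided by a conservative per-frame estimate) rather than discovering the limit as a SIGSEGV. pcre2's production analogue is the match-context depth limit set with pcre2_set_depth_limit().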
[Bug 259] Allow filter "logwrite" to write to syslog [ In reply to ]
https://bugs.exim.org/show_bug.cgi?id=259

german <germanjennifery@gmail.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |germanjennifery@gmail.com

--- Comment #4 from german <germanjennifery@gmail.com> ---

[Bug 259] Allow filter "logwrite" to write to syslog [ In reply to ]
https://bugs.exim.org/show_bug.cgi?id=259

Heiko Schlittermann <hs@schlittermann.de> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |hs@schlittermann.de

[Bug 259] Allow filter "logwrite" to write to syslog [ In reply to ]
https://bugs.exim.org/show_bug.cgi?id=259

Simon Arlott <bugzilla.exim.simon@arlott.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
URL|http://naturomac.com/ |
