Re: [exim-dev] PCRE vulnerability

Góra strony
Delete this message
Reply to this message
Autor: Philip Hazel
Data:  
Dla: Tony Finch
CC: exim-dev, Jakob Hirsch
Temat: Re: [exim-dev] PCRE vulnerability
On Mon, 22 Aug 2005, Tony Finch wrote:

> On Mon, 22 Aug 2005, Jakob Hirsch wrote:
> >
> > According to the alert, only "Applications that parse untrusted regular
> > expressions may be vulnerable." Exim does not do that by default, AFAIK,
> > but there may be a few setups allowing that, e.g. user specified filters
> > with regex.
>
> This can be a problem in setups where Exim runs filters at SMTP time while
> it is running as the exim user, which might allow escalation to root
> privilege. That's the only really dangerous scenario I can think of.


The bug was fixed in PCRE 6.2, which is in the current Exim snapshot.
The current PCRE release is 6.3, but there are no code changes from 6.2
(just changes to Makefiles, etc). The PCRE ChangeLog for 6.2 reads:

 1. There was no test for integer overflow of quantifier values. A
    construction such as {1111111111111111} would give undefined
    results. What is worse, if a minimum quantifier for a parenthesized
    subpattern overflowed and became negative, the calculation of the
    memory size went wrong. This could have led to memory overwriting.


-- 
Philip Hazel            University of Cambridge Computing Service,
ph10@???      Cambridge, England. Phone: +44 1223 334714.
Get the Exim 4 book:    http://www.uit.co.uk/exim-book