On Wed, 12 Dec 2007, Qiang_Xu@??? wrote:
> It's reported the PCRE vulnerabilities
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1660
> And it has been fixed in version 7.4 and later , we are investigating
> the impact to our product which is using the PCRE library ,but
> I failed to find corresponding bugid from bugzilla system .
> So could you kindly let me the technical detail about this fix .
I think it must have been this fix:
11. Because Perl interprets \Q...\E at a high level, and ignores orphan \E
instances, patterns such as [\Q\E] or [\E] or even [^\E] cause an error,
because the ] is interpreted as the first data character and the
terminating ] is not found. PCRE has been made compatible with Perl in this
regard. Previously, it interpreted [\Q\E] as an empty class, and [\E] could
cause memory overwriting.
This information comes from the ChangeLog file in the PCRE distribution.
Philip
--
Philip Hazel
