Re: [pcre-dev] Fixed bug about CVE-2007-1660

Page principale
Supprimer ce message
Auteur: Philip Hazel
Date:  
À: Qiang_Xu
CC: pcre-dev
Sujet: Re: [pcre-dev] Fixed bug about CVE-2007-1660
On Wed, 12 Dec 2007, Qiang_Xu@??? wrote:

> It's reported the PCRE vulnerabilities
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1660


> And it has been fixed in version 7.4 and later , we are investigating
> the impact to our product which is using the PCRE library ,but


> I failed to find corresponding bugid from bugzilla system .


> So could you kindly let me the technical detail about this fix .


I think it must have been this fix:

11. Because Perl interprets \Q...\E at a high level, and ignores orphan \E
    instances, patterns such as [\Q\E] or [\E] or even [^\E] cause an error,
    because the ] is interpreted as the first data character and the
    terminating ] is not found. PCRE has been made compatible with Perl in this
    regard. Previously, it interpreted [\Q\E] as an empty class, and [\E] could
    cause memory overwriting.


This information comes from the ChangeLog file in the PCRE distribution.

Philip

--
Philip Hazel