[pcre-dev] Deciphering CVE-2007-1660; UTF-8 required?

Top Page
This message is part of the following thread:
Mthe complete thread tree sorted by date
M 
Philip Hazel at ->
Delete this message
Author: Eric Covener
Date:  
To: pcre-dev
Subject: [pcre-dev] Deciphering CVE-2007-1660; UTF-8 required?
I'm trying to assess the impact of some already addressed PCRE bugs in
a software project that uses a bundled copy of older (3.x, 5.x)
releases. Fortunately, we don't compile expressions interpolated with
user input so many of the problems are mitigated.

One in particular that I'm having trouble getting my head around is
CVE-2007-1660:
Perl-Compatible Regular Expression (PCRE) library before 7.3 does not
properly calculate sizes for unspecified "multiple forms of character
class", which triggers a buffer overflow that allows context-dependent
attackers to cause a denial of service (crash) and possibly execute
arbitrary code.

I've tried to reconcile the description, changelog, and testdata but
I'm having trouble identifying what types of expressions this applies
to. Is it a UTF-8 only issue by any chance?

Any hints? Thanks,

--
Eric Covener
covener@???

This message was posted to the following mailing lists:
Pcre-dev
Mailing List Info | Nearby Messages		<-[pcre-dev] PCRE 7.6 Threading suggestion[pcre-dev] updating the svn 'tags' tree->
Tahini and Hummus and Cumin Development Archives administrated by cumin AdminsLurker (version 2.3)