[pcre-dev] Deciphering CVE-2007-1660; UTF-8 required?

Page principale
Supprimer ce message
Auteur: Eric Covener
Date:  
À: pcre-dev
Sujet: [pcre-dev] Deciphering CVE-2007-1660; UTF-8 required?
I'm trying to assess the impact of some already addressed PCRE bugs in
a software project that uses a bundled copy of older (3.x, 5.x)
releases. Fortunately, we don't compile expressions interpolated with
user input so many of the problems are mitigated.

One in particular that I'm having trouble getting my head around is
CVE-2007-1660:
Perl-Compatible Regular Expression (PCRE) library before 7.3 does not
properly calculate sizes for unspecified "multiple forms of character
class", which triggers a buffer overflow that allows context-dependent
attackers to cause a denial of service (crash) and possibly execute
arbitrary code.

I've tried to reconcile the description, changelog, and testdata but
I'm having trouble identifying what types of expressions this applies
to. Is it a UTF-8 only issue by any chance?

Any hints? Thanks,

--
Eric Covener
covener@???