[pcre-dev] Deciphering CVE-2007-1660; UTF-8 required?

Inizio della pagina
Questo messaggio è parte di questo thread:
Mil thread completo ordinato per data
M 
Philip Hazel at ->
Delete this message
Autore: Eric Covener
Data:  
To: pcre-dev
Oggetto: [pcre-dev] Deciphering CVE-2007-1660; UTF-8 required?
I'm trying to assess the impact of some already addressed PCRE bugs in
a software project that uses a bundled copy of older (3.x, 5.x)
releases. Fortunately, we don't compile expressions interpolated with
user input so many of the problems are mitigated.

One in particular that I'm having trouble getting my head around is
CVE-2007-1660:
Perl-Compatible Regular Expression (PCRE) library before 7.3 does not
properly calculate sizes for unspecified "multiple forms of character
class", which triggers a buffer overflow that allows context-dependent
attackers to cause a denial of service (crash) and possibly execute
arbitrary code.

I've tried to reconcile the description, changelog, and testdata but
I'm having trouble identifying what types of expressions this applies
to. Is it a UTF-8 only issue by any chance?

Any hints? Thanks,

--
Eric Covener
covener@???

Questo messaggio è stato inviato alle seguenti mailing lists:
Pcre-dev
Informazioni sulla Mailing List | Messaggi correlati		<-[pcre-dev] PCRE 7.6 Threading suggestion[pcre-dev] updating the svn 'tags' tree->
Tahini and Hummus and Cumin Development Archives amministrato da cumin AdminsLurker (versione 2.3)