On Mon, 11 Feb 2008, Eric Covener wrote:
> One in particular that I'm having trouble getting my head around is
> CVE-2007-1660:
> Perl-Compatible Regular Expression (PCRE) library before 7.3 does not
> properly calculate sizes for unspecified "multiple forms of character
> class", which triggers a buffer overflow that allows context-dependent
> attackers to cause a denial of service (crash) and possibly execute
> arbitrary code.
>
> I've tried to reconcile the description, changelog, and testdata but
> I'm having trouble identifying what types of expressions this applies
> to. Is it a UTF-8 only issue by any chance?
I'm afraid that after 6 months, my memory gets wiped :-) and I can't
remember which of the ChangeLog items for 7.3 applies to this. I suppose
it could be
    11. Because Perl interprets \Q...\E at a high level, and ignores orphan \E
    instances, patterns such as [\Q\E] or [\E] or even [^\E] cause an error,
    because the ] is interpreted as the first data character and the
    terminating ] is not found. PCRE has been made compatible with Perl in this
    regard. Previously, it interpreted [\Q\E] as an empty class, and [\E] could
    cause memory overwriting.
or it could be
    18. An unterminated class in a pattern like (?1)\c[ with a "forward reference"
    caused an overrun.
but I'm afraid I can't be more explicit.
Philip
--
Philip Hazel
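An added example, not part of Philip's reply and not PCRE source: a small Python model of the Perl rule that ChangeLog item 11 describes (\Q...\E is resolved before the pattern is parsed, an orphan \E is ignored, and a ] directly after [ or [^ is a literal data character), placed next to a deliberately naive pre-pass that counts class members in the raw pattern without applying those rules. The function names, the two-pass shape and the sample patterns are constructed for illustration and are assumptions rather than a description of PCRE's internals. What it shows is the kind of disagreement the CVE text calls improper size calculation: [\E] and [\Q\E] look like empty classes to the naive count but are unterminated classes to the Perl-style parse, and [\E]] is a class of one member that the naive count sizes at zero.

```python
# Added example for this page: a model of Perl-style \Q...\E handling next
# to a naive size-estimating pre-pass that disagrees with the real parse.
# Illustrative code only; it is not PCRE source and does not reproduce its
# internals. Function names and the sample patterns below are constructed.
import re


def strip_quote_meta(pattern: str) -> str:
    """Model Perl's high-level treatment of \\Q...\\E: the quoted text is
    re-emitted with its metacharacters escaped, and an orphan \\E (one with
    no preceding \\Q) is simply dropped before the pattern is parsed."""
    out = []
    i, n = 0, len(pattern)
    while i < n:
        if pattern.startswith("\\Q", i):
            j = pattern.find("\\E", i + 2)
            literal = pattern[i + 2:] if j < 0 else pattern[i + 2:j]
            out.append(re.escape(literal))
            i = n if j < 0 else j + 2
        elif pattern.startswith("\\E", i):
            i += 2                        # orphan \E: ignored, as in Perl
        elif pattern[i] == "\\" and i + 1 < n:
            out.append(pattern[i:i + 2])  # keep other escapes intact
            i += 2
        else:
            out.append(pattern[i])
            i += 1
    return "".join(out)


def find_class_end(s: str, start: int) -> int:
    """Index of the ']' closing the class that opens at s[start] == '['.
    Perl rule: a ']' immediately after '[' or '[^' is a data character,
    not the terminator. Raises ValueError for an unterminated class."""
    if s[start] != "[":
        raise ValueError("no class at offset %d" % start)
    i = start + 1
    if i < len(s) and s[i] == "^":
        i += 1
    if i < len(s) and s[i] == "]":
        i += 1                            # literal ']' as first data character
    while i < len(s):
        if s[i] == "\\":
            i += 2                        # an escaped character cannot close it
            continue
        if s[i] == "]":
            return i
        i += 1
    raise ValueError("missing terminating ] for character class")


def perl_class(pattern: str):
    """Parse a pattern consisting of one class the way Perl sees it:
    \\Q...\\E is resolved first, then the class is delimited. Returns
    (negated, members) where members are the data characters."""
    s = strip_quote_meta(pattern)
    end = find_class_end(s, 0)
    body = s[1:end]
    negated = body.startswith("^")
    if negated:
        body = body[1:]
    members, i = [], 0
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body):
            members.append(body[i + 1])   # escaped character is data
            i += 2
        else:
            members.append(body[i])
            i += 1
    return negated, members


def naive_class_size(pattern: str) -> int:
    """A deliberately naive pre-pass (constructed for this example): count
    raw data characters up to the first unescaped ']' without resolving
    \\Q...\\E and without the first-']'-is-literal rule. It never fails,
    so it cannot tell an empty class from an unterminated one."""
    i, size = 1, 0
    while i < len(pattern):
        if pattern[i] == "\\":
            i += 2
            continue
        if pattern[i] == "]":
            return size
        size += 1
        i += 1
    return size


def prepass_disagrees(pattern: str) -> bool:
    """True when the naive size and the real parse disagree: the real parse
    rejects the pattern, or it yields a class of a different size. A
    compiler that sizes a buffer from the pre-pass and then writes what the
    real parse produces is exposed exactly at such patterns."""
    naive = naive_class_size(pattern)
    try:
        _, members = perl_class(pattern)
    except ValueError:
        return True
    return naive != len(members)


if __name__ == "__main__":
    for p in ["[\\Q\\E]", "[\\E]", "[^\\E]", "[\\E]]", "[\\Qa.b\\E]", "[abc]"]:
        try:
            real = perl_class(p)
        except ValueError as e:
            real = "error: %s" % e
        print("%-12s naive size=%d  perl parse=%r  mismatch=%s"
              % (p, naive_class_size(p), real, prepass_disagrees(p)))
```

Running the script lists each constructed pattern with the naive count beside the Perl-style result; the three patterns from the ChangeLog entry come back as errors from the real parse while the naive count reports zero, and [\E]] is the case where both succeed but with different sizes. The model says nothing about which of the two ChangeLog items the CVE identifier actually maps to; it only makes the size-versus-parse mismatch concrete.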