Re: [pcre-dev] Press inquiry -- PCRE

Top Page
Delete this message
Author: Nuno Lopes
Date:  
To: pcre-dev, robert_mcmillan
Subject: Re: [pcre-dev] Press inquiry -- PCRE
Hi,

I'm not a PCRE developer. Actually Philip Hazel is the sole developer,
although a few others also contribute patches.
Looking at the webkit commit that fixes the bug
(http://trac.webkit.org/projects/webkit/changeset/31388), it seems they
bundle a modified PCRE library to suit their needs. As far as I can tell,
it's a fork from PCRE 6.5.
So the guy that discovered that flaw could have read the PCRE changelog and
by reading the diffs is trivial to know where the bug is. Exploiting is a
different business (far from being trivial).

So, was the flaw known? Well, yes and no. It was known to exist in PCRE, but
it seems noone remembered to check the webkit's PCRE library. And maybe
there are other bugs that were already fixed and PCRE and remain unfixed in
thew webkit tree. But no one knows. (if fact, this a common mistake that
many projects that bundle other libraries do. I work in a big project that
have also forgot to upgrade PCRE sometimes in the past).

Regards,
Nuno


----- Original Message -----
From: <robert_mcmillan@???>
To: <pcre-dev@???>
Sent: Monday, April 21, 2008 6:11 PM
Subject: [pcre-dev] Press inquiry -- PCRE


>
> Hi there,
>
> I'm a reporter working on a story about that Safari PWN2OWN bug
> (http://www.infoworld.com/article/08/04/16/Apple-patches-prize-winning-bug_1.html)
> that Apple patched last week and its relationship to PCRE and (in
> particular) to item #3 here.
>
> http://scary.beasts.org/security/CESA-2007-006.html
>
> Is there anyone on the dev team who knows about this and could perhaps
> help
> me understand the facts here, because it looks like you guys had patched
> this bug before WebKit and that someone could have found this "zero day"
> flaw from looking at your changelogs.
>
> If anyone could help me out, either via telephone or email, I'd really
> appreciate it.
>
> Cheers,
>
> Bob
>
>
> Robert McMillan
> Senior Writer, IDG News Service
> 501 Second Street, Suite 120
> San Francisco, CA 94107
> 415 974-7470
>
> The News Service distributes exclusive news, features, videos, photos and
> podcasts to Computerworld, CIO, NetworkWorld, PC World, Macworld and
> Infoworld – technology publications and web sites that account for more
> than 300 titles circulated in more than 85 countries. On the Web, our
> stories are published by the New York Times, the Washington Post and ABC
> News.
> --
> ## List details at http://lists.exim.org/mailman/listinfo/pcre-dev