Re: [pcre-dev] Press inquiry -- PCRE

Author: robert_mcmillan
Date:  
To: nunoplopes
CC: pcre-dev
Subject: Re: [pcre-dev] Press inquiry -- PCRE
Hi Nuno,

Thanks for getting back to me. If I quote you, what's the best way to
describe your affiliation with PCRE? A developer who participates on the
PCRE development discussion list?

One thing I'm wondering if you can confirm for me? Chris Evans said he had
discovered this bug http://scary.beasts.org/security/CESA-2007-006.html,
item #3, and reported this to you guys. He said that it was addressed in 6.7,
but that the fix wasn't quite complete. Eventually I think it was patched in
7.3.

Just wanted to make sure I had that right and that someone who had looked
at 6.7 could have identified the bug (if not how to exploit)

Bob

Robert McMillan
Senior Writer, IDG News Service
501 Second Street, Suite 120
San Francisco, CA 94107
415 974-7470

The News Service distributes exclusive news, features, videos, photos and
podcasts to Computerworld, CIO, NetworkWorld, PC World, Macworld and
Infoworld – technology publications and web sites that account for more
than 300 titles circulated in more than 85 countries. On the Web, our
stories are published by the New York Times, the Washington Post and ABC
News.

"Nuno Lopes" <nunoplopes@???> wrote on 04/21/2008 02:11:27 PM:

> Hi,
>
> I'm not a PCRE developer. Actually Philip Hazel is the sole developer,
> although a few others also contribute patches.
> Looking at the webkit commit that fixes the bug
> (http://trac.webkit.org/projects/webkit/changeset/31388), it seems they
> bundle a modified PCRE library to suit their needs. As far as I can tell,
> it's a fork from PCRE 6.5.
> So the guy that discovered that flaw could have read the PCRE changelog and
> by reading the diffs it is trivial to know where the bug is. Exploiting is a
> different business (far from being trivial).
>
> So, was the flaw known? Well, yes and no. It was known to exist in PCRE, but
> it seems no one remembered to check the webkit's PCRE library. And maybe
> there are other bugs that were already fixed in PCRE and remain unfixed in
> the webkit tree. But no one knows. (In fact, this is a common mistake that
> many projects that bundle other libraries do. I work in a big project that
> has also forgotten to upgrade PCRE sometimes in the past.)
>
> Regards,
> Nuno
>
>
> ----- Original Message -----
> From: <robert_mcmillan@???>
> To: <pcre-dev@???>
> Sent: Monday, April 21, 2008 6:11 PM
> Subject: [pcre-dev] Press inquiry -- PCRE
>
>
> >
> > Hi there,
> >
> > I'm a reporter working on a story about that Safari PWN2OWN bug
> > (http://www.infoworld.com/article/08/04/16/Apple-patches-prize-winning-bug_1.html)
> > that Apple patched last week and its relationship to PCRE and (in
> > particular) to item #3 here.
> >
> > http://scary.beasts.org/security/CESA-2007-006.html
> >
> > Is there anyone on the dev team who knows about this and could perhaps
> > help me understand the facts here, because it looks like you guys had
> > patched this bug before WebKit and that someone could have found this
> > "zero day" flaw from looking at your changelogs.
> >
> > If anyone could help me out, either via telephone or email, I'd really
> > appreciate it.
> >
> > Cheers,
> >
> > Bob
> >
> >
> > Robert McMillan
> > Senior Writer, IDG News Service
> > 501 Second Street, Suite 120
> > San Francisco, CA 94107
> > 415 974-7470
> >
> > The News Service distributes exclusive news, features, videos, photos and
> > podcasts to Computerworld, CIO, NetworkWorld, PC World, Macworld and
> > Infoworld – technology publications and web sites that account for more
> > than 300 titles circulated in more than 85 countries. On the Web, our
> > stories are published by the New York Times, the Washington Post and ABC
> > News.