Re: [pcre-dev] Press inquiry -- PCRE

Author: Nuno Lopes
Date:  
To: robert_mcmillan
CC: pcre-dev
Subject: Re: [pcre-dev] Press inquiry -- PCRE
> Thanks for getting back to me. If I quote you, what's the best way to
> describe your affiliation with PCRE? A developer who participates on the
> PCRE development discussion list?


It's ok, yes.

> One thing I'm wondering if you can confirm for me? Chris Evans said he had
> discovered this bug http://scary.beasts.org/security/CESA-2007-006.html,
> item #3
>
> and reported this to you guys. He said that it was addressed in 6.7, but
> that the fix wasn't quite complete. Eventually I think it was patched in
> 7.3.


Well, those e-mails were probably exchanged privately between him and the
PCRE author, because of the security sensitiveness.
But take a look at
http://vcs.pcre.org/viewvc/code/trunk/pcre_compile.c?view=log, to revision
202 and 93 and make your own conclusions.
Anyway, as I said previously, it seems the webkit regex library is a fork
from PCRE 6.5.


> Just wanted to make sure I had that right and that someone who had looked
> at 6.7 could have identified the bug (if not how to exploit)


I would say that making exploits by looking at the diffs is common practice
these days. People even look at the changes made by Microsoft to some DLLs,
so looking at diffs of code is even easier. (And there also exist some
tools in academia that find input automatically to reach a certain program
state. This is impossible in the general case, but often works.)

Nuno


> Bob
>
> Robert McMillan
> Senior Writer, IDG News Service
> 501 Second Street, Suite 120
> San Francisco, CA 94107
> 415 974-7470
>
> The News Service distributes exclusive news, features, videos, photos and
> podcasts to Computerworld, CIO, NetworkWorld, PC World, Macworld and
> Infoworld – technology publications and web sites that account for more
> than 300 titles circulated in more than 85 countries. On the Web, our
> stories are published by the New York Times, the Washington Post and ABC
> News.
>
> "Nuno Lopes" <nunoplopes@???> wrote on 04/21/2008 02:11:27 PM:
>
>> Hi,
>>
>> I'm not a PCRE developer. Actually Philip Hazel is the sole developer,
>> although a few others also contribute patches.
>> Looking at the webkit commit that fixes the bug
>> (http://trac.webkit.org/projects/webkit/changeset/31388), it seems they
>> bundle a modified PCRE library to suit their needs. As far as I can tell,
>> it's a fork from PCRE 6.5.
>> So the guy that discovered that flaw could have read the PCRE changelog and
>> by reading the diffs it is trivial to know where the bug is. Exploiting is a
>> different business (far from being trivial).
>>
>> So, was the flaw known? Well, yes and no. It was known to exist in PCRE, but
>> it seems no one remembered to check the webkit's PCRE library. And maybe
>> there are other bugs that were already fixed in PCRE and remain unfixed in
>> the webkit tree. But no one knows. (In fact, this is a common mistake that
>> many projects that bundle other libraries make. I work in a big project that
>> has also forgotten to upgrade PCRE sometimes in the past.)
>>
>> Regards,
>> Nuno
>>
>>
>> ----- Original Message -----
>> From: <robert_mcmillan@???>
>> To: <pcre-dev@???>
>> Sent: Monday, April 21, 2008 6:11 PM
>> Subject: [pcre-dev] Press inquiry -- PCRE
>>
>>
>> >
>> > Hi there,
>> >
>> > I'm a reporter working on a story about that Safari PWN2OWN bug
>> > (http://www.infoworld.com/article/08/04/16/Apple-patches-prize-winning-bug_1.html)
>> > that Apple patched last week and its relationship to PCRE and (in
>> > particular) to item #3 here.
>> >
>> > http://scary.beasts.org/security/CESA-2007-006.html
>> >
>> > Is there anyone on the dev team who knows about this and could perhaps
>> > help me understand the facts here, because it looks like you guys had
>> > patched this bug before WebKit and that someone could have found this
>> > "zero day" flaw from looking at your changelogs.
>> >
>> > If anyone could help me out, either via telephone or email, I'd really
>> > appreciate it.
>> >
>> > Cheers,
>> >
>> > Bob
>> >
>> >
>> > Robert McMillan
>> > Senior Writer, IDG News Service
>> > 501 Second Street, Suite 120
>> > San Francisco, CA 94107
>> > 415 974-7470
>> >
>> > The News Service distributes exclusive news, features, videos, photos and
>> > podcasts to Computerworld, CIO, NetworkWorld, PC World, Macworld and
>> > Infoworld – technology publications and web sites that account for more
>> > than 300 titles circulated in more than 85 countries. On the Web, our
>> > stories are published by the New York Times, the Washington Post and ABC
>> > News.
>> > --
>> > ## List details at http://lists.exim.org/mailman/listinfo/pcre-dev