Re: [pcre-dev] CVE-2008-2371

Author: Nuno Lopes
Date:  
To: Venu Alatzeth, pcre-dev
Subject: Re: [pcre-dev] CVE-2008-2371
Hi,

While it may not (I haven't checked, but probably not), PCRE < 7 also has
its security bugs. That's one of the reasons that made the author refactor
that piece of code (along with maintenance issues).
So, my advice is to upgrade.

Nuno


----- Original Message -----
From: "Venu Alatzeth" <alatzeth@???>
To: <pcre-dev@???>
Sent: Tuesday, July 08, 2008 12:21 AM
Subject: [pcre-dev] CVE-2008-2371


> Hello,
> Our software uses libpcre 5.0 version. Given that the pcre_compile() was
> refactored in version 7.0, could you advise if PCRE Regular Expression
> Heap Based Buffer Overflow Vulnerability affects versions prior to 7.0
> also?
>
> Thanks,
> Venu A
>
>
> Version 7.0 19-Dec-06 --------------------- ...
>
> 17. I have done a major re-factoring of the way pcre_compile() computes
>    the amount of memory needed for a compiled pattern. Previously, there
>    was code that made a preliminary scan of the pattern in order to do
>    this. That was OK when PCRE was new, but as the facilities have
>    expanded, it has become harder and harder to keep it in step with the
>    real compile phase, and there have been a number of bugs (see for
>    example, 4 above). I have now found a cunning way of running the real
>    compile function in a "fake" mode that enables it to compute how much
>    memory it would need, while actually only ever using a few hundred
>    bytes of working memory and without too many tests of the mode. This
>    should make future maintenance and development easier. A side effect
>    of this work is that the limit of 200 on the nesting depth of
>    parentheses has been removed (though this was never a serious
>    limitation, I suspect). However, there is a downside: pcre_compile()
>    now runs more slowly than before (30% or more, depending on the
>    pattern). I hope this isn't a big issue. There is no effect on runtime
>    performance.

>
>
>
> PCRE Regular Expression Heap Based Buffer Overflow Vulnerability
>
> Bugtraq ID: 30087
> Class: Design Error
> CVE: CVE-2008-2371
> Remote: Yes
> Local: No
> Published: Jul 01 2008 12:00AM
> Updated: Jul 07 2008 03:39PM
> Credit: Tavis Ormandy
> Vulnerable: S.u.S.E. openSUSE 10.3
> RedHat Fedora 9 0
> RedHat Fedora 8 0
> PCRE PCRE 7.7
> GNOME glib 2.16.3
> Debian Linux 4.0 sparc
> Debian Linux 4.0 s/390
> Debian Linux 4.0 powerpc
> Debian Linux 4.0 mipsel
> Debian Linux 4.0 mips
> Debian Linux 4.0 m68k
> Debian Linux 4.0 ia-64
> Debian Linux 4.0 ia-32
> Debian Linux 4.0 hppa
> Debian Linux 4.0 arm
> Debian Linux 4.0 amd64
> Debian Linux 4.0 alpha
> Debian Linux 4.0
>
> Not Vulnerable: GNOME glib 2.16.4
> --
> ## List details at http://lists.exim.org/mailman/listinfo/pcre-dev
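
The sizing design described in the quoted ChangeLog item 17, as an added example that is not part of the original thread and is not PCRE code: one emit routine serves both the measuring pass and the writing pass, so the two cannot drift apart. The toy pattern syntax and the names `toy_emit` and `toy_compile` are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy "compiler", constructed for illustration: a literal followed by
 * decimal digits is repeated, so "a3b2" becomes "aaabb". With out == NULL
 * it runs in a length-only mode. Returns bytes needed, or (size_t)-1. */
static size_t toy_emit(const char *pat, char *out, size_t cap)
{
    size_t len = 0;
    while (*pat) {
        char lit = *pat++;
        size_t rep = 1;
        if (isdigit((unsigned char)*pat)) {
            rep = 0;
            while (isdigit((unsigned char)*pat)) {
                if (rep > 1000) return (size_t)-1; /* reject huge repeats */
                rep = rep * 10 + (size_t)(*pat++ - '0');
            }
        }
        for (size_t i = 0; i < rep; i++, len++) {
            if (out == NULL) continue;             /* measuring only */
            if (len >= cap) return (size_t)-1;     /* never write past cap */
            out[len] = lit;
        }
    }
    return len;
}

/* Measure with the real routine, allocate, then run it again for real. */
static char *toy_compile(const char *pat, size_t *out_len)
{
    size_t need = toy_emit(pat, NULL, 0);          /* pass 1: "fake" mode */
    if (need == (size_t)-1) return NULL;
    char *buf = malloc(need + 1);
    if (buf == NULL) return NULL;
    size_t wrote = toy_emit(pat, buf, need);       /* pass 2: same code path */
    if (wrote != need) { free(buf); return NULL; } /* disagreement: fail closed */
    buf[wrote] = '\0';
    if (out_len) *out_len = wrote;
    return buf;
}

int main(void)
{
    char *s = toy_compile("a3b2", NULL);
    if (s) puts(s);
    free(s);
    return 0;
}
```

The bounds check in the writing pass is kept even though both passes share one routine, so a sizing error would surface as a failed compile rather than a heap write past the allocation.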