[pcre-dev] [Bug 1767] PCRE Library Heap Overflow Vulnerabili…

Author: admin
Date:  
To: pcre-dev
Subject: [pcre-dev] [Bug 1767] PCRE Library Heap Overflow Vulnerability
https://bugs.exim.org/show_bug.cgi?id=1767

--- Comment #1 from Philip Hazel <ph10@???> ---
A number of bugs of this type have recently been discovered by fuzzers creating
weird patterns that are unlikely to be made by humans. These bugs showed up an
area of code in PCRE1 (the 8.xx series) that, over the years of adding
features, had become very sensitive. For this reason, the way that named
subgroups are recognized and handled has been completely re-written for PCRE2
(the 10.xx series). Your pattern does not cause a crash in PCRE2. The next
PCRE2 release (10.21) will happen some time this month.

PCRE2 has now been around for a year. I would like to encourage those who use
PCRE to consider moving from PCRE1 to PCRE2, because it has had a lot of
testing by fuzzers and other auditing methods, and is therefore less likely to
be vulnerable to these kinds of bug.

The latest PCRE1 release (8.38) came out in November, so there will not be
another one for some months. I will take a look at your pattern in detail in
due course to see if there is an easy hack to bypass it, such as always
allocating extra memory.
