Re: [pcre-dev] CVE-2017-11164 fixed?

Author: Petr Pisar
To: pcre-dev
Subject: Re: [pcre-dev] CVE-2017-11164 fixed?
On Mon, Aug 03, 2020 at 11:16:40AM +0200, Thomas Klausner via Pcre-dev wrote:
> Hi!
> In 2017 there was a CVE assigned against pcre 8.41:
> > In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c
> > allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression.
> I read the Changelogs and the commit messages for the file mentioned,
> but I couldn't clearly see if this is fixed or not. Does someone know?

A stack exhaustion in PCRE that uses a recursion-based algorithm is not a bug
and it was not fixed in any way. Please read the pcrestack(3) manual page for more
details, including possible mitigations.

-- Petr