Author: Petr Pisar
Date:
To: pcre-dev
Subject: Re: [pcre-dev] CVE-2017-11164 fixed?

On Mon, Aug 03, 2020 at 11:16:40AM +0200, Thomas Klausner via Pcre-dev wrote:
> Hi!
>
> In 2017 there was a CVE assigned against pcre 8.41:
> https://www.openwall.com/lists/oss-security/2017/07/11/3
>
> > In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c
> > allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression.
>
> I read the Changelogs and the commit messages for the file mentioned,
> but I couldn't clearly see if this is fixed or not. Does someone know?

A stack exhaustion in PCRE that uses a recursion-based algorithm is not a bug
and it was not fixed in any way. Please read the pcrestack(3) manual page for more
details including possible mitigations.