Re: [pcre-dev] CVE-2017-11164 fixed?

Top Page

Reply to this message
Author: Petr Pisar
Date:  
To: pcre-dev
Subject: Re: [pcre-dev] CVE-2017-11164 fixed?
On Mon, Aug 03, 2020 at 11:16:40AM +0200, Thomas Klausner via Pcre-dev wrote:
> Hi!
>
> In 2017 there was a CVE assigned against pcre 8.41:
>
> https://www.openwall.com/lists/oss-security/2017/07/11/3
>
> > In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c
> > allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression.
>
> I read the Changelogs and the commit messages for the file mentioned,
> but I couldn't clearly see if this is fixed or not. Does someone know?


A stack exhaustion in PCRE that uses a recursion-based algorithm is not a bug
and it was not fixed in any way. Please read pcrestack(3) manual page for more
details includnig possible mitigations.

-- Petr