[pcre-dev] [Bug 2778] pchars (pcretest.c:2045) in PCRE8.45 c…

Author: admin
Date:  
To: pcre-dev
Subject: [pcre-dev] [Bug 2778] pchars (pcretest.c:2045) in PCRE8.45 can cause heap-buffer-overflow.
https://bugs.exim.org/show_bug.cgi?id=2778

--- Comment #3 from Giuseppe D'Angelo <dangelog@???> ---
1) PCRE 8 has reached EOL, so no bugs against it will be fixed. Please always
test the *latest* PCRE2 10.XX.

2) pcretest is not a tool an attacker can use, it's an internal tool for PCRE's
own testing. It's OK to point out a bug inside PCRE by providing an input to
pcretest ("if you run this regexp on this input => this bad thing happens").
It's even OK to point out a bug inside pcretest itself ("if you run it on
this input it crashes"). It's NOT OK to claim a possible security issue, like a
heap overflow, if this is happening inside pcretest itself. As I said, it's not
a security sensitive application.

3) This is clearly a duplicate of PR 2052, as the mention of CVE-2017-7186
shows. Why are you opening bug reports for very old vulnerabilities? Are you
running PCRE under a fuzzer + ASAN in order to look for security issues? Is it
to test some new fuzzing technology? If so, you should build a minimal C
application and stress-test the API (pcre_compile, pcre_exec and so on); *not*
pcretest.

You can of course test pcretest, but any bug you find has to be
appropriately targeted -- did you find a bug in the API, which *is* a security
issue, or did you find a bug in pcretest, which is "nice to fix" but not THAT
important?

4) PCRE (2) is already under oss-fuzz.
