https://bugs.exim.org/show_bug.cgi?id=2778
--- Comment #3 from Giuseppe D'Angelo <dangelog@???> ---
1) PCRE 8 has reached EOL, so no bugs against it will be fixed. Please always
test the *latest* PCRE2 10.XX.
2) pcretest is not a tool an attacker can use, it's an internal tool for PCRE's
own testing. It's OK to point out to a bug inside PCRE by providing an input to
pcretest ("if you run this regexp on this input => this bad thing happens").
It's even OK to point out at a bug inside pcretest itself ("if you run it on
this input it crashes"). It's NOT OK to claim a possible security issue, like a
heap overflow, if this is happening inside pcretest itself. As I said, it's not
a security sensitive application.
3) This is clearly a duplicate of PR 2052 and as mention of CVE-2017-7186
shows. Why are you opening bug reports for very old vulnerabilities? Are you
running PCRE under a fuzzer + ASAN in order to look for security isues? Is it
to test some new fuzzing technology? If so, you should build a minimal C
application and stress-test the API (pcre_compile, pcre_exec and so on); *not*
pcretest.
You can of course test pcretest, but the any bug you find has to be
appropriately targeted -- did you find a bug in the API, which *is* a security
issue, or did you find a bug in pcretest, which is "nice to fix" but not THAT
important?
4) PCRE (2) is already under oss-fuzz.
--
You are receiving this mail because:
You are on the CC list for the bug.
