oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: CVE Request: PCRE Library Heap Overflow Vulnerability

From: cve-assign () mitre org
Date: Sat, 2 Jan 2016 17:49:14 -0500 (EST)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256


PCRE library is prone to a vulnerability which leads to Heap Overflow.
During the compilation of a malformed regular expression, more data is
written on the malloced block than the expected size output by
compile_regex. Carefully crafted my lead to code execution in the context
of affected applications.



https://bugs.exim.org/show_bug.cgi?id=1767



5 more bytes are written on the heap in this case.
This overflow can be used to modify adjacent length field of array/vector/string



PCRE version 8.38 are confirmed to be vulnerable.


Use CVE-2016-1283.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJWiFNmAAoJEL54rhJi8gl5DxYP+QG19qjSea0lHZ+Knn1XYKfH
Nns/bUDLZdU2w8CfcDR+DZub7q1l6jO/Ab6ZFMf9WwgnY1Nr6kwotmImTAzehWwh
U4nrl1a/ip5v2Etjvs9Etye64qPN6swtEIn/afqmq9/1FU/ezAWOERGbS9o149j9
0ROvCnzNOqvtFCVKaj/aszNFLk0//PWCHup7BYklUsP5OcKObvlawtdemUtF+QOy
hf5sa2MyBkZkSk8B7HgyB5C9KkoQ8EF1Jos7uQwfEhr0+YU5l2fSz4+ntASaha4b
W5T9d6ukZEzxpBdIWvGbLrXfDwHnf0vF+Pi1XuTrcfKRzyYngdXzodgwy9/7Muyd
fH/niuu4lgMBBQ1ARNaVPcV025unxjesnx8Xt/fcBx6WZsR230A1Yylx0QBl578t
5ezyNAxng8taaCbkwcqoogOXqEP3hPQwHN22guF+RiJJaw54wK+s02zJFgmQlJQT
drJtpkHyHCnmwAwIE/wibm6ettm4u/HKUN1+ficouWIgYHVCcghtP805BFFKYwGg
PxEc8UnRzWDq6nd4BfVL7HwDw4PHO+XIQf/rfBoGYNQTEAFhqzxKbGzWJFlcSD/4
kx16tNsZIQPyQD+Y0CvAveAJqdY/Miby9/c9d+AgqVrojsp7xYyxAUZqt1Sq2sJA
ln+0g6gYiUgyNVG1aNwH
=dcc/
-----END PGP SIGNATURE-----
Previous By Date Next
Previous By Thread Next

Current thread: