Re: CVE Request: Information disclosure in pcre

[Shannon Sabens <zdi-disclosures () tippingpoint com>]

Hello,

Re-ping on this?

Thank you.

Shannon

On 8/3/2015 11:21 PM, Huzaifa Sidhpurwala wrote:
> Hi All,
>
> It was reported that pcre_exec in PHP pcre extenstion partially
> initialize a buffer when an invalid regex is processed, which can lead
> to an arbitrary code execution.
>
> https://bugs.exim.org/show_bug.cgi?id=1537
>
> This patch has been committed upstream via:
> http://vcs.pcre.org/pcre/code/trunk/pcre_exec.c?r1=1502&r2=1510
>
> And is a part of upstream release pcre-8.37
>
> This was initially reported by ZDI (ZDI-CAN-2547), but it seems there
> was no follow-up.
>
> Can a CVE id be please assigned to this issue?