oss-sec mailing list archives

Re: CVE Request: PCRE Library Heap Overflow Vulnerability


From: Guanxing Wen <wengx522 () gmail com>
Date: Wed, 19 Aug 2015 11:28:38 +0800

Hi Mitre,
Just a re-ping on this issue.

It has been fixed:
http://vcs.pcre.org/pcre/code/trunk/pcre_compile.c?r1=1584&r2=1585

Also, the description of the issue is listed in the changelog:
http://vcs.pcre.org/pcre/code/trunk/ChangeLog?r1=1584&r2=1585


Wen Guanxing from Venustech ADLAB


2015-08-06 0:55 GMT+08:00 Guanxing Wen <wengx522 () gmail com>:

PCRE is a regular expression C library inspired by the regular expression
capabilities in the Perl programming language. The PCRE library is
incorporated into a number of prominent programs, such as Adobe Flash,
Apache, Nginx, PHP.

The PCRE library is prone to a vulnerability which leads to a heap overflow.
During the compilation of a malformed regular expression, more data is
written to the malloced block than the expected size output by
compile_regex. Exploits with advanced Heap Fengshui techniques may allow an
attacker to execute arbitrary code in the context of the user running the
affected application.

Reference:
https://bugs.exim.org/show_bug.cgi?id=1667

Could you assign a CVE-ID for this?

Thank you && Regards.

Wen Guanxing from Venustech ADLAB

