oss-sec mailing list archives
Re: Heap Overflow in PCRE
From: Fabian Keil <freebsd-listen () fabiankeil de>
Date: Tue, 24 Nov 2015 12:57:09 +0100
Hanno Böck <hanno () hboeck de> wrote:
> https://blog.fuzzing-project.org/29-Heap-Overflow-in-PCRE.html
>
> The Perl Compatible Regular Expressions (PCRE) library has just
> released a new version which fixes a number of security issues.
>
> Fuzzing the pcretest tool uncovered an input leading to a heap
> overflow in the function pcre_exec. This bug was found with the help
> of american fuzzy lop and address sanitizer.
>
> https://bugs.exim.org/show_bug.cgi?id=1637
> Upstream bug #1637 (PoC and ASAN trace attached there)
>
> This is fixed in PCRE 8.38. There are two variants of PCRE, the
> classic one and PCRE2. PCRE2 is not affected.
> https://lists.exim.org/lurker/message/20151123.125009.80e5ac05.en.html
>
> Apart from that a couple of other vulnerabilities found by other
> people have been fixed in this release:
>
> https://bugs.exim.org/show_bug.cgi?id=1672
> Heap overflow in compile_regex
>
> https://bugs.exim.org/show_bug.cgi?id=1515
> Stack overflow in compile_regex
>
> https://bugs.exim.org/show_bug.cgi?id=1667
> Heap overflow in compile_regex
>
> If you use PCRE to parse untrusted inputs you should update
> immediately.

The last sentence seems overly broad to me as many (most?) applications
use trusted PCRE patterns (that get parsed and executed) to parse
untrusted input.

For this use case the issues above don't seem to require immediate
action.

Fabian