oss-sec mailing list archives

Re: Re: Heap Overflow in PCRE


From: Michal Zalewski <lcamtuf () coredump cx>
Date: Sat, 28 Nov 2015 21:06:01 -0800

> Most PCRE findings have a requirement that the attacker is able to
> provide an arbitrary regular expression in a way that crosses a
> privilege boundary.
> http://www.pcre.org/current/doc/html/pcre2pattern.html implies that
> this is relevant to the PCRE security model, i.e., the reference to
> "applications that allow their users to supply patterns." We've
> mentioned this before in
> http://www.openwall.com/lists/oss-security/2015/09/08/8 but we're
> still unaware of any specific application that meets this requirement.

Languages such as Flash or JavaScript, where untrusted parties are
allowed to specify regular expression patterns that are compiled by an
underlying regex library - be it PCRE or something else. Examples:

https://code.google.com/p/google-security-research/issues/detail?id=225
https://code.google.com/p/google-security-research/issues/detail?id=208

/mz
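Added example, not code from this thread or from the PCRE project: a small JavaScript illustration of the distinction the message turns on, between an application that lets untrusted users supply a regex *pattern* (so their input is handed to the regex compiler as syntax, the situation that makes a PCRE or engine bug reachable) and one that only accepts a literal search string and escapes it before compiling. The function names and the sample inputs are constructed for this example.

```javascript
// Escape every regex metacharacter so the string matches itself literally.
// This is the standard metacharacter set for JavaScript RegExp.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Untrusted input used directly as pattern syntax: the case the thread
// discusses. The user controls what the regex compiler parses, so compile
// errors and any engine bugs are reachable from the untrusted side.
function patternMatcher(untrustedPattern) {
  return new RegExp(untrustedPattern);
}

// Untrusted input escaped first: the regex engine only ever sees a literal
// string, so the user cannot influence the structure of the compiled pattern.
function literalMatcher(untrustedText) {
  return new RegExp(escapeRegExp(untrustedText));
}

// Demonstration on constructed inputs; returns the observations as an object
// so they can be checked rather than only printed.
function demo() {
  const results = {};
  // "." is pattern syntax in one design and a literal dot in the other.
  results.patternDotMatchesAny = patternMatcher("a.b").test("axb");   // true
  results.literalDotMatchesDot = literalMatcher("a.b").test("axb");   // false
  // An unbalanced "(" is a compile error when the user supplies the pattern,
  // but just a character to search for when the input is escaped.
  try {
    patternMatcher("(");
    results.patternCompileError = false;
  } catch (e) {
    results.patternCompileError = e instanceof SyntaxError;              // true
  }
  results.literalAlwaysCompiles = literalMatcher("(").test("x(y");      // true
  return results;
}

console.log(demo());
```

The point for a defender is that only the first design ("applications that allow their users to supply patterns") puts untrusted input on the regex compiler's side of the privilege boundary; an application that only needs substring search can stay on the literal side by escaping.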

