Date: Mon, 1 Jun 2015 21:49:50 +0800 From: "wen_guanxing" <wen_guanxing@...ustech.com.cn> To: "oss-security" <oss-security@...ts.openwall.com> Subject: CVE-2015-3210: PCRE Library Heap Overflow Vulnerability Can't figure out what's going on with the text format, what a mess :( So here is short version, hopping everything goes well. PCRE is a regular expression C library inspired by the regular expression capabilities in the Perl programming language. The PCRE library is incorporated into a number of prominent programs, such as Adobe Flash, Apache, Nginx, PHP. PCRE library is prone to a vulnerability which leads to Heap Overflow. During the compilation of a malformed regular expression, more data is written on the malloced block than the expected size output by compile_regex. Exploits with advanced Heap Fengshui techniques may allow an attacker to execute arbitrary code in the context of the user running the affected application. Reference: https://bugs.exim.org/show_bug.cgi?id=1636 Please note that this (and couple of other issues discovered by fuzzing) is fixed in the source tree. Wen Guanxing from Venustech ADLAB is credited for this vulnerability. [ CONTENT OF TYPE text/html SKIPPED ] [ CONTENT OF TYPE application/octet-stream SKIPPED ]
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ