Date: Wed, 19 Aug 2015 11:28:38 +0800
From: Guanxing Wen <wengx522@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request: PCRE Library Heap Overflow Vulnerability

Hi Mitre,

Just a re-ping on this issue.

It has been fixed:
http://vcs.pcre.org/pcre/code/trunk/pcre_compile.c?r1=1584&r2=1585

Also the description for the issue is listed in the changelog:
http://vcs.pcre.org/pcre/code/trunk/ChangeLog?r1=1584&r2=1585

Wen Guanxing from Venustech ADLAB

2015-08-06 0:55 GMT+08:00 Guanxing Wen <wengx522@...il.com>:

> PCRE is a regular expression C library inspired by the regular expression
> capabilities in the Perl programming language. The PCRE library is
> incorporated into a number of prominent programs, such as Adobe Flash,
> Apache, Nginx, PHP.
>
> The PCRE library is prone to a vulnerability which leads to Heap Overflow.
> During the compilation of a malformed regular expression, more data is
> written on the malloced block than the expected size output by
> compile_regex. Exploits with advanced Heap Fengshui techniques may allow an
> attacker to execute arbitrary code in the context of the user running the
> affected application.
>
> Reference:
> https://bugs.exim.org/show_bug.cgi?id=1667
>
> Could you assign a CVE-ID for this?
>
> Thank you && Regards.
>
> Wen Guanxing from Venustech ADLAB