Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 28 Nov 2015 21:06:01 -0800
From: Michal Zalewski <lcamtuf@...edump.cx>
To: oss-security <oss-security@...ts.openwall.com>
Cc: Hanno Böck <hanno@...eck.de>, 
	Assign a CVE Identifier <cve-assign@...re.org>
Subject: Re: Re: Heap Overflow in PCRE

> Most PCRE findings have a requirement that the attacker is able to
> provide an arbitrary regular expression in a way that crosses a
> privilege boundary.
> http://www.pcre.org/current/doc/html/pcre2pattern.html implies that
> this is relevant to the PCRE security model, i.e., the reference to
> "applications that allow their users to supply patterns." We've
> mentioned this before in
> http://www.openwall.com/lists/oss-security/2015/09/08/8 but we're
> still unaware of any specific application that meets this requirement

Languages such as Flash or JavaScript, where untrusted parties are
allowed to specify regular expression patterns that are compiled by an
underlying regex library - be it PCRE or something else. Examples:

https://code.google.com/p/google-security-research/issues/detail?id=225
https://code.google.com/p/google-security-research/issues/detail?id=208

/mz

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ