Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 29 Nov 2015 05:58:01 -0500 (EST)
From: cve-assign@...re.org
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Re: Heap Overflow in PCRE

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> Languages such as Flash or JavaScript, where untrusted parties are
> allowed to specify regular expression patterns that are compiled by an
> underlying regex library - be it PCRE or something else. Examples:
> 
> https://code.google.com/p/google-security-research/issues/detail?id=225
> https://code.google.com/p/google-security-research/issues/detail?id=208

This suggests an important point: CVEs could potentially be tracked by
Adobe, and thus have a relationship to systems on which the CVEs
aren't directly important to vulnerability assessment of a package
with something like pcre or libpcre in its name.

"pcre_compile.cpp" in
https://code.google.com/p/google-security-research/issues/detail?id=208
might indicate that Adobe has a fork.
http://vcs.pcre.org/pcre/code/trunk/ has the pcre_compile.c filename,
and http://vcs.pcre.org/pcre2/code/trunk/src/ has the pcre2_compile.c
filename.

JavaScript may be "something else" in most cases, e.g.,

  http://blog.chromium.org/2009/02/irregexp-google-chromes-new-regexp.html
  https://github.com/v8/v8/tree/master/src/regexp
  https://hg.mozilla.org/mozilla-central/file/tip/js/src/irregexp

We haven't looked at whether there are ever attack vectors associated
with untrusted Lua code, e.g., if the Lua code can make use of
something like https://github.com/rrthomas/lrexlib to reach vulnerable
code found in the system's libpcre package.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJWWtlKAAoJEL54rhJi8gl5LOIQAMEU1DlZOAPKO5LbXfBbAeBA
BfBgJbKarzojbDdgZWa0cgT7Fz+ZlJRvmgTYnnhqhscah4jdE4/P2wM5/vn0uZfU
0NaleCEv/jEh9OfPF6DJVd/sABJ2ZcAPMzrjycuLSv1Tytl12djU6+Im/Y7VmZJX
hVJ7C5lukXTvNsV/lHPgIb9gWqlQ+EiMBM5bL0Wrmgy5n1xTq8SjqQuZsDwuP4y6
uh3/Du1DyaTGiMgy7Jw17fUJ3D77/FvmBAtyzTcBAsvpjXJ2pXLQpo1QSac/RI9u
BXZchxI5aHWfYnPOixbTIB18pdosPN8JbB/+lmQSlEMrBWSOhezk46k1lfVep5K5
yjtLyAizPbCymsZQRFVPJgZl6AUVHR17TXHeLWdXo6P4krpwk2m7GOJhSdLCedZL
OGcaz+4EIqDPAGeewjowCRDUcbJaktsOnAwSMjpONl2Q0P4tbvWK53tR7tj9xwTr
xI0M6HJol/+ppBIpwUTk6m2HrxpayXHzhmco4K6ew8xOjh+dUHAFVot5w1xuL7BR
Mxd/tQamdtfdN7be6sxK+GAf5G2HOfi8OpsO3MRMKyf0eMu34quQuhpzfLQSPc8L
LyK2sHxuBnN5corqcnkqKuEwfNYUYeARlVOub+M1EmrWM78lmoGD6i/KgMz5ZS/Z
j9ug7RgBt+78I32b76y4
=hUsw
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ