Date: Mon, 29 Feb 2016 16:26:48 -0500 (EST) From: cve-assign@...re.org To: amaris@...hat.com Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: CVE request: Heap buffer overflow in pcretest -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 > Heap-based buffer overread caused by specially crafted input triggering > infinite loop in pcretest.c Can you clarify the threat model for an infinite loop caused by the pcretest.c source code? Our understanding is that pcretest and pcre2test are standalone command-line programs; they are not normally linked into applications that use the PCRE library. This type of bug in pcretest or pcre2test might not have any common associated use case in which an unattended process receives untrusted patterns, and uses a huge amount of CPU time before anyone notices. In other words, a person who has any awareness of running pcretest or pcre2test could observe the long run time, and could apparently recover from the bug by removing the problematic patterns from the set of input patterns, and then running the program again. Obviously, some infinite-loop issues have CVE ID assignments but they are almost always issues in which the use case is realistically unattended (kernel, daemons, CGI scripts, web browsers, network-monitoring tools, general-purpose library code, etc.). If a pattern can result in code execution when pcretest or pcre2test is executed with untrusted input, then a CVE ID could be considered. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJW1LMNAAoJEL54rhJi8gl5JIsP/jgsHL19qJdWD8LwgxXqlhSp 4WhvoC0kxG/vwKLMKMWh/ofKvV4qF5JY7lpX3s5JFsoZ4FZbizGiPFOYCcF7q/d+ lwBUmyalBjzqaQReuFvS+TZaNVgVUzlaJ40E0E6d3NoTfZCrD28N+ciVzDKpS2SX Fz0svDJMYANQz5Yl15uRMC+3RNkQtLoomxXpO3IhQwboCbmEE2XJUXU0xXBATVHf qhzyGsMGa8GRdtKzPY4vYMuGnbfVkCbNzitxjIvFS8zbWtx+ZtqIRiPEFJgwYdRN F6REM9tSIDtobLp31+PJrez4AVDT28khm7xjOmcEjtG4zBWQ2iJ/LiuqJzpjWOPR NWZjghKZ3pMRIa8h7ygKWHhaYwD9AeSFD3yfyh9gMMqpx65a+QZF7sUlSOkO9bWA NOsr3U8c0Vfnf+gsk+SznvaQGTfrL2orKrYh8fIpO8HKiUQwxKUYbvuuHnJJg9Mf p+FLM9DploIuGcig4lZ00wi4JzQzCoQdjSpsYMf9xG7pTJzj2qjR3P74RSMax/CY bkLGz7J0eE+Ztfxantgajl4jOW0nBx9XcJjV2hstvwYVNkDkrWXw93zbPlMVAajm hQ+sEJyJN1ggENvM+pyGDVC2e03eeh1WOiQyzR9Y4hbQ+HXkphhQqLsp6FYs3ymA OvK05MdCdUMXe0k14PeN =mSgo -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ