Date: Wed, 12 Aug 2015 13:57:38 -0700 From: Shannon Sabens <zdi-disclosures@...pingpoint.com> To: Huzaifa Sidhpurwala <huzaifas@...hat.com>, oss-security@...ts.openwall.com, Mitre CVE assign department <cve-assign@...re.org> Cc: zdi-disclosures@...pingpoint.com Subject: Re: CVE Request: Information disclosure in pcre Hello, Re-ping on this? Thank you. Shannon On 8/3/2015 11:21 PM, Huzaifa Sidhpurwala wrote: > Hi All, > > It was reported that pcre_exec in PHP pcre extenstion partially > initialize a buffer when an invalid regex is processed, which can lead > to an arbitrary code execution. > > https://bugs.exim.org/show_bug.cgi?id=1537 > > This patch has been committed upstream via: > http://vcs.pcre.org/pcre/code/trunk/pcre_exec.c?r1=1502&r2=1510 > > And is a part of upstream release pcre-8.37 > > This was initially reported by ZDI (ZDI-CAN-2547), but it seems there > was no follow-up. > > Can a CVE id be please assigned to this issue? >
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.