Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 28 Nov 2015 21:06:01 -0800
From: Michal Zalewski <lcamtuf@...edump.cx>
To: oss-security <oss-security@...ts.openwall.com>
Cc: Hanno Böck <hanno@...eck.de>, 
	Assign a CVE Identifier <cve-assign@...re.org>
Subject: Re: Re: Heap Overflow in PCRE

> Most PCRE findings have a requirement that the attacker is able to
> provide an arbitrary regular expression in a way that crosses a
> privilege boundary.
> http://www.pcre.org/current/doc/html/pcre2pattern.html implies that
> this is relevant to the PCRE security model, i.e., the reference to
> "applications that allow their users to supply patterns." We've
> mentioned this before in
> http://www.openwall.com/lists/oss-security/2015/09/08/8 but we're
> still unaware of any specific application that meets this requirement

Languages such as Flash or JavaScript, where untrusted parties are
allowed to specify regular expression patterns that are compiled by an
underlying regex library - be it PCRE or something else. Examples:

https://code.google.com/p/google-security-research/issues/detail?id=225
https://code.google.com/p/google-security-research/issues/detail?id=208

/mz

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.