Bug 373021 (CVE-2006-7224)
| Summary: | CVE-2006-7224 pcre multiple integer overflows | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Tomas Hoger <thoger> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | kasal, kreilly, than, zcerza |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-7224 | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2008-01-11 17:40:42 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 373421, 373431, 373441, 373451, 378401, 383341, 383361, 383371 | ||
| Bug Blocks: | |||
|
Description
Tomas Hoger
2007-11-09 15:45:25 UTC
Integer overflow mentioned in 1) of CESA-2007-006 occurs in named subpattern
handling code. Named subpatterns were introduced in PCRE 4.0 (see pcre(3)) and
problem was addressed in release 6.7 by using hard-coded limits on maximal
length of subpattern name and maximal subpattern count.
Reference in PCRE changelog for version 6.7:
10. There was no check on the number of named subpatterns nor the maximum
length of a subpattern name. The product of these values is used to compute
the size of the memory block for a compiled pattern. By supplying a very
long subpattern name and a large number of named subpatterns, the size
computation could be caused to overflow. This is now prevented by limiting
the length of names to 32 characters, and the number of named subpatterns
to 10,000.
Limits are set in config.h:
#define MAX_NAME_SIZE 32
#define MAX_NAME_COUNT 10000
Issue 2) in CESA-2007-006 does not seem related to integer overflow described in
1) and does not seem to affect our PCRE 6.6, 7.0 or 7.3.
Second issue is following change from 6.2:
5. Named capturing subpatterns were not being correctly counted when a pattern
was compiled. This caused two problems: (a) If there were more than 100
such subpatterns, the calculation of the memory needed for the whole
compiled pattern went wrong, leading to an overflow error. (b) Numerical
back references of the form \12, where the number was greater than 9, were
not recognized as back references, even though there were sufficient
previous subpatterns.
Third issue should be following change from 6.7:
11. Subpatterns that are repeated with specific counts have to be replicated in
the compiled pattern. The size of memory for this was computed from the
length of the subpattern and the repeat count. The latter is limited to
65535, but there was no limit on the former, meaning that integer overflow
could in principle occur. The compiled length of a repeated subpattern is
now limited to 30,000 bytes in order to prevent this.
This CVE id should not be used. Please see bug 383341 - CVE-2006-7227 bug 383361 - CVE-2005-4827 bug 383371 - CVE-2006-7228 Typo above, should be CVE-2005-4872 not CVE-2005-4827 This CVE id was split to three, each covering one issue: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2006-7227, CVE-2005-4872, CVE-2006-7228. Reason: this candidate was SPLIT into other identifiers in order to reflect different affected versions and distinct vendor fixes. Notes: All CVE users should consult CVE-2006-7227, CVE-2005-4872, and CVE-2006-7228 to determine which ID is appropriate. All references and descriptions in this candidate have been removed to prevent accidental usage. CVE-2006-7227, CVE-2005-4872, CVE-2006-7228 were addressed in errata for affected product versions. |