Bug 384801 (CVE-2006-7230)
| Summary: | CVE-2006-7230 pcre miscalculation of memory requirements if options are changed during pattern compilation | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Tomas Hoger <thoger> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | Keywords: | Security |
| Severity: | high | Priority: | high |
| Version: | unspecified | CC: | kasal, omoris, security-response-team |
| Hardware: | All | OS: | Linux |
| URL: | http://www.pcre.org/changelog.txt | Doc Type: | Bug Fix |
| Last Closed: | 2008-01-11 17:34:02 UTC | Bug Depends On: | 380511, 380521, 380531, 380541, 411731, 413871, 414271 |

Now public via SUSE advisory, removing embargo.

This issue was addressed in:

Red Hat Enterprise Linux:
http://rhn.redhat.com/errata/RHSA-2007-1059.html
http://rhn.redhat.com/errata/RHSA-2007-1068.html

From pcre changelog, version 7.0:

4. Fixed a major bug that caused incorrect computation of the amount of memory required for a compiled pattern when options that changed within the pattern affected the logic of the preliminary scan that determines the length. The relevant options are -x, and -i in UTF-8 mode. The result was that the computed length was too small. The symptoms of this bug were either the PCRE error "internal error: code overflow" from pcre_compile(), or a glibc crash with a message such as "pcretest: free(): invalid next size (fast)". Examples of patterns that provoked this bug (shown in pcretest format) are:

    /(?-x: )/x
    /(?x)(?-x: \s*#\s*)/
    /((?i)[\x{c0}])/8
    /(?i:[\x{c0}])/8

HOWEVER: Change 17 below makes this fix obsolete as the memory computation is now done differently.

Acknowledgements:

Red Hat would like to thank Ludwig Nussel for reporting this issue.
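
An added illustration, not part of this bug report and not PCRE's source: a simplified C model of the failure mode the changelog entry describes, where a length pre-scan that ignores an inline option change sizes the buffer smaller than the code the real compile pass emits. The toy opcode encoding and the names `walk` and `compile` are assumptions; only the `x` option in its scoped form is modelled, using the first changelog pattern compiled with `/x`.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model (assumption, not PCRE code). walk() is both the length pre-scan
 * (out == NULL) and the emitter; only (?x: and (?-x: groups are modelled.
 * track == 0 mimics a pre-scan that is blind to inline option changes. */
static long walk(const char *p, int x, int track, unsigned char *out, size_t cap) {
    int saved[8], depth = 0;
    size_t n = 0;
    for (; *p; p++) {
        unsigned char op[2]; size_t k = 0;
        if (x && *p == ' ') continue;        /* extended mode: whitespace ignored */
        if (p[0] == '(' && p[1] == '?') {
            int neg = (p[2] == '-');
            const char *q = p + 2 + neg;
            if (*q != 'x' || q[1] != ':' || depth == 8) return -2;
            saved[depth++] = x;              /* remember the outer setting */
            if (track) x = !neg;
            op[k++] = '(';
            p = q + 1;
        } else if (*p == ')') {
            if (depth == 0) return -2;
            x = saved[--depth];              /* option scope ends with the group */
            op[k++] = ')';
        } else {
            op[k++] = 'L'; op[k++] = (unsigned char)*p;   /* opcode + character */
        }
        if (out && n + k > cap) return -1;   /* bounded: refuse, never overrun */
        if (out) memcpy(out + n, op, k);
        n += k;
    }
    return depth ? -2 : (long)n;
}

/* Returns units emitted, -1 for "code overflow", -2 for unsupported syntax. */
static long compile(const char *pat, int x, int prescan_tracks) {
    long need = walk(pat, x, prescan_tracks, NULL, 0);
    if (need < 0) return need;
    unsigned char *code = malloc((size_t)need + 1);
    if (!code) return -2;
    long got = walk(pat, x, 1, code, (size_t)need);   /* real pass tracks options */
    free(code);
    return got;
}

int main(void) {
    printf("%ld %ld\n", compile("(?-x: )", 1, 0), compile("(?-x: )", 1, 1));
    return 0;
}
```

In this model the bounds check in the emitter turns the undersized buffer into an error return; without such a check the same mismatch would write past the allocation.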