Bug 307451 - Multiple PCRE flaws
Product: Security Response
Classification: Other
Component: vulnerability
Platform: All Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
Keywords: Security
Depends On: CVE-2007-1659, CVE-2007-1660, 378411, CVE-2007-4766, CVE-2007-4767, CVE-2007-4768, CVE-2007-1662, CVE-2007-1661
Reported: 2007-09-26 13:32 EDT by Josh Bressers
Modified: 2010-09-30 05:19 EDT
Doc Type: Bug Fix
Last Closed: 2008-03-06 12:06:21 EST

Attachments:
Testsuite extracted from the pcre 7.4 release. (130.76 KB, application/x-gzip), 2007-09-27 14:14 EDT, Josh Bressers

Description Josh Bressers 2007-09-26 13:32:22 EDT
Tavis Ormandy of the Google Security Team reported multiple pcre regular
expression flaws.  Here are the details pasted from Tavis' mail:

Unmatched \Q\E sequences with orphan \E codes can cause the compiled
regex to become desynchronized, resulting in corrupt bytecode that may
result in multiple exploitable conditions. This was inadvertently
fixed by the pcre maintainer in version 7.0; however, another case of a
lone \E inside a character class remained. This has been fixed in 7.3.

Multiple forms of character class had their sizes miscalculated on
initial passes, resulting in too little memory being allocated. This
was also inadvertently fixed in version 7.0, where the compile phase
was entirely re-engineered (and much improved, from a security

Multiple patterns of the form \X?\d or \P{L}?\d in non-UTF-8 mode
could backtrack before the start of the string, possibly leaking
information from the address space, or causing a crash by reading out
of bounds.

A number of routines can be fooled into reading past the end of a
string looking for unmatched parentheses or brackets, resulting in a
denial of service.

Multiple integer overflows in the processing of escape sequences could
result in heap overflows or out-of-bounds reads/writes.

Multiple infinite loops and heap overflows were discovered in the
handling of \P and \P{x} sequences, where the length of these
non-standard operations was mishandled.

Character classes containing a lone unicode sequence were incorrectly
optimised, resulting in a heap overflow.
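Added illustration of the first two flaw classes above (size-pass / emit-pass desynchronization on an orphan \E, and an under-estimated allocation). This is not PCRE's code, nor part of the report or of Tavis's test cases: it is a deliberately minimal two-pass regex compiler in C whose size pass and emit pass were written separately and disagree about a lone \E, beside a hardened version that drives both passes from one tokenizer and refuses to write past the pre-computed length. Every name (size_pass_vuln, emit_pass_vuln, desync_bytes, next_token, compile_safe, safe_byte), the two-opcode bytecode and the sample patterns are invented for the example; the pattern syntax is reduced to literals, \x escapes and \Q...\E.

```c
/*
 * Constructed toy, not PCRE: a regex compiler that pre-computes bytecode
 * size in one pass and emits in a second. When the two passes disagree
 * about a construct (here an orphan \E with no open \Q), the emit pass
 * needs more bytes than the size pass allocated: a heap overflow in a
 * real compiler. Bytecode: OP_CHAR c (2 bytes) ... OP_END (1 byte).
 */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

enum { OP_CHAR = 1, OP_END = 2 };

/* ---- Vulnerable pair: independently written, they disagree on orphan \E ---- */

/* Size pass: any \E costs 0 bytes, whether or not a \Q is open. */
static size_t size_pass_vuln(const char *p)
{
    size_t n = 0;
    int inq = 0;
    while (*p) {
        if (p[0] == '\\' && p[1] == 'Q' && !inq) { inq = 1; p += 2; }
        else if (p[0] == '\\' && p[1] == 'E')    { inq = 0; p += 2; }
        else if (p[0] == '\\' && p[1] && !inq)   { n += 2; p += 2; }   /* \x -> literal x */
        else                                     { n += 2; p += 1; }
    }
    return n + 1;                                                     /* OP_END */
}

/* Emit pass: an orphan \E is not recognised as a terminator, falls through
 * to the generic \x rule and becomes a 2-byte literal 'E'. Writes are
 * bounded by cap only so this demo cannot corrupt memory itself; the
 * return value is the size the pattern really needs. */
static size_t emit_pass_vuln(const char *p, uint8_t *out, size_t cap)
{
    size_t n = 0;
    int inq = 0, lit;
    while (*p) {
        if (p[0] == '\\' && p[1] == 'Q' && !inq) { inq = 1; p += 2; continue; }
        if (p[0] == '\\' && p[1] == 'E' && inq)  { inq = 0; p += 2; continue; }
        if (p[0] == '\\' && p[1] && !inq)        { lit = (uint8_t)p[1]; p += 2; }
        else                                     { lit = (uint8_t)p[0]; p += 1; }
        if (n + 2 <= cap) { out[n] = OP_CHAR; out[n + 1] = (uint8_t)lit; }
        n += 2;
    }
    if (n < cap) out[n] = OP_END;
    return n + 1;
}

/* Bytes by which an unchecked emit into a size_pass_vuln() allocation would
 * overrun the heap block; 0 means both passes agree on this pattern. */
size_t desync_bytes(const char *pat)
{
    size_t est = size_pass_vuln(pat);
    size_t need = emit_pass_vuln(pat, NULL, 0);
    return need > est ? need - est : 0;
}

/* ---- Hardened: one tokenizer feeds both passes, and the emitter is bounded ---- */

/* Consumes one construct and returns the pattern bytes eaten. *lit is the
 * literal to emit, or -1 if nothing is emitted. An orphan \E is ignored,
 * which is the documented PCRE behaviour for an isolated \E. */
static int next_token(const char *p, int *inq, int *lit)
{
    if (p[0] == '\\' && p[1] == 'Q' && !*inq) { *inq = 1; *lit = -1; return 2; }
    if (p[0] == '\\' && p[1] == 'E')          { *inq = 0; *lit = -1; return 2; }
    if (p[0] == '\\' && p[1] && !*inq)        { *lit = (uint8_t)p[1]; return 2; }
    *lit = (uint8_t)p[0];
    return 1;
}

/* Returns the bytecode length and sets *out (caller frees), or 0 with *out NULL. */
size_t compile_safe(const char *pat, uint8_t **out)
{
    size_t est = 1, n = 0;
    int inq = 0, lit;
    const char *p;
    for (p = pat; *p; ) { p += next_token(p, &inq, &lit); if (lit >= 0) est += 2; }
    uint8_t *buf = malloc(est);
    if (!buf) { *out = NULL; return 0; }
    inq = 0;
    for (p = pat; *p; ) {
        p += next_token(p, &inq, &lit);
        if (lit < 0) continue;
        if (n + 2 >= est) { free(buf); *out = NULL; return 0; }   /* never trust the estimate */
        buf[n++] = OP_CHAR;
        buf[n++] = (uint8_t)lit;
    }
    buf[n++] = OP_END;
    *out = buf;
    return n;
}

/* Check helper: byte idx of compile_safe(pat)'s output, or -1 if out of range. */
int safe_byte(const char *pat, size_t idx)
{
    uint8_t *bc;
    size_t n = compile_safe(pat, &bc);
    int v = (bc && idx < n) ? bc[idx] : -1;
    free(bc);
    return v;
}

int main(void)
{
    const char *pats[] = { "a\\Eb", "\\Qa+\\E", "\\E\\E\\E", "x\\.y" };   /* constructed samples */
    for (size_t i = 0; i < sizeof pats / sizeof *pats; i++) {
        uint8_t *bc;
        size_t n = compile_safe(pats[i], &bc);
        printf("%-10s vulnerable passes desync by %zu byte(s); safe compile: %zu bytes\n",
               pats[i], desync_bytes(pats[i]), n);
        free(bc);
    }
    return 0;
}
```

The number to look at is desync_bytes(): every orphan \E costs the vulnerable pair two bytes of heap overrun, and nothing in either pass can notice. The hardened compiler removes the disagreement at its source (one tokenizer) and, as defence in depth, turns any remaining mismatch into a compile failure rather than an out-of-bounds write.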
Comment 4 Josh Bressers 2007-09-27 14:14:11 EDT
Created attachment 208861
Testsuite extracted from the pcre 7.4 release.

This testsuite has been modified to run on any system with pcre installed.
Comment 7 Mark J. Cox 2007-10-29 06:13:31 EDT
Note from Tavis Ormandy

CVE-2007-2467 is a typo, should be CVE-2007-4767
CVE-2007-2468 is a typo, should be CVE-2007-4768
Comment 8 Tomas Hoger 2007-11-12 13:03:45 EST
All issues are public now, lifting embargo.
Comment 9 Tomas Hoger 2008-03-06 12:06:21 EST
Bugs for each issue are closed now; closing this one as well.