Bug 307451 - Multiple PCRE flaws
Summary: Multiple PCRE flaws
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: CVE-2007-1659 CVE-2007-1660 378411 CVE-2007-4766 CVE-2007-4767 CVE-2007-4768 CVE-2007-1662 CVE-2007-1661
TreeView+ depends on / blocked
Reported: 2007-09-26 17:32 UTC by Josh Bressers
Modified: 2019-09-29 12:21 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2008-03-06 17:06:21 UTC

Attachments (Terms of Use)
Testsuite extracted from the pcre 7.4 release. (130.76 KB, application/x-gzip)
2007-09-27 18:14 UTC, Josh Bressers
no flags Details

Description Josh Bressers 2007-09-26 17:32:22 UTC
Tavis Ormandy of the Google Security Team reported multiple pcre regular
expressions flaws.  Here are the details pasted from Tavis' mail:

unmatched \Q\E sequences with orphan \E codes can cause the compiled
regex to become desynchronized, resulting in corrupt bytecode that may
result in multiple exploitable conditions. This was inadvertently
fixed by the pcre maintainer in version 7.0, however another case of a
lone \E inside a character class remained, this has been fixed in 7.3

multiple forms of character class had their sizes miscalculated on
initial passes, resulting in too little memory being allocated, this
was also inadvertently fixed in version 7.0, where the compile phase
was entirely re-engineered (and much improved, from a security

multiple patterns of the form  \X?\d or \P{L}?\d in non-UTF-8 mode
could backtrack before the start of the string, possibly leaking
information from the address space, or causing a crash by reading out
of bounds.

a number of routines can be fooled into reading past the end of an
string looking for unmatched parentheses or brackets, resulting in a
denial of service.

Multiple integer overflows in the processing of escape sequences could
result in heap overflows or out of bounds reads/writes.

Multiple infinite loops and heap overflows were disovered in the
handling of \P and \P{x} sequences, where the length of these
non-standard operations was mishandled.

Character classes containing a lone unicode sequence were incorrectly
optimised, resulting in a heap overflow.

Comment 4 Josh Bressers 2007-09-27 18:14:11 UTC
Created attachment 208861 [details]
Testsuite extracted from the pcre 7.4 release.

This testsuite has been modified to run on any system with pcre installed.

Comment 7 Mark J. Cox 2007-10-29 10:13:31 UTC
Note from Tavis Ormandy

CVE-2007-2467 is a typo, should be CVE-2007-4767
CVE-2007-2468 is a typo, should be CVE-2007-4768

Comment 8 Tomas Hoger 2007-11-12 18:03:45 UTC
All issues are public now, lifting embargo.

Comment 9 Tomas Hoger 2008-03-06 17:06:21 UTC
Bugs for each issue is closed now, closing this one as well.

Note You need to log in before you can comment on or make changes to this bug.