Tavis Ormandy of the Google Security Team reported multiple pcre regular expression flaws. Here are the details pasted from Tavis' mail:

CVE-2007-1659: unmatched \Q\E sequences with orphan \E codes can cause the compiled regex to become desynchronized, resulting in corrupt bytecode that may result in multiple exploitable conditions. This was inadvertently fixed by the pcre maintainer in version 7.0; however, another case of a lone \E inside a character class remained. This has been fixed in 7.3.

CVE-2007-1660: multiple forms of character class had their sizes miscalculated on initial passes, resulting in too little memory being allocated. This was also inadvertently fixed in version 7.0, where the compile phase was entirely re-engineered (and much improved, from a security standpoint).

CVE-2007-1661: multiple patterns of the form \X?\d or \P{L}?\d in non-UTF-8 mode could backtrack before the start of the string, possibly leaking information from the address space, or causing a crash by reading out of bounds.

CVE-2007-1662: a number of routines can be fooled into reading past the end of a string looking for unmatched parentheses or brackets, resulting in a denial of service.

CVE-2007-4766: multiple integer overflows in the processing of escape sequences could result in heap overflows or out of bounds reads/writes.

CVE-2007-2467: multiple infinite loops and heap overflows were discovered in the handling of \P and \P{x} sequences, where the length of these non-standard operations was mishandled.

CVE-2007-2468: character classes containing a lone unicode sequence were incorrectly optimised, resulting in a heap overflow.
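The report above names several pattern shapes that older PCRE releases mishandled at compile time: orphan \E codes (including a lone \E inside a character class), optional \X or \P{..} items followed by further matching, and unbalanced parentheses or brackets that send the parser past the end of the pattern. As an added example, not part of this bug report and not PCRE's own code, here is a small Python pre-check that scans a user-supplied pattern text for those shapes before it is handed to a legacy libpcre, so the caller can reject the pattern (or insist on an upgraded library) instead of compiling it. The function names, the finding messages and the sample patterns are my own constructions; it is a lint over the pattern string only and runs no regex engine.

```python
"""Pre-check for pattern text destined for an older PCRE (constructed example).

lint_pattern() walks the pattern once and reports:
  * orphan \E (no preceding \Q), noting whether it sits inside [...]
  * \Q with no closing \E (quoting runs to end of pattern)
  * optional \X / \p{..} / \P{..} items (the \X?\d and \P{L}?\d shapes)
  * unterminated \p{ / \P{, unterminated '[', and unmatched parentheses
An empty list means none of the listed shapes were found.
"""


def lint_pattern(pattern: str) -> list[str]:
    findings: list[str] = []
    i, n = 0, len(pattern)
    in_quote = False        # inside \Q ... \E, everything is literal except \E
    in_class = False        # inside [ ... ]
    class_start = -1
    paren_depth = 0
    while i < n:
        c = pattern[i]
        if in_quote:
            if c == "\\" and i + 1 < n and pattern[i + 1] == "E":
                in_quote = False
                i += 2
            else:
                i += 1
            continue
        if c == "\\":
            nxt = pattern[i + 1] if i + 1 < n else ""
            if nxt == "":
                findings.append(f"trailing backslash at offset {i}")
                i += 1
                continue
            if nxt == "Q":
                in_quote = True
                i += 2
                continue
            if nxt == "E":
                where = "inside" if in_class else "outside"
                findings.append(f"orphan \\E at offset {i} ({where} a character class)")
                i += 2
                continue
            if nxt in "XpP":
                j = i + 2                      # end of the escape item
                if nxt in "pP" and j < n and pattern[j] == "{":
                    close = pattern.find("}", j)
                    if close == -1:
                        findings.append(f"unterminated \\{nxt}{{ at offset {i}")
                        j = n
                    else:
                        j = close + 1
                elif nxt in "pP":
                    j += 1                     # single-letter property, e.g. \pL
                if j < n and pattern[j] == "?" and not in_class:
                    findings.append(f"optional \\{nxt} item at offset {i} (\\X?/\\P{{..}}? shape)")
                i = j
                continue
            i += 2                             # any other escape: skip it whole
            continue
        if in_class:
            if c == "]":
                in_class = False
            i += 1
            continue
        if c == "[":
            in_class, class_start = True, i
            if i + 1 < n and pattern[i + 1] == "^":
                i += 1
            if i + 1 < n and pattern[i + 1] == "]":
                i += 1                         # ']' right after '[' or '[^' is literal
            i += 1
            continue
        if c == "(":
            paren_depth += 1
        elif c == ")":
            if paren_depth == 0:
                findings.append(f"unmatched ')' at offset {i}")
            else:
                paren_depth -= 1
        i += 1
    if in_quote:
        findings.append("unterminated \\Q (runs to end of pattern)")
    if in_class:
        findings.append(f"unterminated '[' at offset {class_start}")
    if paren_depth:
        findings.append(f"{paren_depth} unmatched '('")
    return findings


def accept_for_legacy_pcre(pattern: str) -> bool:
    """Gate: only hand the pattern to an old libpcre when no finding is raised."""
    return not lint_pattern(pattern)


if __name__ == "__main__":
    # Constructed sample patterns, one per shape named in the report.
    for p in [r"a\Qb\Ec", r"ab\Ecd", r"[a\E]", r"\X?\d", r"\P{L}?\d", r"(a[b", r"\Qabc"]:
        print(repr(p), "->", lint_pattern(p) or "ok")
```

The gate is deliberately conservative: a balanced \Q...\E or a non-optional \X passes, while every shape the report associates with a compiler or matcher defect is reported with its offset so an operator can log and drop the pattern at the input boundary.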
Created attachment 208861: Testsuite extracted from the pcre 7.4 release. This testsuite has been modified to run on any system with pcre installed.
Note from Tavis Ormandy: CVE-2007-2467 is a typo, should be CVE-2007-4767. CVE-2007-2468 is a typo, should be CVE-2007-4768.
All issues are public now, lifting embargo.
Bugs for each issue are closed now, closing this one as well.