Common Vulnerabilities and Exposures assigned an identifier CVE-2006-7224 to the following vulnerability:

Multiple integer overflows in Perl-Compatible Regular Expression (PCRE) library before 6.7 allow context-dependent attackers to execute arbitrary code via a regular expression containing (1) a large number of named subpatterns (name_count), (2) long subpattern names (max_name_size), (3) a repeated subpattern with a long name, or (4) an unspecified vector involving the (a) max, (b) min, and (c) duplength variables in the length calculation in pcre_compile.

References:
http://scary.beasts.org/security/CESA-2007-006.html
http://www.pcre.org/changelog.txt
http://secunia.com/advisories/27582
The integer overflow mentioned in 1) of CESA-2007-006 occurs in the named subpattern handling code. Named subpatterns were introduced in PCRE 4.0 (see pcre(3)) and the problem was addressed in release 6.7 by using hard-coded limits on the maximal length of a subpattern name and the maximal subpattern count. Reference in the PCRE changelog for version 6.7:

  10. There was no check on the number of named subpatterns nor the maximum length of a subpattern name. The product of these values is used to compute the size of the memory block for a compiled pattern. By supplying a very long subpattern name and a large number of named subpatterns, the size computation could be caused to overflow. This is now prevented by limiting the length of names to 32 characters, and the number of named subpatterns to 10,000.

Limits are set in config.h:

  #define MAX_NAME_SIZE 32
  #define MAX_NAME_COUNT 10000

Issue 2) in CESA-2007-006 does not seem related to the integer overflow described in 1) and does not seem to affect our PCRE 6.6, 7.0 or 7.3.
The second issue is the following change from 6.2:

  5. Named capturing subpatterns were not being correctly counted when a pattern was compiled. This caused two problems: (a) If there were more than 100 such subpatterns, the calculation of the memory needed for the whole compiled pattern went wrong, leading to an overflow error. (b) Numerical back references of the form \12, where the number was greater than 9, were not recognized as back references, even though there were sufficient previous subpatterns.
The third issue should be the following change from 6.7:

  11. Subpatterns that are repeated with specific counts have to be replicated in the compiled pattern. The size of memory for this was computed from the length of the subpattern and the repeat count. The latter is limited to 65535, but there was no limit on the former, meaning that integer overflow could in principle occur. The compiled length of a repeated subpattern is now limited to 30,000 bytes in order to prevent this.
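To make the two length-calculation overflows above concrete (the name_count * max_name_size product from changelog item 10, and the subpattern-length * repeat-count product from item 11), here is an added illustration written for this bug, not code from PCRE itself. It models the unchecked product in 32-bit arithmetic, then shows the fix pattern PCRE 6.7 adopted: reject inputs beyond hard limits (the MAX_NAME_SIZE / MAX_NAME_COUNT values quoted above and the 30,000-byte repeated-subpattern cap) before computing, and guard the multiplication explicitly. The "+ 3" per-entry overhead and the function names are assumptions for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Limits introduced in PCRE 6.7 (config.h), as quoted in this bug. */
#define MAX_NAME_SIZE   32
#define MAX_NAME_COUNT  10000
/* Repeat counts were already capped at 65535; 6.7 added the 30,000-byte cap on the
   compiled length of a repeated subpattern (changelog item 11). */
#define MAX_REPEAT_COUNT  65535
#define MAX_REPEAT_LENGTH 30000

/* Model of the pre-6.7 size computation: a product of two pattern-controlled
   values evaluated in 32-bit arithmetic. The "+ 3" models per-entry overhead
   (2-byte number plus terminating NUL) and is an assumption, not the page's figure. */
uint32_t name_table_size_unchecked(uint32_t name_count, uint32_t max_name_size)
{
    return name_count * (max_name_size + 3);   /* wraps silently once the product exceeds 2^32 */
}

/* Hardened version: enforce the hard limits first, then compute in size_t with an
   explicit overflow guard. Returns 0 on success (size in *out), -1 if rejected. */
int name_table_size_checked(uint32_t name_count, uint32_t max_name_size, size_t *out)
{
    if (name_count > MAX_NAME_COUNT || max_name_size > MAX_NAME_SIZE)
        return -1;
    size_t entry = (size_t)max_name_size + 3;
    if (name_count != 0 && entry > SIZE_MAX / name_count)   /* product would overflow size_t */
        return -1;
    *out = (size_t)name_count * entry;
    return 0;
}

/* Same pattern for the third issue: compiled length of a subpattern times its repeat count.
   Both factors are bounded before the multiplication is attempted. */
int repeated_length_checked(size_t sub_len, uint32_t repeat_count, size_t *out)
{
    if (sub_len > MAX_REPEAT_LENGTH || repeat_count > MAX_REPEAT_COUNT)
        return -1;
    if (repeat_count != 0 && sub_len > SIZE_MAX / repeat_count)
        return -1;
    *out = sub_len * repeat_count;
    return 0;
}

int main(void)
{
    size_t n;
    /* Constructed oversized input: 200000 names of 30000 bytes each.
       True product is 6000600000, which does not fit in 32 bits. */
    printf("unchecked product: %u (true value 6000600000)\n",
           (unsigned)name_table_size_unchecked(200000, 30000));
    printf("checked, oversized input: %d\n", name_table_size_checked(200000, 30000, &n));
    if (name_table_size_checked(5, 10, &n) == 0)
        printf("checked, sane input: %zu bytes\n", n);
    if (repeated_length_checked(100, 65535, &n) == 0)
        printf("repeated subpattern: %zu bytes\n", n);
    return 0;
}
```

The point of the ordering is that the limit checks alone make the later multiplication safe (10000 * 35 and 30000 * 65535 both fit comfortably), so the SIZE_MAX guard is belt-and-braces; the wrapped value printed by the unchecked variant is what a heap allocation would have been sized from before 6.7.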
This CVE id should not be used. Please see:

  bug 383341 - CVE-2006-7227
  bug 383361 - CVE-2005-4827
  bug 383371 - CVE-2006-7228
Typo above, should be CVE-2005-4872 not CVE-2005-4827
This CVE id was split to three, each covering one issue:

  ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
  ConsultIDs: CVE-2006-7227, CVE-2005-4872, CVE-2006-7228.
  Reason: this candidate was SPLIT into other identifiers in order to reflect different affected versions and distinct vendor fixes.
  Notes: All CVE users should consult CVE-2006-7227, CVE-2005-4872, and CVE-2006-7228 to determine which ID is appropriate. All references and descriptions in this candidate have been removed to prevent accidental usage.

CVE-2006-7227, CVE-2005-4872, CVE-2006-7228 were addressed in errata for affected product versions.