Bug 373021 - (CVE-2006-7224) CVE-2006-7224 pcre multiple integer overflows
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware/OS: All Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
URL: http://nvd.nist.gov/nvd.cfm?cvename=C...
Whiteboard: source=cve,reported=20071108,public=2...
Keywords: Security
Depends On: 373421 373431 373441 373451 378401 CVE-2006-7227 CVE-2005-4872 CVE-2006-7228
Reported: 2007-11-09 10:45 EST by Tomas Hoger
Modified: 2016-03-04 06:18 EST (History)
Doc Type: Bug Fix
Last Closed: 2008-01-11 12:40:42 EST
Attachments: None

Description Tomas Hoger 2007-11-09 10:45:25 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2006-7224 to the following vulnerability:

Multiple integer overflows in Perl-Compatible Regular Expression (PCRE) library before 6.7 allow context-dependent attackers to execute arbitrary code via a regular expression containing (1) a large number of named subpatterns (name_count), (2) long subpattern names (max_name_size), (3) a repeated subpattern with a long name, or (4) an unspecified vector involving the (a) max, (b) min, and (c) duplength variables in the length calculation in pcre_compile.

References:

http://scary.beasts.org/security/CESA-2007-006.html
http://www.pcre.org/changelog.txt
http://secunia.com/advisories/27582
Comment 1 Tomas Hoger 2007-11-09 11:06:33 EST
The integer overflow mentioned in 1) of CESA-2007-006 occurs in the named subpattern
handling code.  Named subpatterns were introduced in PCRE 4.0 (see pcre(3)) and
the problem was addressed in release 6.7 by using hard-coded limits on the maximal
length of a subpattern name and the maximal subpattern count.

Reference in PCRE changelog for version 6.7:

10. There was no check on the number of named subpatterns nor the maximum
    length of a subpattern name. The product of these values is used to compute
    the size of the memory block for a compiled pattern. By supplying a very
    long subpattern name and a large number of named subpatterns, the size
    computation could be caused to overflow. This is now prevented by limiting
    the length of names to 32 characters, and the number of named subpatterns
    to 10,000.

Limits are set in config.h:

#define MAX_NAME_SIZE 32
#define MAX_NAME_COUNT 10000


Issue 2) in CESA-2007-006 does not seem related to the integer overflow described in
1) and does not seem to affect our PCRE 6.6, 7.0 or 7.3.
Comment 13 Tomas Hoger 2007-11-13 12:14:38 EST
The second issue is the following change from 6.2:

 5. Named capturing subpatterns were not being correctly counted when a pattern
    was compiled. This caused two problems: (a) If there were more than 100
    such subpatterns, the calculation of the memory needed for the whole
    compiled pattern went wrong, leading to an overflow error. (b) Numerical
    back references of the form \12, where the number was greater than 9, were
    not recognized as back references, even though there were sufficient
    previous subpatterns.
Comment 14 Tomas Hoger 2007-11-13 12:23:08 EST
The third issue should be the following change from 6.7:

11. Subpatterns that are repeated with specific counts have to be replicated in
    the compiled pattern. The size of memory for this was computed from the
    length of the subpattern and the repeat count. The latter is limited to
    65535, but there was no limit on the former, meaning that integer overflow
    could in principle occur. The compiled length of a repeated subpattern is
    now limited to 30,000 bytes in order to prevent this.
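The overflow pattern described in Comment 1 and Comment 14 is the same in both cases: a memory size is computed as the product of two pattern-controlled factors before anything checks that the product fits. The following C program is an added example, not PCRE's code and not part of this bug report. It models the unchecked product in 32-bit unsigned arithmetic so the wraparound is visible, and beside it the checked form that applies the 6.7 limits quoted above (MAX_NAME_SIZE, MAX_NAME_COUNT, the 65535 repeat cap and the 30,000-byte compiled-length cap) before multiplying. The function names and the inputs in main are my own constructions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hard limits added in PCRE 6.7's config.h (quoted in Comment 1). */
#define MAX_NAME_SIZE  32
#define MAX_NAME_COUNT 10000

/* Limits from changelog item 11 (quoted in Comment 14): repeat counts are
   capped at 65535 and the compiled length of a repeated subpattern at 30,000. */
#define MAX_REPEAT_COUNT            65535
#define MAX_REPEATED_SUBPATTERN_LEN 30000

/* Unchecked 32-bit model of a "count times size" memory computation. This is
   a simplified stand-in for the pre-6.7 logic, not PCRE's actual code:
   unsigned arithmetic wraps modulo 2^32, so a huge product silently becomes
   a small number and a buffer sized from it is too short for the data. */
uint32_t unchecked_size(uint32_t count, uint32_t size)
{
    return count * size;
}

/* Checked computation of the named-subpattern table size: enforce the 6.7
   limits first, then refuse any product that would not fit in 32 bits. */
bool checked_name_table_size(uint32_t name_count, uint32_t name_size, uint32_t *out)
{
    if (name_count > MAX_NAME_COUNT || name_size > MAX_NAME_SIZE)
        return false;
    /* Within the limits the product is at most 320,000, so this test is only
       a guard against the limits being raised later without revisiting it. */
    if (name_size != 0 && name_count > UINT32_MAX / name_size)
        return false;
    *out = name_count * name_size;
    return true;
}

/* Checked computation of the space for a subpattern replicated 'repeat'
   times: both factors are bounded, and the product is verified anyway. */
bool checked_repeat_size(uint32_t sub_len, uint32_t repeat, uint32_t *out)
{
    if (sub_len > MAX_REPEATED_SUBPATTERN_LEN || repeat > MAX_REPEAT_COUNT)
        return false;
    if (sub_len != 0 && repeat > UINT32_MAX / sub_len)
        return false;
    *out = sub_len * repeat;
    return true;
}

int main(void)
{
    uint32_t n;

    /* Constructed input: 65536 names of 65536 bytes each wraps to exactly 0. */
    printf("unchecked 65536*65536 = %u\n", unchecked_size(65536u, 65536u));
    printf("checked form rejects it: %s\n",
           checked_name_table_size(65536u, 65536u, &n) ? "no" : "yes");

    if (checked_name_table_size(MAX_NAME_COUNT, MAX_NAME_SIZE, &n))
        printf("largest accepted name table: %u bytes\n", n);
    if (checked_repeat_size(MAX_REPEATED_SUBPATTERN_LEN, MAX_REPEAT_COUNT, &n))
        printf("largest accepted replicated subpattern: %u bytes\n", n);
    return 0;
}
```

The hard limits do the real work here: once both factors are bounded, the product is bounded too, which is why the 6.7 fix could be a pair of constants rather than overflow arithmetic throughout pcre_compile. The explicit division check is kept so that the invariant is enforced in code rather than only in the comment next to the constants.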
Comment 23 Josh Bressers 2007-11-14 15:55:53 EST
This CVE id should not be used. Please see

bug 383341 - CVE-2006-7227
bug 383361 - CVE-2005-4827
bug 383371 - CVE-2006-7228
Comment 24 Mark J. Cox (Product Security) 2007-11-15 05:17:47 EST
Typo above, should be CVE-2005-4872 not CVE-2005-4827

Comment 25 Tomas Hoger 2008-01-11 12:40:42 EST
This CVE id was split into three, each covering one issue:

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: CVE-2006-7227, CVE-2005-4872, CVE-2006-7228.
Reason: this candidate was SPLIT into other identifiers in order to reflect
different affected versions and distinct vendor fixes.
Notes: All CVE users should consult CVE-2006-7227, CVE-2005-4872, and
CVE-2006-7228 to determine which ID is appropriate. All references and
descriptions in this candidate have been removed to prevent accidental usage.

CVE-2006-7227, CVE-2005-4872, CVE-2006-7228 were addressed in errata for
affected product versions.
