Red Hat Bugzilla – Bug 373021
CVE-2006-7224 pcre multiple integer overflows
Last modified: 2016-03-04 06:18:17 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2006-7224 to the following vulnerability:
Multiple integer overflows in Perl-Compatible Regular Expression (PCRE) library before 6.7 allow context-dependent attackers to execute arbitrary code via a regular expression containing (1) a large number of named subpatterns (name_count), (2) long subpattern names (max_name_size), (3) a repeated subpattern with a long name, or (4) an unspecified vector involving the (a) max, (b) min, and (c) duplength variables in the length calculation in pcre_compile.
The integer overflow mentioned in 1) of CESA-2007-006 occurs in the named subpattern
handling code. Named subpatterns were introduced in PCRE 4.0 (see pcre(3)) and
the problem was addressed in release 6.7 by using hard-coded limits on the maximal
length of a subpattern name and the maximal subpattern count.
Reference in PCRE changelog for version 6.7:
10. There was no check on the number of named subpatterns nor the maximum
length of a subpattern name. The product of these values is used to compute
the size of the memory block for a compiled pattern. By supplying a very
long subpattern name and a large number of named subpatterns, the size
computation could be caused to overflow. This is now prevented by limiting
the length of names to 32 characters, and the number of named subpatterns
Limits are set in config.h:
#define MAX_NAME_SIZE 32
#define MAX_NAME_COUNT 10000
Issue 2) in CESA-2007-006 does not seem related to the integer overflow described in
1) and does not seem to affect our PCRE 6.6, 7.0 or 7.3.
The second issue is the following change from 6.2:
5. Named capturing subpatterns were not being correctly counted when a pattern
was compiled. This caused two problems: (a) If there were more than 100
such subpatterns, the calculation of the memory needed for the whole
compiled pattern went wrong, leading to an overflow error. (b) Numerical
back references of the form \12, where the number was greater than 9, were
not recognized as back references, even though there were sufficient
The third issue should be the following change from 6.7:
11. Subpatterns that are repeated with specific counts have to be replicated in
the compiled pattern. The size of memory for this was computed from the
length of the subpattern and the repeat count. The latter is limited to
65535, but there was no limit on the former, meaning that integer overflow
could in principle occur. The compiled length of a repeated subpattern is
now limited to 30,000 bytes in order to prevent this.
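The size computations described in changelog items 10 and 11, as an added example that is not PCRE's code and not part of the bug report: an unbounded 32-bit product wraps, while bounding both factors with the limits quoted above keeps the product in range. The function names and the macro names MAX_REPEAT_COUNT and MAX_DUPLENGTH are assumptions, and the name table is modelled simply as count times name length.

```c
#include <stdint.h>
#include <stdio.h>

/* Limits quoted on this page. The first two names come from config.h;
 * the last two names are hypothetical, their values are from changelog item 11. */
#define MAX_NAME_SIZE     32
#define MAX_NAME_COUNT    10000
#define MAX_REPEAT_COUNT  65535u
#define MAX_DUPLENGTH     30000u

/* The defect class: a 32-bit product with no bounds, which wraps silently. */
static uint32_t unchecked_size(uint32_t count, uint32_t unit)
{
    return count * unit;
}

/* Bound both factors, multiply in 64 bits, and require the result to fit
 * a signed 32-bit length. Returns the size, or -1 if the input is rejected. */
static int64_t checked_size(uint32_t count, uint32_t count_max,
                            uint32_t unit, uint32_t unit_max)
{
    if (count > count_max || unit > unit_max)
        return -1;
    uint64_t wide = (uint64_t)count * unit;
    return wide > INT32_MAX ? -1 : (int64_t)wide;
}

/* Item 10: number of named subpatterns times name length (simplified model). */
static int64_t name_table_size(uint32_t name_count, uint32_t name_size)
{
    return checked_size(name_count, MAX_NAME_COUNT, name_size, MAX_NAME_SIZE);
}

/* Item 11: repeat count times compiled length of the repeated subpattern. */
static int64_t repeat_size(uint32_t repeat, uint32_t duplength)
{
    return checked_size(repeat, MAX_REPEAT_COUNT, duplength, MAX_DUPLENGTH);
}

int main(void)
{
    /* Constructed inputs: 65536 * 65536 = 2^32, which wraps to 0 in 32 bits. */
    printf("unchecked: %u\n", (unsigned)unchecked_size(65536u, 65536u));
    printf("names:     %lld\n", (long long)name_table_size(65536u, 65536u));
    printf("names ok:  %lld\n", (long long)name_table_size(10000u, 32u));
    printf("repeat ok: %lld\n", (long long)repeat_size(65535u, 30000u));
    printf("repeat:    %lld\n", (long long)repeat_size(65535u, 30001u));
    return 0;
}
```

With the page's limits the largest accepted products are 10000 * 32 and 65535 * 30000, both of which fit a signed 32-bit length.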
This CVE id should not be used. Please see
bug 383341 - CVE-2006-7227
bug 383361 - CVE-2005-4827
bug 383371 - CVE-2006-7228
Typo above, should be CVE-2005-4872 not CVE-2005-4827
This CVE id was split into three, each covering one issue:
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: CVE-2006-7227, CVE-2005-4872, CVE-2006-7228.
Reason: this candidate was SPLIT into other identifiers in order to reflect
different affected versions and distinct vendor fixes.
Notes: All CVE users should consult CVE-2006-7227, CVE-2005-4872, and
CVE-2006-7228 to determine which ID is appropriate. All references and
descriptions in this candidate have been removed to prevent accidental usage.
CVE-2006-7227, CVE-2005-4872, CVE-2006-7228 were addressed in errata for
affected product versions.