Bug 383341 - (CVE-2006-7227) CVE-2006-7227 pcre integer overflow
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
Version: unspecified
Platform: All Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: source=cve,reported=20071108,public=2...
Keywords: Security
Depends On: 411731 413871 414271
Blocks: CVE-2006-7224
Reported: 2007-11-14 15:49 EST by Josh Bressers
Modified: 2016-03-04 06:21 EST (History)

Doc Type: Bug Fix
Last Closed: 2008-01-11 12:37:47 EST
Description Josh Bressers 2007-11-14 15:49:21 EST
CVE-2006-7224 initially described several integer overflows in pcre, all
described here:
http://scary.beasts.org/security/CESA-2007-006.html

This id should be used to describe issue #1 in that advisory:

1) Integer overflow leading to buffer overflow.

pcre_compile:
---
/* Compute the size of data block needed and get it, either from malloc or
externally provided function. */

size = length + sizeof(real_pcre) + name_count * (max_name_size + 3);
re = (real_pcre *)(pcre_malloc)(size);
---

Unfortunately, a malicious regex can easily cause large "name_count" and
"max_name_size" such that this calculation overflows. Demo:

(?P)(?P<0>)(?P<1>)...fill in this sequence...(?P<4293>)
Comment 1 Tomas Hoger 2007-11-15 05:54:14 EST
Reference in PCRE changelog for version 6.7:

10. There was no check on the number of named subpatterns nor the maximum
    length of a subpattern name. The product of these values is used to compute
    the size of the memory block for a compiled pattern. By supplying a very
    long subpattern name and a large number of named subpatterns, the size
    computation could be caused to overflow. This is now prevented by limiting
    the length of names to 32 characters, and the number of named subpatterns
    to 10,000.
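As an added illustration, not part of this bug report and not PCRE's own code, the following C program contrasts the unchecked size computation quoted in the description with a defensive version that applies the 32-character name-length and 10,000 named-subpattern limits from the 6.7 changelog entry above and also checks each intermediate for overflow. The real_pcre_like struct, the function names and the input values are constructed for the example; the real real_pcre header has a different size, but only the size participates in the arithmetic.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for PCRE's real_pcre header struct (constructed for
   this example); only its size takes part in the computation. */
typedef struct { unsigned char header[64]; } real_pcre_like;

/* Limits adopted in PCRE 6.7 according to the changelog entry quoted above. */
#define NAME_SIZE_LIMIT   32u
#define NAME_COUNT_LIMIT  10000u

/* Unchecked computation with the same shape as the quoted pcre_compile
   expression. The arithmetic is done in 32-bit unsigned integers so that the
   wrap-around is well defined here; the original used int operands, where the
   overflow is undefined behaviour that in practice wraps the same way. */
uint32_t unchecked_block_size(uint32_t length, uint32_t name_count, uint32_t max_name_size)
{
    return length + (uint32_t)sizeof(real_pcre_like) + name_count * (max_name_size + 3u);
}

/* Defensive version: enforce the 6.7 limits and additionally verify every
   intermediate before trusting the result. Returns 0 and writes the size to
   *out on success, -1 if the inputs are rejected. */
int checked_block_size(uint32_t length, uint32_t name_count, uint32_t max_name_size, uint32_t *out)
{
    if (name_count > NAME_COUNT_LIMIT || max_name_size > NAME_SIZE_LIMIT)
        return -1;                              /* the limits introduced in 6.7 */

    uint32_t per_name = max_name_size + 3u;     /* cannot wrap: max_name_size <= 32 */
    if (per_name != 0 && name_count > UINT32_MAX / per_name)
        return -1;                              /* name_count * per_name would wrap */
    uint32_t names = name_count * per_name;

    uint32_t fixed = (uint32_t)sizeof(real_pcre_like);
    if (length > UINT32_MAX - fixed)
        return -1;                              /* length + header would wrap */
    uint32_t partial = length + fixed;
    if (partial > UINT32_MAX - names)
        return -1;                              /* final addition would wrap */
    *out = partial + names;
    return 0;
}

/* Convenience wrapper: the checked size, or 0 when the inputs are rejected. */
uint32_t checked_size_or_zero(uint32_t length, uint32_t name_count, uint32_t max_name_size)
{
    uint32_t out = 0;
    return checked_block_size(length, name_count, max_name_size, &out) == 0 ? out : 0;
}

int main(void)
{
    /* Constructed inputs: 65536 names of up to 65533 characters make the
       product exactly 2^32, which wraps to zero in 32-bit arithmetic, so the
       unchecked formula asks for a 164-byte block to hold 4 GiB of name data. */
    printf("unchecked (65536 names, 65533 chars): %u bytes\n",
           (unsigned)unchecked_block_size(100, 65536, 65533));
    printf("checked   (65536 names, 65533 chars): %s\n",
           checked_size_or_zero(100, 65536, 65533) ? "accepted" : "rejected");
    printf("checked   (3 names, 5 chars):         %u bytes\n",
           (unsigned)checked_size_or_zero(100, 3, 5));
    return 0;
}
```

The limits alone are sufficient here (10,000 * 35 bytes cannot overflow a 32-bit size), but the explicit checks in checked_block_size are the general pattern for any size computation that is derived from attacker-controlled counts and lengths before being passed to malloc.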
Comment 5 Red Hat Product Security 2008-01-11 12:37:47 EST
This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2007-1052.html
