Bug 384801 - (CVE-2006-7230) CVE-2006-7230 pcre miscalculation of memory requirements if options are changed during pattern compilation
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
high Severity high
Assigned To: Red Hat Product Security
http://www.pcre.org/changelog.txt
source=cve,reported=20071114,public=2...
: Security
Depends On: 380511 380521 380531 380541 411731 413871 414271
Reported: 2007-11-15 10:32 EST by Tomas Hoger
Modified: 2010-09-24 10:42 EDT
Doc Type: Bug Fix
Last Closed: 2008-01-11 12:34:02 EST
Description Tomas Hoger 2007-11-15 10:32:21 EST
From pcre changelog, version 7.0:

4. Fixed a major bug that caused incorrect computation of the amount of memory
    required for a compiled pattern when options that changed within the
    pattern affected the logic of the preliminary scan that determines the
    length. The relevant options are -x, and -i in UTF-8 mode. The result was
    that the computed length was too small. The symptoms of this bug were
    either the PCRE error "internal error: code overflow" from pcre_compile(),
    or a glibc crash with a message such as "pcretest: free(): invalid next
    size (fast)". Examples of patterns that provoked this bug (shown in
    pcretest format) are:

      /(?-x: )/x
      /(?x)(?-x: \s*#\s*)/
      /((?i)[\x{c0}])/8
      /(?i:[\x{c0}])/8

    HOWEVER: Change 17 below makes this fix obsolete as the memory computation
    is now done differently.

Acknowledgements:

Red Hat would like to thank Ludwig Nussel for reporting this issue.
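
The following triage sketch is an added example, not code from PCRE or from this bug report. It flags application regexes that change `x` inline, or `i` inline in UTF-8 mode (the constructs the changelog entry names), so they can be reviewed on hosts still running PCRE older than 7.0. The function names are hypothetical, and `\Q...\E` quoting is not handled.

```python
import re

# PCRE inline option group: (?flags), (?flags-flags) or (?-flags), closed by
# ')' (applies to the rest of the group) or ':' (scoped form).
_OPTION_GROUP = re.compile(r"\(\?([imsxJUX]*)(?:-([imsxJUX]+))?([:)])")


def inline_option_changes(pattern):
    """Return [(offset, set_flags, unset_flags)] for each inline option
    group, ignoring escaped characters and character-class contents."""
    changes, i, n, in_class = [], 0, len(pattern), False
    while i < n:
        ch = pattern[i]
        if ch == "\\":              # escaped char: never starts a group
            i += 2
        elif in_class:
            in_class = ch != "]"
            i += 1
        elif ch == "[":
            in_class = True
            i += 1
            if pattern[i:i + 1] == "^":
                i += 1
            if pattern[i:i + 1] == "]":   # leading ']' is a literal
                i += 1
        else:
            m = _OPTION_GROUP.match(pattern, i)
            if m and (m.group(1) or m.group(2)):   # skip plain (?:...)
                changes.append((i, m.group(1), m.group(2) or ""))
                i = m.end()
            else:
                i += 1
    return changes


def risky_option_changes(pattern, utf8=False):
    """Offsets where x changes inline, or i changes inline in UTF-8 mode."""
    hits = []
    for offset, set_f, unset_f in inline_option_changes(pattern):
        touched = set(set_f) | set(unset_f)
        if "x" in touched:
            hits.append((offset, "x"))
        if utf8 and "i" in touched:
            hits.append((offset, "i"))
    return hits
```

Pass the pattern body without the pcretest delimiters, and set `utf8=True` for patterns compiled with the `/8` modifier. A hit means the pattern uses the affected construct, not that it is known to overflow.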
Comment 5 Mark J. Cox (Product Security) 2007-11-28 05:08:59 EST
Now public via SUSE advisory, removing embargo
Comment 10 Red Hat Product Security 2008-01-11 12:34:02 EST
This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2007-1059.html
  http://rhn.redhat.com/errata/RHSA-2007-1068.html
