Vigil@nce: PCRE, buffer overflow via an option
July 2008 by Vigil@nce
SYNTHESIS
When an attacker can change the regular expression used by a program,
he can corrupt its memory, for example in order to execute code.
Gravity: 1/4
Consequences: user access/rights, denial of service
Provenance: document
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 03/07/2008
Identifier: VIGILANCE-VUL-7926
IMPACTED PRODUCTS
– Fedora [confidential versions]
– Unix - platform
DESCRIPTION
The PCRE library implements Perl-compatible regular expressions
(which differ from POSIX regular expressions).
An option, such as "i" to ignore character case, can be added
at the beginning of the expression. For example:
/(?i)a|b/
However, if the expression has several branches, the size of a
branch is incorrectly computed, which leads to a heap overflow.
When an attacker can change the regular expression used by a program,
he can thus execute code.
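Added example (not part of the Vigil@nce bulletin or of PCRE): a conservative C pre-filter that a program accepting untrusted patterns could run before passing them to an unpatched PCRE, rejecting patterns with the shape described above (a leading option setting followed by alternation). The function names are hypothetical and the set of option letters is an assumption; the check is a heuristic stopgap built only from this description and does not replace the vendor update.

```c
#include <stdbool.h>
#include <string.h>

/* Length of a leading option setting such as "(?i)" or "(?im-x)", else 0.
 * "(?i:...)" and "(?:...)" are groups, not option settings: returns 0.
 * Assumption: the option letters are i, m, s, x, J, U, X and '-'. */
static size_t leading_option_len(const char *p)
{
    size_t i = 2;
    if (p[0] != '(' || p[1] != '?')
        return 0;
    while (p[i] != '\0' && strchr("imsxJUX-", p[i]) != NULL)
        i++;
    return (i > 2 && p[i] == ')') ? i + 1 : 0;
}

/* True if an unescaped '|' occurs outside a character class. Conservative:
 * a '|' inside a group or comment counts too. */
static bool has_alternation(const char *p)
{
    bool in_class = false;
    for (size_t i = 0; p[i] != '\0'; i++) {
        if (p[i] == '\\' && p[i + 1] == 'Q') {      /* \Q...\E literal run */
            const char *end = strstr(p + i + 2, "\\E");
            if (end == NULL)
                return false;                       /* quoted to the end */
            i = (size_t)(end - p) + 1;              /* land on the 'E' */
        } else if (p[i] == '\\') {
            if (p[i + 1] != '\0')
                i++;                                /* skip escaped char */
        } else if (in_class) {
            in_class = (p[i] != ']');
        } else if (p[i] == '[') {
            in_class = true;
            if (p[i + 1] == '^') i++;
            if (p[i + 1] == ']') i++;               /* leading ']' is literal */
        } else if (p[i] == '|') {
            return true;
        }
    }
    return false;
}

/* Hypothetical helper: true if the pattern has the shape the advisory names. */
bool matches_advisory_shape(const char *pattern)
{
    size_t n = leading_option_len(pattern);
    return n > 0 && has_alternation(pattern + n);
}
```

A caller would refuse to compile any untrusted pattern for which matches_advisory_shape() returns true; the bulletin's own example "(?i)a|b" is rejected, while "(?i)ab" and "a|b" pass.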
CHARACTERISTICS
Identifiers: 452079, CVE-2008-2371, FEDORA-2008-6025,
FEDORA-2008-6048, VIGILANCE-VUL-7926