pcre: CVE consolidation

Package(s): pcre
CVE #(s): CVE-2005-4872 CVE-2006-7227 CVE-2006-7224
Created: November 15, 2007
Updated: May 13, 2008
Description: PCRE has flaws in the way it handles malformed regular expressions. If an application linked against PCRE, such as Konqueror, encounters a maliciously created regular expression, it may be possible to run arbitrary code. Vulnerabilities CVE-2005-4872 and CVE-2006-7227 have been combined into CVE-2006-7224.
Alerts:
Gentoo 200805-11 2008-05-12
Debian DSA-1570-1 2008-05-06
Mandriva MDVSA-2008:030 2008-01-31
SuSE SUSE-SA:2008:004 2008-01-29
Gentoo 200711-30 2007-11-20
SuSE SUSE-SA:2007:062 2007-11-23
Red Hat RHSA-2007:1052-02 2007-11-15

pcre: CVE consolidation

Posted Nov 29, 2007 12:03 UTC (Thu) by jfj (guest, #37917) [Link]

Duh! Does "konqueror" use regular expressions from the internet or does it have a standard set of
builtin regular expressions created by its programmers?

I think that there is NO program that uses untrusted regexps. For one, it would be easy to DoS
a machine with a simple recursive repetitioner! It is the same as saying that "a C compiler
is a security vulnerability because it can lead to the execution of code".

NOBODY DOES THAT. Please. Not every buffer overflow is a security vulnerability!

pcre: CVE consolidation

Posted Nov 29, 2007 16:32 UTC (Thu) by nix (subscriber, #2304) [Link]

Well, it would let you parlay the (obviously always possible) DoS attack 
into an arbitrary code execution.

So this is, in a sense, a security vulnerability, if PCRE is used in a 
really, really stupid way.

pcre: CVE consolidation

Posted Nov 29, 2007 20:28 UTC (Thu) by jfj (guest, #37917) [Link]

That is "ability to shoot self in the foot" :)

Seriously, I wish alerts would be categorized as follows:

1) Affects single-user systems with data fed from network (for example libpng, xpdf, firefox
vulns)
2) Affects multi-user systems with untrusted users who are always looking for a way to hack
the root (tempfile permissions, local kernel DoS, etc)
3) Affects people who do stupid things anyway and are not exploitable unless the attacker
knows that the user is going to do the stupid thing.

It would make it easier to see through the noise.

pcre: CVE consolidation

Posted Feb 5, 2008 8:21 UTC (Tue) by robbe (guest, #16131) [Link]

> Does "konqueror" use regular expressions from the internet [...]?

For konqueror this seems far-fetched, but maybe the JavaScript engine uses PCRE?

> NOBODY DOES THAT.

Be more imaginative, think web-applications! php offers PCRE. It also limits the runtime of a
script, so a DoS is not that devastating (admins may not even notice). Code execution is much
worse.


pcre: CVE consolidation

Posted Dec 11, 2007 19:53 UTC (Tue) by kreutzm (subscriber, #4700) [Link]

First, according to MITRE, the CVEs haven't been combined, but rather CVE-2006-7224 has been split up. Secondly, both Debian Stable as well as Oldstable contain versions newer than those vulnerable, i.e. Debian is not affected.

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.