LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for December 4, 2008

KSM runs into patent trouble

Tux3: the other next-generation filesystem

LWN.net Weekly Edition for November 27, 2008

LWN.net Weekly Edition for November 20, 2008

Printable page
Weekly edition Kernel Security Distributions Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ

pcre: CVE consolidation

pcre: CVE consolidation

Posted Nov 29, 2007 12:03 UTC (Thu) by jfj (guest, #37917)
Parent article: pcre: CVE consolidation 

Duh! Does "konqueror" use regular expressions from the internet or it has a standard set of
builtin regular expressions created by its programmers?

I think that there is NO program that uses untrusted regexps. For one it would be easy to DoS
a machine with a simple recursive repetitioner! It is the same like saying that "a C compiler
is a security vunerability because it can lead to the execution of code".

NOBODY DOES THAT. Please. Not every buffer overflow is a security vunerability!

(Log in to post comments)

pcre: CVE consolidation

Posted Nov 29, 2007 16:32 UTC (Thu) by nix (subscriber, #2304) [Link] 

Well, it would let you parlay the (obviously always possible) DoS attack 
into an arbitrary code execution.

So this is, in a sense, a security vulnerability, if PCRE is used in a 
really, really stupid way.

pcre: CVE consolidation

Posted Nov 29, 2007 20:28 UTC (Thu) by jfj (guest, #37917) [Link] 

That is "ability to shoot self in the foot" :)

Seriously, I wish alerts would be categorized as follows:

1) Affects single-user systems with data fed from network (for example libpng, xpdf, firefox
vulns)
2) Affects multi-user systems with untrusted users who are always looking for a way to hack
the root (tempfile permissions, local kernel DoS, etc)
3) Affects people who do stupid things anyway and are not exploitable unless the attacker
knows that the user is going to do the stupid thing.

It would make it easier to see throught the noise.

pcre: CVE consolidation

Posted Feb 5, 2008 8:21 UTC (Tue) by robbe (guest, #16131) [Link] 

> Does "konqueror" use regular expressions from the internet [...]?

For konqueror this seems far-fetched, but maybe the JavaScript engine uses PCRE?

> NOBODY DOES THAT.

Be more imaginative, think web-applications! php offers PCRE. It also limits the runtime of a
script, so a DoS is not that devastating (admins may not even notice). Code execution is much
worse.

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds