pcre: CVE consolidation

Posted Nov 29, 2007 16:32 UTC (Thu) by nix (subscriber, #2304)
In reply to: pcre: CVE consolidation by jfj
Parent article: pcre: CVE consolidation

Well, it would let you parlay the (obviously always possible) DoS attack 
into an arbitrary code execution.

So this is, in a sense, a security vulnerability, if PCRE is used in a 
really, really stupid way.


pcre: CVE consolidation

Posted Nov 29, 2007 20:28 UTC (Thu) by jfj (guest, #37917)

That is "ability to shoot self in the foot" :)

Seriously, I wish alerts would be categorized as follows:

1) Affects single-user systems with data fed from network (for example libpng, xpdf, firefox vulns)
2) Affects multi-user systems with untrusted users who are always looking for a way to hack the root (tempfile permissions, local kernel DoS, etc)
3) Affects people who do stupid things anyway and are not exploitable unless the attacker knows that the user is going to do the stupid thing.

It would make it easier to see through the noise.
