Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20160327113907.GA4476@eldamar.local>
Date: Sun, 27 Mar 2016 13:39:07 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: oss-security@...ts.openwall.com
Cc: CVE Assignments MITRE <cve-assign@...re.org>
Subject: Re: CVE Request: pcre: Segmentation fault on certain
 input to regular expressions with nested alternatives when JIT is used

Hi,

On Sat, Mar 26, 2016 at 08:25:55AM +0100, Salvatore Bonaccorso wrote:
> Hi
> 
> In Debian the following issue was reported (test case contained)
> 
> https://bugs.debian.org/819050
> 
> 
> On certain input when processed for regular expressions with nested
> alternatives and JIT is used, pcre3 can segfault, affecting in this
> case suricata leading to at least a denial of service.
> 
> The problem was addressed upstream with commit:
> http://vcs.pcre.org/pcre?view=revision&revision=1475
> 
> Can you assign a CVE for this issue?

Additional information for this request: The issue seems to have been
introduced with http://vcs.pcre.org/pcre?view=revision&revision=1434
in 8.35.

Note that upstream of suricata tracks the issue in suricata in
conjunction with pcre 8.35 with
https://redmine.openinfosecfoundation.org/issues/1693
to issue a warning.

Regards,
Salvatore

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.