oss-sec mailing list archives
Re: CVE-2017-16231: PCRE 8.41 match() stack overflow; CVE-2017-16232: LibTIFF 4.0.8 memory leaks
From: Agostino Sarubbo <ago () gentoo org>
Date: Wed, 01 Nov 2017 16:29:32 +0100
On Wednesday 1 November 2017 03:26:56 CET 旺仔 wrote:
[Suggested description]
In PCRE 8.41, after compiling, a pcretest load test PoC produces a crash overflow in the function match() in pcre_exec.c because of a self-recursive call.
------------------------------------------
[Vulnerability Type]
Buffer Overflow
------------------------------------------
[Vendor of Product]
Perl Compatible Regular Expressions
------------------------------------------
[Affected Product Code Base]
PCRE - 8.41
------------------------------------------
[Affected Component]
file:pcre_exec.c function match() line 983 and line 2061
------------------------------------------
[Attack Type]
Local
------------------------------------------
[Impact Denial of Service]
true
------------------------------------------
[Attack Vectors]
A crash file
------------------------------------------
[Discoverer]
ZHANG JIAWANG from cncert

Use CVE-2017-16231.

I guess that this bug is similar to, or the same as, the one described here:
https://bugs.exim.org/show_bug.cgi?id=2047

Based on the upstream comment I'd suggest to reject the CVE.

--
Agostino Sarubbo
Gentoo Linux Developer