Hi Ola,
On Wed, Mar 22, 2017 at 2:55 PM, Ola Lundqvist <ola@inguza.com> wrote:
> Hi
>
> I have not tried to reproduce this myself so I'm not sure.
>
> I suggest you also check the source code to see if the vulnerability is
> there but just some slightly different data.
That's where I've started, and found that Erlang in wheezy uses pretty old
libpcre (version 7.6), and its sources are very different from the 8.33
in sid. So, I've tried to find the offending regexp, and seems to find one
in PCRE sources (as one of the tests). It works fine in wheezy.
>
> If you are sure wheezy is not vulnerable then we can mark wheezy as not
> affected by this CVE.
I still can't reliably tell if the regexp I've found is the one which is tied to
CVE-2006-10253. Or it's another crash in PCRE in Erlang.
There are 4 pull requests which claim to fix some overflows (see
https://bugs.erlang.org/browse/ERL-208 for the list). The one explicitly
marked as fixing CVE-2006-10253 (https://github.com/erlang/otp/pull/1384 )
doesn't fix the crash with my regexp. Another patch
(https://github.com/erlang/otp/pull/1108/files )
does fix the crash. Also, CVE itself contains a link to the last patch, so
probably that's it. In this case wheezy isn't vulnerable (backport is, I'll
deal with it later).
Cheers!
--
Sergei Golovan