[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: reproducing the recent PCRE issues


I've tried to reproduce the PCRE3 issues from CVE-2017-7186.
CVE-2017-7244, CVE-2017-7245 and CVE-2017-7246 are similar fuzzing
attacks so this probably applies to those as well.

Thanks for looking at these. I fixed CVE-2017-7186 with upstream's patch in sid. It's unfortunate that upstream don't seem keen on referring to CVE numbers, but I think they correspond roughly thus:

CVE-2017-7186 - 2052 https://bugs.exim.org/show_bug.cgi?id=2052
CVE-2017-7244 - 2054 (upstream thinks duplicate of 2052 or 2044
CVE-2017-7245 - 2055
CVE-2017-7246 - 2057

So 2054 is either a duplicate of 2052 which we have fixed or 2044, which is in pcretest which we don't ship from PCRE3.

The latter 2 upstream describe as "fixed by recent patches", although it's not entirely clear to me which patches upstream means - pcre_get.c hasn't changed since r1651 if svn log is to be believed. And there aren't many plausible-looking commits since 8.40 was released - so I think upstream thinks these issues apply only to pcretest (which has had some patches since 8.40, but we don't ship in any case).

*If* that's correct, then we don't need to do any more for sid's pcre3, I think.



Reply to: