Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <55C059F6.6050904@redhat.com>
Date: Tue, 4 Aug 2015 11:51:42 +0530
From: Huzaifa Sidhpurwala <huzaifas@...hat.com>
To: oss-security@...ts.openwall.com,
        Mitre CVE assign department <cve-assign@...re.org>
Cc: zdi-disclosures@...pingpoint.com
Subject: CVE Request: Information disclosure in pcre

Hi All,

It was reported that pcre_exec in PHP pcre extenstion partially
initialize a buffer when an invalid regex is processed, which can lead
to an arbitrary code execution.

https://bugs.exim.org/show_bug.cgi?id=1537

This patch has been committed upstream via:
http://vcs.pcre.org/pcre/code/trunk/pcre_exec.c?r1=1502&r2=1510

And is a part of upstream release pcre-8.37

This was initially reported by ZDI (ZDI-CAN-2547), but it seems there
was no follow-up.

Can a CVE id be please assigned to this issue?

-- 
Huzaifa Sidhpurwala / Red Hat Product Security Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.