Tim Burress wrote:
> On 01/27/2016 08:29 AM, Bruce Dubbs wrote:
>> Should we add pcre to LFS? Both less and grep can use it and the only
>> optional dependency is valgrind.
>
> For what it's worth, and even though I include PCRE in my system, it seems
> to me that the split between LFS and BLFS is a good one. Having a simple
> core with as few moving parts as is practical, but then giving people the
> freedom/instructions to expand beyond that as needed, is a great design.
> And PCRE is complex enough that it features in a fair number of
> vulnerabilities (for a recent one see CVE-2016-1283).

Interesting. I took a look at the vulnerability, but don't understand the
impact analysis:

The pcre_compile2 function in pcre_compile.c in PCRE 8.38 mishandles the
/((?:F?+(?:^(?(R)a+\"){99}-))(?J)(?'R'(?'R'<((?'RR'(?'R'\){97)?J)?J)(?'R'(?'R'\){99|(:(?|(?'R')(\k'R')|((?'R')))H'R'R)(H'R))))))/
pattern and related patterns with named subgroups, which allows remote
attackers to cause a denial of service (heap-based buffer overflow) or
possibly have unspecified other impact via a crafted regular expression,
as demonstrated by a JavaScript RegExp object encountered by Konqueror.

They specify 'Attack Vector (AV): Network' but pcre does no network
activity. That's in konqueror or possibly one of the other applications
like postfix or apache or php that can use pcre, not less or grep in LFS.
If we build one of those apps in BLFS, we are likely to build pcre there
for those packages. The location of pcre in LFS or BLFS does not seem to
be significant.

One reference I found: Vulnerable Systems: PCRE before 8.38, but that's
for CVE-2015-8384.

I did do a quick test:
cat > test.php << EOF
<?php
preg_match("/((?:F?+(?:^(?(R)a+\"){99}-))(?J)(?'R'(?'R'<((?'RR'(?'R'\){97)?J)?J)(?'R'(?'R'\){99|(:(?|(?'R')(\k'R')|((?'R')))H'R'R)(H'R))))))/","WenGuanxing");
?>
EOF
$ php test.php
*** Error in `php': double free or corruption (!prev): 0x0000000001dc9460 ***

I see at https://bugs.exim.org/show_bug.cgi?id=1767 that they are not
concerned because they say 'The latest PCRE1 release (8.38) came out in
November, so there will not be another one for some months.'

Does anyone know if PCRE2 is a drop-in replacement for PCRE?

-- Bruce