On Mon, Aug 03, 2020 at 11:16:40AM +0200, Thomas Klausner via Pcre-dev wrote:
> Hi!
>
> In 2017 there was a CVE assigned against pcre 8.41:
>
> https://www.openwall.com/lists/oss-security/2017/07/11/3
>
> > In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c
> > allows stack exhaustion (uncontrolled recursion) when processing a crafted
> > regular expression.
>
> I read the Changelogs and the commit messages for the file mentioned,
> but I couldn't clearly see if this is fixed or not. Does someone know?

A stack exhaustion in PCRE that uses a recursion-based algorithm is not a bug
and it was not fixed in any way. Please read the pcrestack(3) manual page for
more details, including possible mitigations.

-- Petr
-- ## List details at https://lists.exim.org/mailman/listinfo/pcre-dev
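
An added illustration, not code from PCRE or from this thread: a simplified C model of the kind of recursion limit that pcrestack(3) describes (in PCRE 8.x, the `match_limit_recursion` field of `pcre_extra`). The matcher, the function names and the return codes are hypothetical; it shows nesting depth growing linearly with the subject and a caller-set cap turning that into an error return instead of a stack overflow.

```c
#include <stdio.h>
#include <string.h>

enum { MATCH_FAIL = 0, MATCH_OK = 1, ERR_DEPTH_LIMIT = -1 }; /* hypothetical codes */

struct limits {
    unsigned long depth_limit; /* caller-chosen cap on nesting */
    unsigned long max_depth;   /* deepest nesting actually reached */
};

/* Models ^(a|b)*TAIL$ : every iteration of the group is one nested call, so
 * stack use grows linearly with the number of repeated characters matched. */
static int match_rep(const char *s, const char *tail, unsigned long depth,
                     struct limits *lim)
{
    if (depth > lim->depth_limit)
        return ERR_DEPTH_LIMIT;            /* stop cleanly instead of overflowing */
    if (depth > lim->max_depth)
        lim->max_depth = depth;
    if (*s == 'a' || *s == 'b') {
        int rc = match_rep(s + 1, tail, depth + 1, lim); /* greedy: one more iteration */
        if (rc != MATCH_FAIL)
            return rc;                     /* a match or the limit error propagates */
    }
    return strcmp(s, tail) == 0 ? MATCH_OK : MATCH_FAIL; /* backtrack: try the tail */
}

/* Entry point: returns MATCH_OK, MATCH_FAIL or ERR_DEPTH_LIMIT. */
int limited_match(const char *subject, const char *tail,
                  unsigned long depth_limit, unsigned long *max_depth)
{
    struct limits lim = { depth_limit, 0 };
    int rc = match_rep(subject, tail, 0, &lim);
    if (max_depth)
        *max_depth = lim.max_depth;
    return rc;
}

int main(void)
{
    static char big[5002];                 /* constructed subject: 5000 x 'a' + "c" */
    unsigned long d;
    memset(big, 'a', 5000);
    big[5000] = 'c';
    int rc = limited_match(big, "c", 1000, &d);
    printf("limit 1000: rc=%d deepest=%lu\n", rc, d);
    rc = limited_match(big, "c", 6000, &d);
    printf("limit 6000: rc=%d deepest=%lu\n", rc, d);
    return 0;
}
```

The cap has to be sized against the stack actually available to the calling thread; a limit larger than the stack can hold gives no protection.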