Buffer overflow in the PCRE regular expression library
A vulnerability in the Perl 5 Compatible Regular Expression Library (PCRE) may make it possible for attackers to execute arbitrary malicious code from programs that use the library. According to an entry in the Gentoo bug database, which initially reported the vulnerability, compilation of regular expressions with multiple branches into the bytecode can cause a buffer overflow on the heap. This usually results in the program crashing, but might also be used to inject malicious code.
The PCRE library is widely used in the open source world – it is used extensively in glibc, PHP, Apache, Postfix, Exim4 and the KDE desktop-environment, for instance. A necessary condition for exploiting the vulnerability, however, is that the application compiles regular expressions from user entries. The problem was discovered in PCRE 7.7, but older versions are likely affected as well. There is still no official update.
(trk)