patch for CVE-2008-2371

Michael Santos <>
Wed Feb 10 23:34:16 CET 2010


Running the following code will crash the emulator:

 re:compile(<<"(?i)[\xc3\xa9\xc3\xbd]|[\xc3\xa9\xc3\xbdA]">>, [unicode]).

Erlang uses PCRE 7.6. This issue was identified as CVE-2008-2371 and
was fixed in PCRE 7.8.

A patch can be found here:

 git fetch git://github.com/msantos/otp.git pcre-CVE-2008-2371

It is taken directly from:

 http://vcs.pcre.org/viewvc?revision=360&view=revision

Does the Erlang/OTP team have a policy on security advisories, so users
and package maintainers can evaluate their risk?




More information about the erlang-patches mailing list