[erlang-patches] patch for CVE-2008-2371
Björn Gustavsson
bgustavsson@REDACTED
Thu Feb 11 08:14:48 CET 2010
On Wed, Feb 10, 2010 at 11:34 PM, Michael Santos
<michael.santos@REDACTED> wrote:
>
> Running the following code will crash the emulator:
>
> re:compile(<<"(?i)[\xc3\xa9\xc3\xbd]|[\xc3\xa9\xc3\xbdA]">>, [unicode]).
>
> Erlang uses PCRE 7.6. This issue was identified as CVE-2008-2371 and
> was fixed in PCRE 7.8.
>
> A patch can be found here:
>
> git fetch git://github.com/msantos/otp.git pcre-CVE-2008-2371
>
Thanks! Will include in pu.
I amended your commit to include the following test case:
diff --git a/lib/stdlib/test/re_SUITE.erl b/lib/stdlib/test/re_SUITE.erl
index fa50ba3..02683f9 100644
--- a/lib/stdlib/test/re_SUITE.erl
+++ b/lib/stdlib/test/re_SUITE.erl
@@ -18,12 +18,12 @@
%%
-module(re_SUITE).
--export([all/1,
pcre/1,compile_options/1,run_options/1,combined_options/1,replace_autogen/1,global_capture/1,replace_input_types
+-export([all/1,
pcre/1,compile_options/1,run_options/1,combined_options/1,replace_autogen/1,global_capture/1,replace_input_types
-include("test_server.hrl").
-include_lib("kernel/include/file.hrl").
-all(suite) -> [pcre,compile_options,run_options,combined_options,replace_autogen,global_capture,replace_input_types,replace_retu
+all(suite) -> [pcre,compile_options,run_options,combined_options,replace_autogen,global_capture,replace_input_types,replace_retu
pcre(doc) ->
["Run all applicable tests from the PCRE testsuites."];
@@ -538,3 +538,9 @@ error_handling(Config) when is_list(Config) ->
?t:timetrap_cancel(Dog),
ok.
+pcre_cve_2008_2371(doc) ->
+ "Fix as in http://vcs.pcre.org/viewvc?revision=360&view=revision";
+pcre_cve_2008_2371(Config) when is_list(Config) ->
+ %% Make sure it doesn't crash the emulator.
+ re:compile(<<"(?i)[\xc3\xa9\xc3\xbd]|[\xc3\xa9\xc3\xbdA]">>, [unicode]),
+ ok.
> Does the Erlang/OTP team have a policy on security advisories, so users
> and package maintainers can evaluate their risk?
I don't really understand that question, so I assume that the answer is no.
--
Björn Gustavsson, Erlang/OTP, Ericsson AB
More information about the erlang-patches
mailing list