[erlang-patches] patch for CVE-2008-2371

Björn Gustavsson bgustavsson@REDACTED
Thu Feb 11 08:14:48 CET 2010


On Wed, Feb 10, 2010 at 11:34 PM, Michael Santos
<michael.santos@REDACTED> wrote:
>
> Running the following code will crash the emulator:
>
>  re:compile(<<"(?i)[\xc3\xa9\xc3\xbd]|[\xc3\xa9\xc3\xbdA]">>, [unicode]).
>
> Erlang uses PCRE 7.6. This issue was identified as CVE-2008-2371 and
> was fixed in PCRE 7.8.
>
> A patch can be found here:
>
>  git fetch git://github.com/msantos/otp.git pcre-CVE-2008-2371
>

Thanks! Will include in pu.

I amended your commit to include the following test case:

diff --git a/lib/stdlib/test/re_SUITE.erl b/lib/stdlib/test/re_SUITE.erl
index fa50ba3..02683f9 100644
--- a/lib/stdlib/test/re_SUITE.erl
+++ b/lib/stdlib/test/re_SUITE.erl
@@ -18,12 +18,12 @@
 %%
 -module(re_SUITE).

--export([all/1,
pcre/1,compile_options/1,run_options/1,combined_options/1,replace_autogen/1,global_capture/1,replace_input_types
+-export([all/1,
pcre/1,compile_options/1,run_options/1,combined_options/1,replace_autogen/1,global_capture/1,replace_input_types

 -include("test_server.hrl").
 -include_lib("kernel/include/file.hrl").

-all(suite) -> [pcre,compile_options,run_options,combined_options,replace_autogen,global_capture,replace_input_types,replace_retu
+all(suite) -> [pcre,compile_options,run_options,combined_options,replace_autogen,global_capture,replace_input_types,replace_retu

 pcre(doc) ->
     ["Run all applicable tests from the PCRE testsuites."];
@@ -538,3 +538,9 @@ error_handling(Config) when is_list(Config) ->
     ?t:timetrap_cancel(Dog),
     ok.

+pcre_cve_2008_2371(doc) ->
+    "Fix as in http://vcs.pcre.org/viewvc?revision=360&view=revision";
+pcre_cve_2008_2371(Config) when is_list(Config) ->
+    %% Make sure it doesn't crash the emulator.
+    re:compile(<<"(?i)[\xc3\xa9\xc3\xbd]|[\xc3\xa9\xc3\xbdA]">>, [unicode]),
+    ok.

> Does the Erlang/OTP team have a policy on security advisories, so users
> and package maintainers can evaluate their risk?

I don't really understand that question, so I assume that the answer is no.

-- 
Björn Gustavsson, Erlang/OTP, Ericsson AB


More information about the erlang-patches mailing list