[erlang-patches] patch for CVE-2008-2371

Kenneth Lundin kenneth.lundin@REDACTED
Fri Feb 12 08:37:14 CET 2010


>
> Does the Erlang/OTP team have a policy on security advisories, so users
> and package maintainers can evaluate their risk?
>
Thanks for the patch.

I don't really understand what you mean by "policy on security
advisories". Please explain more.
I really want to learn if we have missed something important.

This was a bug in the pcre package that we use for the re module in Erlang.

As Erlang/OTP is a development system, the users can build any type of
system with it. And it is the user-built system that might be exposed to
security issues. We cannot make Erlang/OTP in a way that guarantees that
the system built by the user with Erlang/OTP does not have security issues
or cannot crash on certain input, etc.

Of course it is a very bad idea to let the external users of a system
freely create regular expressions which are used directly as parameters
to the re:compile function. And that is true even if there is no bug in
pcre. A complex regexp can for sure break the system anyway by consuming
memory or by taking a very long time to compile or to use in searches.

/Kenneth Erlang/OTP Ericsson
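The caveat above (never hand external input straight to re:compile, because even a bug-free pcre can be exhausted by a complex pattern) can be enforced by isolating the regex work. The following module is an added example written for this archive page; it is not code from the post or from Erlang/OTP. The module name safe_re, the time and heap limits, and the use of spawn_opt's max_heap_size option (available from OTP 19 on, so not in the 2010 releases discussed in the thread) are assumptions.

```erlang
%% Added example (not from the mailing-list post or from Erlang/OTP):
%% compile and run an untrusted pattern inside a throw-away process that
%% has a wall-clock timeout and a heap cap, so a pathological regexp can
%% neither stall the caller nor exhaust the node's memory.
%% Assumption: spawn_opt/2's max_heap_size option (OTP 19+) is available.
-module(safe_re).
-export([run/3, run/4]).

-define(DEFAULT_TIMEOUT_MS, 1000).
%% Heap cap in words; roughly 32 MB on a 64-bit VM (assumed limit).
-define(DEFAULT_MAX_HEAP_WORDS, 4 * 1024 * 1024).

%% run(Subject, Pattern, CompileOpts) -> {ok, RunResult} | {error, Reason}
%% Subject and Pattern are iodata (binaries or char lists).
run(Subject, Pattern, CompileOpts) ->
    run(Subject, Pattern, CompileOpts, ?DEFAULT_TIMEOUT_MS).

run(Subject, Pattern, CompileOpts, TimeoutMs) ->
    Parent = self(),
    Ref = make_ref(),
    %% The worker owns both compilation and matching. With kill => true the
    %% VM terminates it (exit reason 'killed') if its heap exceeds the cap,
    %% which is then reported back through the monitor.
    {Pid, MRef} = spawn_opt(
        fun() ->
            Res = case re:compile(Pattern, CompileOpts) of
                      {ok, MP} ->
                          {ok, re:run(Subject, MP, [{capture, all, list}])};
                      {error, E} ->
                          {error, {bad_pattern, E}}
                  end,
            Parent ! {Ref, Res}
        end,
        [monitor,
         {max_heap_size, #{size => ?DEFAULT_MAX_HEAP_WORDS,
                           kill => true,
                           error_logger => false}}]),
    receive
        {Ref, Res} ->
            %% Normal completion: drop the monitor and any queued 'DOWN'.
            erlang:demonitor(MRef, [flush]),
            Res;
        {'DOWN', MRef, process, Pid, Reason} ->
            %% Worker died before answering (e.g. heap cap hit).
            {error, {worker_died, Reason}}
    after TimeoutMs ->
        %% Too slow: kill the worker rather than let it keep running.
        erlang:demonitor(MRef, [flush]),
        exit(Pid, kill),
        {error, timeout}
    end.
```

Usage: `safe_re:run(<<"user=alice">>, <<"user=(\\w+)">>, [])` returns `{ok, {match, ["user=alice", "alice"]}}`, while a pattern that needs more than the heap cap or the timeout comes back as `{error, {worker_died, killed}}` or `{error, timeout}` instead of taking the caller down. The limits are deliberately per-call so a service can choose tighter values on the paths that accept input from outside.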