[3.7] pcre: match() stack overflow (CVE-2017-16231) (#8139) · Issues · alpine / aports

[3.7] pcre: match() stack overflow (CVE-2017-16231)

In PCRE 8.41, after compiling, a pcretest load test PoC produces a crash overflow
in the function match() in pcre_exec.c because of a self-recursive call.

References:

http://openwall.com/lists/oss-security/2017/11/01/3
http://seclists.org/oss-sec/2017/q4/164

(from redmine: issue id 8139, created on 2017-11-14, closed on 2017-12-07)

Relations:
- parent #8138 (closed)
Changesets:
- Revision 62cf5b82 by Natanael Copa on 2017-12-04T09:00:29Z:

main/pcre: add secfixes comment for CVE-2017-16231

We are not affected by CVE-2017-16231 due to our build with
--with-match-limit-recursion=8192. We had this option since first
commit, version 7.8, and were never affected.

fixes #8139

To upload designs, you'll need to enable LFS and have admin enable hashed storage. More information