Heap-based buffer overflow in PCRE - CVE-2016-1283
Published: January 3, 2016 / Updated: August 3, 2020
PCRE
PCRE
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in The pcre_compile2 function in pcre_compile.c in PCRE 8.38 mishandles the /((?:F?+(?:^(?(R)a+"){99}-))(?J)(?'R'(?'R'<((?'RR'(?'R'){97)?J)?J)(?'R'(?'R'){99|(:(?|(?'R')(k'R')|((?'R')))H'R'R)(H'R))))))/ pattern and related patterns with named subgroups, which. A remote attacker can use a crafted regular expression to trigger heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Remediation
External links
- http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178193.html
- http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178955.html
- http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
- http://www.securityfocus.com/bid/79825
- http://www.securitytracker.com/id/1034555
- http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.343110
- https://access.redhat.com/errata/RHSA-2016:1132
- https://bto.bluecoat.com/security-advisory/sa128
- https://bugs.exim.org/show_bug.cgi?id=1767
- https://security.gentoo.org/glsa/201607-02
- https://www.tenable.com/security/tns-2016-18
- https://www.tenable.com/security/tns-2017-14