The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

vulnerability alert CVE-2007-1659 CVE-2007-1660 CVE-2007-1661

Perl, PCRE: vulnerabilities of regular expressions

Synthesis of the vulnerability

When an attacker can change the regular expression used by a program, he can corrupt its memory in order, for example, to execute code.
Impacted products: Debian, Fedora, Tru64 UNIX, AIX, Mandriva Linux, Mandriva NF, NLD, OES, openSUSE, Solaris, Perl Core, PHP, RHEL, Snort, SLES, Unix (platform) ~ not comprehensive, ESX.
Severity of this bulletin: 2/4.
Consequences of an intrusion: user access/rights, denial of service on service.
Hacker's origin: document.
Number of vulnerabilities in this bulletin: 8.
Creation date: 05/11/2007.
Revision date: 06/11/2007.
References of this threat: 231524, 315871, 315881, 323571, 6629836, BID-26346, BID-26350, c01362465, CERTA-2007-AVI-481, CERTA-2008-AVI-053, CERTA-2008-AVI-239, CVE-2007-1659, CVE-2007-1660, CVE-2007-1661, CVE-2007-1662, CVE-2007-4766, CVE-2007-4767, CVE-2007-4768, CVE-2007-5116, DSA-1399-1, DSA-1400-1, DSA-1570-1, FEDORA-2007-2944, FEDORA-2007-3255, FEDORA-2007-748, HPSBTU02311, IZ10220, IZ10244, IZ10245, MDKSA-2007:207, MDKSA-2007:211, MDKSA-2007:212, MDKSA-2007:213, RHSA-2007:0966-01, RHSA-2007:0967-01, RHSA-2007:0968-01, RHSA-2007:1011-01, RHSA-2007:1063-01, RHSA-2007:1065-01, RHSA-2007:1068-01, RHSA-2007:1126-01, RHSA-2008:0546-01, RHSA-2010:0602-02, SSRT080001, SUSE-SA:2007:062, SUSE-SA:2008:004, SUSE-SR:2007:024, SUSE-SR:2007:025, VIGILANCE-VUL-7311, VMSA-2008-0001, VMSA-2008-0001.1, VMSA-2008-0007, VMSA-2008-0007.1, VMSA-2008-0007.2.

Description of the vulnerability

The PCRE library implements Perl-compatible regular expressions (as opposed to POSIX ones). Several vulnerabilities affect this type of regular expression.

A Perl regular expression can contain "\L...\E" to convert to lowercase, "\U...\E" to convert to uppercase and "\Q...\E" to disable metacharacters. However, the "\Q...\E" case is not correctly handled, which desynchronizes the regular expression engine and corrupts its memory. [severity:2/4; 315871, BID-26346, CVE-2007-1659]

The "[...]" brackets define character classes. In some cases, the memory allocated to store them is too short, which corrupts memory. [severity:2/4; 315881, BID-26346, CVE-2007-1660]

The "\X" sequence matches extended Unicode characters. The "\pL" sequence matches lowercase letters. The "\d" sequence matches integers. By combining these sequences in non-UTF-8 mode, an attacker can read memory. [severity:2/4; BID-26346, CVE-2007-1661]

Several functions can read past the end of string searching for parentheses or brackets. [severity:2/4; BID-26346, CVE-2007-1662]

Several integer overflows can occur during the handling of escape sequences. [severity:2/4; BID-26346, CVE-2007-4766]

The "\PX" or "\P{X}" sequence matches the property X. Several infinite loops and overflows occur during the handling of these sequences. [severity:2/4; BID-26346, CVE-2007-4767]

When a string contains a unique Unicode sequence, an optimization is performed incorrectly and leads to an overflow. [severity:2/4; BID-26346, CERTA-2008-AVI-053, CVE-2007-4768]

The Perl regular expression compiler uses two phases: the first one computes the necessary size and the second one stores the data. However, by using Unicode characters, an attacker can make the second phase store more data than the size computed by the first. [severity:2/4; 323571, BID-26350, CERTA-2007-AVI-481, CVE-2007-5116]
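The two-phase design described above is only safe when both phases agree on the size. As an added illustration (a toy encoder, not Perl's or PCRE's code), the C below pairs a sizing pass that can under-count Unicode characters with a storing pass that checks every write against the allocated capacity. The names `measure`, `emit_checked` and `compile_pattern`, the sample pattern and the one-byte-per-character sizing mistake are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
/* Constructed sample pattern as code points: 'a', U+00E9, U+20AC. */
static const uint32_t SAMPLE[] = { 0x61, 0xE9, 0x20AC };
/* Bytes needed to store one code point as UTF-8 (1 to 4). */
static size_t utf8_len(uint32_t cp) {
    return cp < 0x80 ? 1 : cp < 0x800 ? 2 : cp < 0x10000 ? 3 : 4;
}
/* Pass 1: compute the buffer size. With as_unicode == 0 it assumes one
 * byte per character, the (assumed) mistake that makes pass 2 disagree. */
size_t measure(const uint32_t *cps, size_t n, int as_unicode) {
    size_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += as_unicode ? utf8_len(cps[i]) : 1;
    return total;
}

/* Pass 2, hardened: each write is checked against the capacity from
 * pass 1. Returns bytes written, or -1 when pass 1 under-counted. */
long emit_checked(const uint32_t *cps, size_t n, uint8_t *out, size_t cap) {
    static const uint8_t lead[] = { 0, 0, 0xC0, 0xE0, 0xF0 };
    size_t used = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t cp = cps[i];
        size_t need = utf8_len(cp);
        if (need > cap - used) return -1;   /* would write past the end */
        out[used] = (uint8_t)(lead[need] | (cp >> (6 * (need - 1))));
        for (size_t k = 1; k < need; k++)   /* continuation bytes, if any */
            out[used + k] = (uint8_t)(0x80 | ((cp >> (6 * (need - 1 - k))) & 0x3F));
        used += need;
    }
    return (long)used;
}

/* Size, allocate, store: the two-phase shape described in the bulletin. */
long compile_pattern(const uint32_t *cps, size_t n, int size_as_unicode) {
    size_t cap = measure(cps, n, size_as_unicode);
    uint8_t *buf = malloc(cap ? cap : 1);
    if (!buf) return -1;
    long written = emit_checked(cps, n, buf, cap);
    free(buf);
    return written;
}
int main(void) {
    printf("byte-sized: %ld, utf8-sized: %ld\n",
           compile_pattern(SAMPLE, 3, 0), compile_pattern(SAMPLE, 3, 1));
    return 0;
}
```

Without the capacity check in `emit_checked`, the byte-sized case would write six bytes into a three-byte allocation; with it, the mismatch is reported as an error instead.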

When an attacker can change the regular expression used by a program, he can thus corrupt its memory in order, for example, to execute code. In some cases, he can also read memory contents or create a denial of service.