Re: 4.0a3 - Two Regular Expression Libraries? -- We need your input!
- Posted by jeremy (admin) Mar 16, 2009
- 1226 views
^ That, I would like to see. I have seen exploits used as an example of why not to use PCRE several times, yet no one can show me an example of one of these 3 exploits. Where are they documented in detail?
CoJaBo, yes, they are. I do not store the security emails I get from Debian or FreeBSD. I address them on my system and then remove them. I am sure they are searchable online at Debian's site. It's not at all out of the question that a buffer overrun can do this; it happens to thousands of products every single day. We have shown you on IRC some detailed explanations of this, but none have gone into such detail as reproducing code to exploit, thus you have denied their existence.
Buffer overruns are serious business and they exist in almost any C application; why is it so hard to believe? However, please do as I have said many times on IRC: search the Debian security archives, it's there. They have specifically stated that a patch has been released for PCRE to prevent buffer overruns and execution of system commands. I get an email like this normally 1-2 times a week from Debian. Is it so hard to believe that it might have happened to PCRE 3 times in the last year?
Jeremy