Wind River Support Network

Recommended Type: Patch

Security Advisory - PCRE - CVE-2008-2371

Released: Jul 1, 2008     Updated: Jul 1, 2008


When an option is specified at the start of a pattern, PCRE avoids
compiling it unnecessarily into the bytecode by passing it back up to
the caller as if it had been specified via the pcre_compile() options;
that is, /(?i)a|b/ is made equivalent to /a|b/i, because the latter is
somewhat easier to handle. This usually works, but when a pattern
contains multiple branches the new option is accidentally passed back
too far: in the size-calculation pass only the first branch gets the
new flag, whereas on the second compile pass the new flag is always
set. The result is a mismatch between the size-calculation pass and the
actual compilation pass, and PCRE overflows a heap buffer.

IDENTIFIER = WIND00126076
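
The size/emit mismatch described above can be modelled in a few lines of C. This is an added illustration, not PCRE or Wind River code: the byte costs (2 for a case-sensitive literal, 3 for a caseless one) and the names encode and compile_two_pass are assumptions made for the example. It shows a bounds-checked emit pass turning the disagreement between the passes into an error instead of a write past the buffer.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy model, not PCRE code. Assumed encoding: a literal costs 2 bytes
 * case-sensitively and 3 bytes caselessly (opcode + both cases). */
enum scope { FIRST_BRANCH_ONLY, ALL_BRANCHES };

/* Encode branches separated by '|'. With out == NULL this is the sizing
 * pass. Otherwise every write is checked against cap, and -1 is returned
 * instead of writing past the end of the buffer. */
long encode(const char *pat, int caseless, enum scope sc,
            unsigned char *out, size_t cap)
{
    size_t n = 0;
    int branch = 0;
    for (const char *p = pat; *p; p++) {
        if (*p == '|') { branch++; continue; }
        int ci = caseless && (sc == ALL_BRANCHES || branch == 0);
        size_t need = ci ? 3 : 2;
        if (out) {
            if (need > cap - n) return -1;   /* the two passes disagree */
            out[n] = ci ? 'I' : 'C';         /* constructed opcodes */
            out[n + 1] = (unsigned char)*p;
            if (ci) out[n + 2] = (unsigned char)(*p ^ 0x20); /* other ASCII case */
        }
        n += need;
    }
    return (long)n;
}

/* Size the output with one option scope and emit with another. */
long compile_two_pass(const char *pat, enum scope size_sc, enum scope emit_sc)
{
    unsigned char buf[64];
    long size = encode(pat, 1, size_sc, NULL, 0);
    if (size < 0 || (size_t)size > sizeof buf) return -1;
    return encode(pat, 1, emit_sc, buf, (size_t)size);
}

int main(void)
{
    /* "a|b" stands for the body of /(?i)a|b/ once the option is lifted out. */
    printf("consistent: %ld\n", compile_two_pass("a|b", ALL_BRANCHES, ALL_BRANCHES));
    printf("mismatched: %ld\n", compile_two_pass("a|b", FIRST_BRANCH_ONLY, ALL_BRANCHES));
    return 0;
}
```
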

Product Version

Linux Platforms 2.0, Linux Platforms 1.x


Installation Notes

Installation notes for 1.4, 1.5 and 2.0

1. Unzip the patch under [install_dir]/updates

2. Install the patch CD by entering the patch CD directory and running setup_linux.

3. This is a source-only patch, so you will have to build the kernel.

4. Issue a make fs and make the kernel in a configured directory.

5. Upload the kernel and rootfs into the target and boot it up.
