 Post subject: Please Update PCRE Library ( unsafe vulnerabilities )
PostPosted: Sun Nov 17, 2019 5:09 am 
As of PB 5.71 LTS, the current version of PCRE used for the Regular Expressions library is PCRE v8.30 (2012-02-04), which is known to contain serious security vulnerabilities.

[ EDIT 2020/02/27: Issue fixed: viewtopic.php?f=4&t=74685 ]

PCRE info obtained by running:

Code:
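; Import the version function of the PCRE build bundled with PureBasic.
ImportC ""
  pb_pcre_version(void);
EndImport

; Use the RegularExpression library so that PCRE is linked into the program.
regex = CreateRegularExpression(#PB_Any, "")
; The function returns a pointer to an ASCII string holding version and date.
pcre_version = pb_pcre_version(0)
Debug PeekS(pcre_version, -1, #PB_Ascii)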


A serious vulnerability has been found in PCRE version 8.37 and prior, which could allow for the execution of arbitrary code, as reported by the Center for Internet Security (CIS):

Quote:
A vulnerability has been discovered in the PCRE Library, which could allow for arbitrary code execution. This vulnerability occurs because the library fails to perform adequate boundary-checks on user-supplied data. When the library writes to the compile_regex function, it writes more than the allocated block size causing a heap buffer overflow.

Successful exploitation of this vulnerability through a specially crafted or vulnerable expression could trigger this issue, resulting in the execution of arbitrary code, in the context of the user running the application, with failed attempts triggering denial-of-service conditions.


These security issues have been known for years, and the PCRE library has been fixed accordingly in 2015 (PCRE 8.37), but PureBasic is still using PCRE v8.30, which dates back to 2012. Since the RegEx library is one of the frequently used PB components, I hope that it will be updated soon. Personally, I'd feel uncomfortable distributing applications using the RegEx library knowing of this security issue, and even more so if the application is being created for a paying client. Besides, these security issues have been known for years, so there are really no justifications for continuing to use such an old version of PCRE.

The current PCRE library is lagging well behind the official upstream PCRE, which is currently at version 8.43 (2019-02-23), so a security update might also be a good occasion to benefit from new features and the many bug fixes since 2012.

https://www.pcre.org/original/changelog.txt

Last edited by Tristano on Thu Feb 27, 2020 2:29 am, edited 1 time in total.
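
Added example, not part of the original post and not PureBasic or PCRE project code: a heuristic audit that scans an already built executable for the version text that the snippet above prints at run time, and flags anything at or below the 8.37 threshold named in the post. It assumes the version literal ("8.30 2012-02-04" style) is stored as plain ASCII in the binary; the function names and the sample bytes are constructed for illustration.

```python
import re
import sys

# Threshold taken from the post: "PCRE version 8.37 and prior".
LAST_AFFECTED = (8, 37)

# Assumption: the binary contains the literal that pcre_version() returns,
# "<major>.<minor> <yyyy-mm-dd>", optionally with a pre-release tag (-RC1).
VERSION_RE = re.compile(
    rb"(?<![0-9.])(\d{1,2})\.(\d{2})(?:-[A-Za-z0-9]+)? (\d{4}-\d{2}-\d{2})(?![0-9])"
)


def find_pcre_versions(blob):
    """Return sorted, de-duplicated (major, minor, date) tuples found in bytes."""
    hits = set()
    for m in VERSION_RE.finditer(blob):
        hits.add((int(m.group(1)), int(m.group(2)), m.group(3).decode("ascii")))
    return sorted(hits)


def audit(blob):
    """Report each candidate version and whether it is at or below the threshold."""
    return [
        {
            "version": f"{major}.{minor:02d}",
            "date": date,
            "affected": (major, minor) <= LAST_AFFECTED,
        }
        for major, minor, date in find_pcre_versions(blob)
    ]


# Constructed sample: a fake binary fragment embedding the string from the post.
SAMPLE = b"\x7fELF\x00\x01padding\x008.30 2012-02-04\x00CreateRegularExpression\x00"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, audit(fh.read()))
    else:
        print("constructed sample", audit(SAMPLE))
```

A match is only a candidate: any string of the same shape is reported, so confirm a hit against the program's actual dependencies before acting on it.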

 Post subject: Re: Please Update PCRE Library ( unsafe vulnerabilities )
PostPosted: Sun Nov 17, 2019 6:33 am 
Ooops! :shock:
+ 10 from me.

 Post subject: Re: Please Update PCRE Library ( unsafe vulnerabilities )
PostPosted: Sun Nov 17, 2019 3:25 pm 
Little John wrote:
Ooops! :shock:
+ 10 from me.


Indeed.

 Post subject: Re: Please Update PCRE Library ( unsafe vulnerabilities )
PostPosted: Sun Nov 17, 2019 8:45 pm 
+1

 Post subject: Re: Please Update PCRE Library ( unsafe vulnerabilities )
PostPosted: Tue Nov 19, 2019 7:04 pm 
+1

 Post subject: Re: Please Update PCRE Library ( unsafe vulnerabilities )
PostPosted: Tue Nov 19, 2019 7:19 pm 
+1

 Post subject: Re: Please Update PCRE Library ( unsafe vulnerabilities )
PostPosted: Tue Nov 19, 2019 7:34 pm 
+1


 Post subject: Re: Please Update PCRE Library ( unsafe vulnerabilities )
PostPosted: Sat Nov 23, 2019 10:52 am 
+1

 Post subject: Re: Please Update PCRE Library ( unsafe vulnerabilities )
PostPosted: Wed Nov 27, 2019 3:14 pm 
+1


 Post subject: Re: Please Update PCRE Library ( unsafe vulnerabilities )
PostPosted: Wed Feb 26, 2020 2:43 pm 
Will apparently be done in the next PB version:


 Post subject: Re: Please Update PCRE Library ( unsafe vulnerabilities )
PostPosted: Wed Feb 26, 2020 5:38 pm 
Image
