
Please Update PCRE Library ( unsafe vulnerabilities )

Posted: Sun Nov 17, 2019 5:09 am
by Tristano
As of PB 5.71 LTS, the current version of PCRE used for the Regular Expressions library is PCRE v8.30 (2012-02-04), which is known to contain serious security vulnerabilities.

[ EDIT 2020/02/27: Issue fixed: viewtopic.php?f=4&t=74685 ]

PCRE info obtained by running:


; Import the pcre_version() symbol from the PCRE copy that PureBasic links in.
; The empty library name makes the linker resolve it from PB's own static libs.
ImportC ""
  pb_pcre_version(void);
EndImport

; Creating a regular expression forces the RegEx library (and its PCRE) to be linked.
regex = CreateRegularExpression(#PB_Any, "")
; pcre_version() returns a pointer to an ASCII string such as "8.30 2012-02-04".
pcre_version = pb_pcre_version(0)
Debug PeekS(pcre_version, -1, #PB_Ascii)
A serious vulnerability has been found in PCRE version 8.37 and prior, which could allow for the execution of arbitrary code, as reported by the Center for Internet Security (CIS):
A vulnerability has been discovered in the PCRE Library, which could allow for arbitrary code execution. This vulnerability occurs because the library fails to perform adequate boundary-checks on user-supplied data. When the library writes to the compile_regex function, it writes more than the allocated block size causing a heap buffer overflow.

Successful exploitation of this vulnerability through a specially crafted or vulnerable expression could trigger this issue, resulting in the execution of arbitrary code, in the context of the user running the application, with failed attempts triggering denial-of-service conditions.
These security issues have been known for years, and the PCRE library has been fixed accordingly in 2015 (PCRE 8.37), but PureBasic is still using PCRE v8.30, which dates back to 2012. Since the RegEx library is one of the frequently used PB components, I hope that it will be updated soon. Personally, I'd feel uncomfortable distributing applications using the RegEx library knowing of this security issue, and even more so if the application is being created for a paying client. Besides, these security issues have been known for years, so there are really no justifications for continuing to use such an old version of PCRE.

The current PCRE library is lagging well behind the official upstream PCRE, which is currently at version 8.43 (2019-02-23), so a security update might also be a good occasion to benefit from new features and the many bug fixes since 2012.

https://www.pcre.org/original/changelog.txt
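An added helper (not part of the original post) for auditing a build the way the PB snippet above does by hand: it parses the "major.minor date" string that pcre_version() returns and flags anything older than the 8.37 fix quoted from the CIS advisory. The sample string is constructed to match the PB 5.71 output; the optional ctypes lookup of a system libpcre is a hypothetical extra that simply reports "not found" when no library is installed.

```python
import ctypes
import ctypes.util
import re
from typing import Optional, Tuple

# Version in which the compile_regex heap overflow described above was fixed.
FIXED_VERSION = (8, 37)

# Constructed sample in the format pcre_version() returns (and the PB snippet prints).
SAMPLE_PB_571_VERSION = "8.30 2012-02-04"

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\s+(\d{4}-\d{2}-\d{2}))?")


def parse_pcre_version(text: str) -> Tuple[int, int, Optional[str]]:
    """Split a pcre_version() string into (major, minor, release date or None)."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised pcre_version() string: {text!r}")
    return int(m.group(1)), int(m.group(2)), m.group(3)


def is_vulnerable(text: str) -> bool:
    """True when the bundled PCRE predates the 8.37 fix (i.e. 8.36 or older)."""
    major, minor, _ = parse_pcre_version(text)
    return (major, minor) < FIXED_VERSION


def live_pcre_version(library: str = "pcre") -> Optional[str]:
    """Hypothetical helper: ask the system libpcre (if any) for its version string.
    Returns None when no library is found. Note this reads the system copy, not the
    copy statically linked into a PB executable, which the PB snippet above reads."""
    path = ctypes.util.find_library(library)
    if path is None:
        return None
    lib = ctypes.CDLL(path)
    lib.pcre_version.restype = ctypes.c_char_p
    lib.pcre_version.argtypes = []
    return lib.pcre_version().decode("ascii")


if __name__ == "__main__":
    for label, ver in (("PB 5.71 bundled PCRE (sample)", SAMPLE_PB_571_VERSION),
                       ("system libpcre", live_pcre_version())):
        if ver is None:
            print(f"{label}: not found")
            continue
        status = "VULNERABLE (older than 8.37)" if is_vulnerable(ver) else "fixed"
        print(f"{label}: {ver} -> {status}")
```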

Re: Please Update PCRE Library ( unsafe vulnerabilities )

Posted: Sun Nov 17, 2019 6:33 am
by Little John
Ooops! :shock:
+ 10 from me.

Re: Please Update PCRE Library ( unsafe vulnerabilities )

Posted: Sun Nov 17, 2019 3:25 pm
by StarBootics
Little John wrote: Ooops! :shock:
+ 10 from me.
Indeed.

Re: Please Update PCRE Library ( unsafe vulnerabilities )

Posted: Sun Nov 17, 2019 8:45 pm
by davido
+1

Re: Please Update PCRE Library ( unsafe vulnerabilities )

Posted: Tue Nov 19, 2019 7:04 pm
by Sicro
+1

Re: Please Update PCRE Library ( unsafe vulnerabilities )

Posted: Tue Nov 19, 2019 7:19 pm
by IdeasVacuum
+1

Re: Please Update PCRE Library ( unsafe vulnerabilities )

Posted: Tue Nov 19, 2019 7:34 pm
by Mijikai
+1

Re: Please Update PCRE Library ( unsafe vulnerabilities )

Posted: Sat Nov 23, 2019 10:52 am
by NicTheQuick
+1

Re: Please Update PCRE Library ( unsafe vulnerabilities )

Posted: Wed Nov 27, 2019 3:14 pm
by marcoagpinto
+1

Re: Please Update PCRE Library ( unsafe vulnerabilities )

Posted: Wed Feb 26, 2020 2:43 pm
by Sicro
Will apparently be done in the next PB version:

Re: Please Update PCRE Library ( unsafe vulnerabilities )

Posted: Wed Feb 26, 2020 5:38 pm
by Little John
[image]