I believe this is a duplicate the many other bugs in PCRE; basically
that it's possible to get stack overflows with certain regexes.
It's not a major security problem, in that I don't think you can get
arbitrary code execution by a stack overflow. It could possibly allow
DoS attacks in some cases.
There are a couple of compile time options for PCRE that can ameliorate
the problem. One allows a maximum recursion depth to be set, which
avoids seg faults (so long as the stack space is large enough) but
limits the regexes that can be used. The other stops it using recursion
in this way, instead allocating memory on the heap to store state that
would be on the stack in a recursive call.
I am thinking of using the latter option in the next version.
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
