[ EDIT 2020/02/27 — Issue fixed: viewtopic.php?f=4&t=74685 ]
PRCE info obtained by running:
Code: Select all
ImportC ""
pb_pcre_version(void);
EndImport
regex = CreateRegularExpression(#PB_Any, "")
pcre_version = pb_pcre_version(0)
Debug PeekS(pcre_version, -1, #PB_Ascii)These security issues have been know for years, and the PCRE library has been fixed accordingly in 2015 (PCRE 8.37), but PureBasic is still using PCRE v8.30, which dates back to 2012. Since the RegEx library is one of the frequently used PB components, I hope that it will be updated soon. Personally, I'd feel uncomfortable distributing applications using the RegEx library knowing of this security issue, and even more so if the application is being created for a paying client. Besides, these security issues have been known for years, so there are really no justifications for keeping using such an old version of PCRE.A vulnerability has been discovered in the PCRE Library, which could allow for arbitrary code execution. This vulnerability occurs because the library fails to perform adequate boundary-checks on user-supplied data. When the library writes to the compile_regex function, it writes more than the allocated block size causing a heap buffer overflow.
Successful exploitation of this vulnerability through a specially crafted or vulnerable expression could trigger this issue, resulting in the execution of arbitrary code, in the context of the user running the application, with failed attempts triggering denial-of-service conditions.
The current PCRE library is lagging well behind the official upstream PCRE, which is currently at version 8.43 (2019-02-23), so a security update might also be a good occasion to benefit from new features and the many bug fixes since 2012.
https://www.pcre.org/original/changelog.txt
