[cvsnt] Re: Vulnerability in PCRE

Tony Hoyle tony.hoyle at march-hare.com
Mon Aug 22 15:30:51 BST 2005


Andreas Tscharner wrote:
> Hello,
> 
> http://www.securitytracker.com/alerts/2005/Aug/1014744.html
> 
> Does this affect CVSNT?
> 
Possibly (we use PCRE 5.0), but to trigger it you'd need write access to 
CVSROOT - ie. already have the ability to run arbitrary code on the 
server anyway.

On Unix builds the compile uses the libpcre on the system if it's 
available, so on those platforms it's up to the vendor.

On Windows it may not work anyway due to the heao overrun protection 
that visual studio adds.

The update looks nontrivial.. they've changed quite a bit.  It might 
have to wait until I'm back from my holidays in a week or so.

Tony



More information about the cvsnt mailing list