pcre3 (1:8.31-2ubuntu2.2) trusty-security; urgency=medium

  * SECURITY UPDATE: fix multiple security issues by applying patches
    from Debian jessie package:
    - 0001-Fix-overflow-when-ovector-has-size-1.patch
    - 794589-information-disclosure.patch
    - 0001-Fix-buffer-overflow-for-lookbehind-within-mutually-r.patch
    - 0001-Add-integer-overflow-check-to-n-code.patch
    - 0001-Fix-bug-for-classes-containing-sequences.patch
    - 0001-Fix-run-for-ever-bug-for-deeply-nested-sequences.patch
    - 0001-Make-pcregrep-q-override-l-and-c-for-compatibility-w.patch
    - 0001-Add-missing-integer-overflow-checks.patch
    - 0001-Fix-compile-time-loop-for-recursive-reference-within.patch
    - 0001-Fix-named-forward-reference-to-duplicate-group-numbe.patch
    - CVE-2015-2328, CVE-2015-8380, CVE-2015-8382, CVE-2015-8385,
      CVE-2015-8386, CVE-2015-8387, CVE-2015-8390, CVE-2015-8391,
      CVE-2015-8393, CVE-2015-8394
  * SECURITY UPDATE: denial of service via pattern containing (*ACCEPT)
    substring with nested parentheses
    - debian/patches/apply-upstream-revision-1631-closes-8159: fix
      workspace overflow for (*ACCEPT) with deeply nested parentheses in
      pcreposix.c, pcre_compile.c, pcre_internal.h, add tests to
      testdata/testoutput11-8, testdata/testoutput11-16,
      testdata/testinput11.
    - CVE-2016-3191
  * debian/rules: set make check to verbose.

 -- Marc Deslauriers <email address hidden>  Fri, 25 Mar 2016 07:55:28 -0400

CVE-2015-2328 | PCRE before 8.36 mishandles the /((?(R)a|(?1)))+/ pattern and related patterns with certain recursion, which allows remote attackers to cause a denia
CVE-2015-8380 | The pcre_exec function in pcre_exec.c in PCRE before 8.38 mishandles a // pattern with a \01 string, which allows remote attackers to cause a denial
CVE-2015-8382 | The match function in pcre_exec.c in PCRE before 8.37 mishandles the /(?:((abcd))|(((?:(?:(?:(?:abc|(?:abcdef))))b)abcdefghi)abc)|((*ACCEPT)))/ patte
CVE-2015-8385 | PCRE before 8.38 mishandles the /(?|(\k'Pm')|(?'Pm'))/ pattern and related patterns with certain forward references, which allows remote attackers to
CVE-2015-8386 | PCRE before 8.38 mishandles the interaction of lookbehind assertions and mutually recursive subpatterns, which allows remote attackers to cause a den
CVE-2015-8387 | PCRE before 8.38 mishandles (?123) subroutine calls and related subroutine calls, which allows remote attackers to cause a denial of service (integer
CVE-2015-8390 | PCRE before 8.38 mishandles the [: and \\ substrings in character classes, which allows remote attackers to cause a denial of service (uninitialized
CVE-2015-8391 | The pcre_compile function in pcre_compile.c in PCRE before 8.38 mishandles certain [: nesting, which allows remote attackers to cause a denial of ser
CVE-2015-8393 | pcregrep in PCRE before 8.38 mishandles the -q option for binary files, which might allow remote attackers to obtain sensitive information via a craf
CVE-2015-8394 | PCRE before 8.38 mishandles the (?(<digits>) and (?(R<digits>) conditions, which allows remote attackers to cause a denial of service (integer overfl
CVE-2016-3191 | The compile_branch function in pcre_compile.c in PCRE 8.x before 8.39 and pcre2_compile.c in PCRE2 before 10.22 mishandles patterns containing an (*A