Debian Bug report logs - #855405
pcre3: CVE-2017-6004

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 17 Feb 2017 14:36:02 UTC

Severity: grave

Tags: patch, security, upstream

Found in version pcre3/2:8.39-2

Fixed in version pcre3/2:8.39-2.1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.

Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Matthew Vernon <matthew@debian.org>:
Bug#855405; Package src:pcre3. (Fri, 17 Feb 2017 14:36:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Matthew Vernon <matthew@debian.org>. (Fri, 17 Feb 2017 14:36:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: pcre3: CVE-2017-6004
Date: Fri, 17 Feb 2017 15:33:37 +0100
Source: pcre3
Version: 2:8.39-2
Severity: grave
Tags: security upstream
Justification: user security hole

Hi,

the following vulnerability was published for pcre3. Filing this with
severity grave as RC; I think it should be fixed in stretch, though I'm
unsure and would tend to mark it as no-dsa for jessie (but need to
verify first that the source there is affected as well).

CVE-2017-6004[0]:
| The compile_bracket_matchingpath function in pcre_jit_compile.c in PCRE
| through 8.x before revision 1680 (e.g., the PHP 7.1.1 bundled version)
| allows remote attackers to cause a denial of service (out-of-bounds
| read and application crash) via a crafted regular expression.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-6004
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6004

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Matthew Vernon <matthew@debian.org>:
Bug#855405; Package src:pcre3. (Fri, 17 Feb 2017 15:12:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Matthew Vernon <matthew@debian.org>. (Fri, 17 Feb 2017 15:12:05 GMT)


Message #10 received at 855405@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 855405@bugs.debian.org
Subject: Re: Bug#855405: pcre3: CVE-2017-6004
Date: Fri, 17 Feb 2017 16:10:21 +0100
Control: tags -1 + patch

Hi

Attached would be the proposed debdiff for an NMU in case needed (I
will use in any case a delayed queue if I upload).

Let me know if you would appreciate the NMU or prefer to do the upload
on your own if you agree.

Regards,
Salvatore
[pcre3_8.39-2.1.debdiff (text/plain, attachment)]

Added tag(s) patch. Request was from Salvatore Bonaccorso <carnil@debian.org> to 855405-submit@bugs.debian.org. (Fri, 17 Feb 2017 15:12:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#855405; Package src:pcre3. (Fri, 17 Feb 2017 20:09:02 GMT)


Acknowledgement sent to Matthew Vernon <matthew@debian.org>:
Extra info received and forwarded to list. (Fri, 17 Feb 2017 20:09:02 GMT)


Message #17 received at 855405@bugs.debian.org:

From: Matthew Vernon <matthew@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 855405@bugs.debian.org
Subject: Re: Bug#855405: pcre3: CVE-2017-6004
Date: Fri, 17 Feb 2017 19:29:44 +0000
Hi,

> Attached would be the proposed debdiff for an NMU in case needed (I
> will use in any case a delayed queue if I upload).
>
> Let me know if you would appreciate the NMU or prefer to do the upload
> on your own if you agree.

Thanks for this; given you've done the necessary work (that was quick!),
why don't you go ahead.

Regards,

Matthew




Information forwarded to debian-bugs-dist@lists.debian.org, Matthew Vernon <matthew@debian.org>:
Bug#855405; Package src:pcre3. (Fri, 17 Feb 2017 20:18:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Matthew Vernon <matthew@debian.org>. (Fri, 17 Feb 2017 20:18:04 GMT)


Message #22 received at 855405@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Matthew Vernon <matthew@debian.org>
Cc: 855405@bugs.debian.org
Subject: Re: Bug#855405: pcre3: CVE-2017-6004
Date: Fri, 17 Feb 2017 21:15:44 +0100
Hi Matthew,

On Fri, Feb 17, 2017 at 07:29:44PM +0000, Matthew Vernon wrote:
> Hi,
> 
> > Attached would be the proposed debdiff for an NMU in case needed (I
> > will use in any case a delayed queue if I upload).
> > 
> > Let me know if you would appreciate the NMU or prefer to do the upload
> > on your own if you agree.
> 
> Thanks for this; given you've done the necessary work (that was quick!), why
> don't you go ahead.

Thanks. I have just uploaded my NMU then (without delay).

Regards, and thanks for your quick follow-up,
Salvatore



Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Fri, 17 Feb 2017 21:09:11 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 17 Feb 2017 21:09:11 GMT)


Message #27 received at 855405-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 855405-close@bugs.debian.org
Subject: Bug#855405: fixed in pcre3 2:8.39-2.1
Date: Fri, 17 Feb 2017 21:04:08 +0000
Source: pcre3
Source-Version: 2:8.39-2.1

We believe that the bug you reported is fixed in the latest version of
pcre3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 855405@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated pcre3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 17 Feb 2017 15:56:09 +0100
Source: pcre3
Binary: libpcre3 libpcre3-udeb libpcrecpp0v5 libpcre3-dev libpcre3-dbg pcregrep libpcre16-3 libpcre32-3
Architecture: source
Version: 2:8.39-2.1
Distribution: unstable
Urgency: high
Maintainer: Matthew Vernon <matthew@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 855405
Description: 
 libpcre16-3 - Old Perl 5 Compatible Regular Expression Library - 16 bit runtime
 libpcre3   - Old Perl 5 Compatible Regular Expression Library - runtime files
 libpcre3-dbg - Old Perl 5 Compatible Regular Expression Library - debug symbols
 libpcre3-dev - Old Perl 5 Compatible Regular Expression Library - development fi
 libpcre3-udeb - Old Perl 5 Compatible Regular Expression Library - runtime files  (udeb)
 libpcre32-3 - Old Perl 5 Compatible Regular Expression Library - 32 bit runtime
 libpcrecpp0v5 - Old Perl 5 Compatible Regular Expression Library - C++ runtime fi
 pcregrep   - grep utility that uses perl 5 compatible regexes.
Changes:
 pcre3 (2:8.39-2.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * CVE-2017-6004: crafted regular expression may cause denial of service
     (Closes: #855405)
Checksums-Sha1: 
 4d56aa8a256e907949cb604f92ce390e34da8d8a 2246 pcre3_8.39-2.1.dsc
 45b871e703681f7d0e34095bde6599ae693670c3 24570 pcre3_8.39-2.1.debian.tar.gz
Checksums-Sha256: 
 2a9a8af830285b2f1311833f9a050ab77f69d29b7f33eb1e790aa2c97a018aea 2246 pcre3_8.39-2.1.dsc
 9ca3b9c67a2aeee288dd5dec25416ffd297a73f0a00f993e7b30218cc6c14b49 24570 pcre3_8.39-2.1.debian.tar.gz
Files: 
 8f17c13924863636a5b9e539d69302ae 2246 libs optional pcre3_8.39-2.1.dsc
 c25c097ba40b474f871fabcf0236613a 24570 libs optional pcre3_8.39-2.1.debian.tar.gz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 18 Mar 2017 07:25:07 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:25:05 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.