Debian Bug report logs - #790000
pcre3: CVE-2015-5073: heap overflow vulnerability in find_fixedlength()
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Fri, 26 Jun 2015 05:30:01 UTC
Severity: important
Tags: fixed-upstream, patch, security, upstream
Found in version pcre3/1:8.30-5
Fixed in version pcre3/2:8.35-7
Done: Matthew Vernon <matthew@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Matthew Vernon <matthew@debian.org>: Bug#790000; Package src:pcre3. (Fri, 26 Jun 2015 05:30:05 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Matthew Vernon <matthew@debian.org>. (Fri, 26 Jun 2015 05:30:05 GMT)
Message #5 received at submit@bugs.debian.org:
Source: pcre3
Version: 1:8.30-5
Severity: important
Tags: security upstream patch fixed-upstream
Hi,
A new heap overflow vulnerability was found in pcre3, in
find_fixedlength(). See:
https://bugs.exim.org/show_bug.cgi?id=1651
http://vcs.pcre.org/pcre?view=revision&revision=1571
A CVE has been requested at
http://www.openwall.com/lists/oss-security/2015/06/26/1
Regards,
Salvatore
Reply sent to Matthew Vernon <matthew@debian.org>: You have taken responsibility. (Fri, 26 Jun 2015 07:51:08 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Fri, 26 Jun 2015 07:51:08 GMT)
Message #10 received at 790000-close@bugs.debian.org:
Source: pcre3
Source-Version: 2:8.35-7
We believe that the bug you reported is fixed in the latest version of
pcre3, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 790000@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Matthew Vernon <matthew@debian.org> (supplier of updated pcre3 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 26 Jun 2015 08:08:55 +0100
Source: pcre3
Binary: libpcre3 libpcre3-udeb libpcrecpp0 libpcre3-dev libpcre3-dbg pcregrep libpcre16-3 libpcre32-3
Architecture: i386 source
Version: 2:8.35-7
Distribution: unstable
Urgency: medium
Maintainer: Matthew Vernon <matthew@debian.org>
Changed-By: Matthew Vernon <matthew@debian.org>
Closes: 790000
Description:
libpcre16-3 - Perl 5 Compatible Regular Expression Library - 16 bit runtime fil
libpcre32-3 - Perl 5 Compatible Regular Expression Library - 32 bit runtime fil
libpcre3-dbg - Perl 5 Compatible Regular Expression Library - debug symbols
libpcre3-dev - Perl 5 Compatible Regular Expression Library - development files
libpcre3 - Perl 5 Compatible Regular Expression Library - runtime files
libpcre3-udeb - Perl 5 Compatible Regular Expression Library - runtime files (ude (udeb)
libpcrecpp0 - Perl 5 Compatible Regular Expression Library - C++ runtime files
pcregrep - grep utility that uses perl 5 compatible regexes.
Changes:
pcre3 (2:8.35-7) unstable; urgency=medium
.
* Apply upstream patch to fix buffer overflow for forward reference
within backward assertion with excess closing parenthesis
(Closes: #790000)
Checksums-Sha1:
96f4955a54a67092bd9351983678a53423d60541 2058 pcre3_8.35-7.dsc
c777fa9600fd448d05c27cb5a4fd729ab6a6b0da 22071 pcre3_8.35-7.debian.tar.gz
4f20b8d5bea16bb03bed32a39ff70a9cdb4744fa 241420 libpcre16-3_8.35-7_i386.deb
f124077df209ca6046db8aab10a4d9624a6f937e 742300 libpcre3-dbg_8.35-7_i386.deb
fe36611abd9d5bc921ce4b4a310476235af52d75 624570 libpcre3-dev_8.35-7_i386.deb
c3549c2ad4fe98fc3cb72cbcd941a82af2957c2e 146660 libpcre3-udeb_8.35-7_i386.udeb
28df0ab8be33098fddbda8d892916e3d50b2fdfa 233578 libpcre32-3_8.35-7_i386.deb
bad5e03cd2ea593ea51e303f6b0740d944817a8a 318640 libpcre3_8.35-7_i386.deb
0cb215377d60d808a8cff59874bbd8b909ea4daa 141750 libpcrecpp0_8.35-7_i386.deb
cb00cdcbf583430398d0f928f825f750f075e1ee 26970 pcregrep_8.35-7_i386.deb
Checksums-Sha256:
c8d84556756c49371b5da0ee16f13df5b003a742bb618598868e59beb39d2cfe 2058 pcre3_8.35-7.dsc
f47f4d903d4b2f54da0895c51d5dc1dd9f48d950be8bbc3315538d6b82ba9168 22071 pcre3_8.35-7.debian.tar.gz
bf38b0e4cbb7234c4b1b8153526fe9c5e4c0b0ae6b21ddf295b320776649feb9 241420 libpcre16-3_8.35-7_i386.deb
4b097efaf84a13e0568d7b67698e9589a807cf47d7f91c9ffe2cb80633805f11 742300 libpcre3-dbg_8.35-7_i386.deb
d2e3935871e8c33c7932fdc8750079dc5e6124f9f1633017270b8827626b0fdd 624570 libpcre3-dev_8.35-7_i386.deb
348511b3e6324e7a2c38a838e21c7283301f4400f380ffc71a8d670a2d1dc4da 146660 libpcre3-udeb_8.35-7_i386.udeb
f82311d8bf4d64e5834f1e127c7cecc98c541e586eb7fcae58bd6301bb8e1825 233578 libpcre32-3_8.35-7_i386.deb
50e2259ad68a1b4035ef4e8f0973039cb413855de6e949b90ace3177290b5015 318640 libpcre3_8.35-7_i386.deb
fbc2e7811ab45872c2c9f94b3c5b0bda06c0a6465cd51172d75d7aa568720b29 141750 libpcrecpp0_8.35-7_i386.deb
8ba85464f6993cf774f8417b4ed5f8382453ee281fe731653ecf73806f0a32cb 26970 pcregrep_8.35-7_i386.deb
Files:
77ee20a1c64b907754b6a9078fa4ba31 2058 libs optional pcre3_8.35-7.dsc
8022c1bf8800f27841e40acd4d0c7b7a 22071 libs optional pcre3_8.35-7.debian.tar.gz
02cfc3fa77622ddc1de3525bc9ca73f6 241420 libs optional libpcre16-3_8.35-7_i386.deb
0c242ea0cb08dac7744b09c10c297fb6 742300 debug extra libpcre3-dbg_8.35-7_i386.deb
5e49f09a4a1c3a71193dada91ce116b5 624570 libdevel optional libpcre3-dev_8.35-7_i386.deb
6ef28ee0083634cdcd47141889e92dc9 146660 debian-installer important libpcre3-udeb_8.35-7_i386.udeb
e4ce4ed7ace77c8c9e1daa4c35d1bb4f 233578 libs optional libpcre32-3_8.35-7_i386.deb
01516c7ecd3250c9333b9f5bfa80bd1b 318640 libs important libpcre3_8.35-7_i386.deb
4a880a88b5f7436c29b2eb2acd08ae8c 141750 libs optional libpcrecpp0_8.35-7_i386.deb
9c6fb218d233fc54048a45948d8bab2f 26970 utils optional pcregrep_8.35-7_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQIcBAEBCgAGBQJVjQHkAAoJEBL00hyPamPI1kwQAJNnfk/acv38NSB4Gm8LhKSA
Nrt/RjPehaU3YNbJjXgLh/aBHXpQyN39SqPlIiIIRuBw0fJ4AGaBTHaKwrieY30Y
/2rrm7ezEEiIkSx4kksfVKp0uAXRY9R/oylRZKJ7YCkEUtH2zpEr7j6NtAz9GD24
WF8OedQAq2bFAamj6dWVBug8dTGhZsVg3hCj+pT8zNrwDZvmbGkVBVA6cfhfMT+E
HogMOPGbZQxchOGzw9+H5C3kxLX9Nm4BaEM+SaJJm4L3SLGnzCApGRqgZyCl9M+4
ZJZ0tabvZrSL/zknUaGZIw46i0aTNOiTjI3FgSEHISja2nQaGc0j52/S3u/CVr9q
w13Ttt9iLtVsVPl+YB+b7YrWayK3PxMbgaDsE3GJTYf7UPzZ7GtzEpMCZpxZnT7b
sZ95wVeXf5xaa6q43Y/trEe4Urv5l3QvWBNdwNKd9ck8v9XCYASTAjKQNXu6h4lb
U61vSXj9tzwb4NFGrRe9t5DUhaOrVrnkp3qoZl5H7jGb/0B/7Uge82GTtcDgoPa0
h5V1afJ4pyFPSilCCS9q4/pjyff+tj03vWDteyD0Kfi5RM10iqlyxTtZAf+0uD42
9UT78kUrookt+tCetVeprOIaCnfqdrb8SAoEImcXr59HNz4VGARIPLNUtN1fAZWp
MBHPGM01WQJgi9Mr6og5
=qA9i
-----END PGP SIGNATURE-----
Changed Bug title to 'pcre3: CVE-2015-5073: heap overflow vulnerability in find_fixedlength()' from 'pcre3: heap overflow vulnerability in find_fixedlength()'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 26 Jun 2015 12:30:03 GMT)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 29 Jul 2015 07:25:04 GMT)
Last modified: Wed Jun 19 16:08:21 2019