pcre3: CVE-2015-5073: heap overflow vulnerability in find_fixedlength()

Related Vulnerabilities: CVE-2015-5073  

Debian Bug report logs - #790000


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 26 Jun 2015 05:30:01 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in version pcre3/1:8.30-5

Fixed in version pcre3/2:8.35-7

Done: Matthew Vernon <matthew@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Matthew Vernon <matthew@debian.org>:
Bug#790000; Package src:pcre3. (Fri, 26 Jun 2015 05:30:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Matthew Vernon <matthew@debian.org>. (Fri, 26 Jun 2015 05:30:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: pcre3: heap overflow vulnerability in find_fixedlength()
Date: Fri, 26 Jun 2015 07:27:38 +0200
Source: pcre3
Version: 1:8.30-5
Severity: important
Tags: security upstream patch fixed-upstream

Hi

A new heap overflow vulnerability was found in pcre3, in
find_fixedlength(). See:

https://bugs.exim.org/show_bug.cgi?id=1651
http://vcs.pcre.org/pcre?view=revision&revision=1571

A CVE has been requested at
http://www.openwall.com/lists/oss-security/2015/06/26/1

Regards,
Salvatore



Reply sent to Matthew Vernon <matthew@debian.org>:
You have taken responsibility. (Fri, 26 Jun 2015 07:51:08 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 26 Jun 2015 07:51:08 GMT)


Message #10 received at 790000-close@bugs.debian.org:

From: Matthew Vernon <matthew@debian.org>
To: 790000-close@bugs.debian.org
Subject: Bug#790000: fixed in pcre3 2:8.35-7
Date: Fri, 26 Jun 2015 07:50:09 +0000
Source: pcre3
Source-Version: 2:8.35-7

We believe that the bug you reported is fixed in the latest version of
pcre3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 790000@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matthew Vernon <matthew@debian.org> (supplier of updated pcre3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 26 Jun 2015 08:08:55 +0100
Source: pcre3
Binary: libpcre3 libpcre3-udeb libpcrecpp0 libpcre3-dev libpcre3-dbg pcregrep libpcre16-3 libpcre32-3
Architecture: i386 source
Version: 2:8.35-7
Distribution: unstable
Urgency: medium
Maintainer: Matthew Vernon <matthew@debian.org>
Changed-By: Matthew Vernon <matthew@debian.org>
Closes: 790000
Description: 
 libpcre16-3 - Perl 5 Compatible Regular Expression Library - 16 bit runtime files
 libpcre32-3 - Perl 5 Compatible Regular Expression Library - 32 bit runtime files
 libpcre3-dbg - Perl 5 Compatible Regular Expression Library - debug symbols
 libpcre3-dev - Perl 5 Compatible Regular Expression Library - development files
 libpcre3   - Perl 5 Compatible Regular Expression Library - runtime files
 libpcre3-udeb - Perl 5 Compatible Regular Expression Library - runtime files (udeb)
 libpcrecpp0 - Perl 5 Compatible Regular Expression Library - C++ runtime files
 pcregrep   - grep utility that uses perl 5 compatible regexes.
Changes: 
 pcre3 (2:8.35-7) unstable; urgency=medium
 .
   * Apply upstream patch to fix buffer overflow for forward reference
     within backward assertion with excess closing parenthesis
     (Closes: #790000)
Checksums-Sha1: 
 96f4955a54a67092bd9351983678a53423d60541 2058 pcre3_8.35-7.dsc
 c777fa9600fd448d05c27cb5a4fd729ab6a6b0da 22071 pcre3_8.35-7.debian.tar.gz
 4f20b8d5bea16bb03bed32a39ff70a9cdb4744fa 241420 libpcre16-3_8.35-7_i386.deb
 f124077df209ca6046db8aab10a4d9624a6f937e 742300 libpcre3-dbg_8.35-7_i386.deb
 fe36611abd9d5bc921ce4b4a310476235af52d75 624570 libpcre3-dev_8.35-7_i386.deb
 c3549c2ad4fe98fc3cb72cbcd941a82af2957c2e 146660 libpcre3-udeb_8.35-7_i386.udeb
 28df0ab8be33098fddbda8d892916e3d50b2fdfa 233578 libpcre32-3_8.35-7_i386.deb
 bad5e03cd2ea593ea51e303f6b0740d944817a8a 318640 libpcre3_8.35-7_i386.deb
 0cb215377d60d808a8cff59874bbd8b909ea4daa 141750 libpcrecpp0_8.35-7_i386.deb
 cb00cdcbf583430398d0f928f825f750f075e1ee 26970 pcregrep_8.35-7_i386.deb
Checksums-Sha256: 
 c8d84556756c49371b5da0ee16f13df5b003a742bb618598868e59beb39d2cfe 2058 pcre3_8.35-7.dsc
 f47f4d903d4b2f54da0895c51d5dc1dd9f48d950be8bbc3315538d6b82ba9168 22071 pcre3_8.35-7.debian.tar.gz
 bf38b0e4cbb7234c4b1b8153526fe9c5e4c0b0ae6b21ddf295b320776649feb9 241420 libpcre16-3_8.35-7_i386.deb
 4b097efaf84a13e0568d7b67698e9589a807cf47d7f91c9ffe2cb80633805f11 742300 libpcre3-dbg_8.35-7_i386.deb
 d2e3935871e8c33c7932fdc8750079dc5e6124f9f1633017270b8827626b0fdd 624570 libpcre3-dev_8.35-7_i386.deb
 348511b3e6324e7a2c38a838e21c7283301f4400f380ffc71a8d670a2d1dc4da 146660 libpcre3-udeb_8.35-7_i386.udeb
 f82311d8bf4d64e5834f1e127c7cecc98c541e586eb7fcae58bd6301bb8e1825 233578 libpcre32-3_8.35-7_i386.deb
 50e2259ad68a1b4035ef4e8f0973039cb413855de6e949b90ace3177290b5015 318640 libpcre3_8.35-7_i386.deb
 fbc2e7811ab45872c2c9f94b3c5b0bda06c0a6465cd51172d75d7aa568720b29 141750 libpcrecpp0_8.35-7_i386.deb
 8ba85464f6993cf774f8417b4ed5f8382453ee281fe731653ecf73806f0a32cb 26970 pcregrep_8.35-7_i386.deb
Files: 
 77ee20a1c64b907754b6a9078fa4ba31 2058 libs optional pcre3_8.35-7.dsc
 8022c1bf8800f27841e40acd4d0c7b7a 22071 libs optional pcre3_8.35-7.debian.tar.gz
 02cfc3fa77622ddc1de3525bc9ca73f6 241420 libs optional libpcre16-3_8.35-7_i386.deb
 0c242ea0cb08dac7744b09c10c297fb6 742300 debug extra libpcre3-dbg_8.35-7_i386.deb
 5e49f09a4a1c3a71193dada91ce116b5 624570 libdevel optional libpcre3-dev_8.35-7_i386.deb
 6ef28ee0083634cdcd47141889e92dc9 146660 debian-installer important libpcre3-udeb_8.35-7_i386.udeb
 e4ce4ed7ace77c8c9e1daa4c35d1bb4f 233578 libs optional libpcre32-3_8.35-7_i386.deb
 01516c7ecd3250c9333b9f5bfa80bd1b 318640 libs important libpcre3_8.35-7_i386.deb
 4a880a88b5f7436c29b2eb2acd08ae8c 141750 libs optional libpcrecpp0_8.35-7_i386.deb
 9c6fb218d233fc54048a45948d8bab2f 26970 utils optional pcregrep_8.35-7_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCgAGBQJVjQHkAAoJEBL00hyPamPI1kwQAJNnfk/acv38NSB4Gm8LhKSA
Nrt/RjPehaU3YNbJjXgLh/aBHXpQyN39SqPlIiIIRuBw0fJ4AGaBTHaKwrieY30Y
/2rrm7ezEEiIkSx4kksfVKp0uAXRY9R/oylRZKJ7YCkEUtH2zpEr7j6NtAz9GD24
WF8OedQAq2bFAamj6dWVBug8dTGhZsVg3hCj+pT8zNrwDZvmbGkVBVA6cfhfMT+E
HogMOPGbZQxchOGzw9+H5C3kxLX9Nm4BaEM+SaJJm4L3SLGnzCApGRqgZyCl9M+4
ZJZ0tabvZrSL/zknUaGZIw46i0aTNOiTjI3FgSEHISja2nQaGc0j52/S3u/CVr9q
w13Ttt9iLtVsVPl+YB+b7YrWayK3PxMbgaDsE3GJTYf7UPzZ7GtzEpMCZpxZnT7b
sZ95wVeXf5xaa6q43Y/trEe4Urv5l3QvWBNdwNKd9ck8v9XCYASTAjKQNXu6h4lb
U61vSXj9tzwb4NFGrRe9t5DUhaOrVrnkp3qoZl5H7jGb/0B/7Uge82GTtcDgoPa0
h5V1afJ4pyFPSilCCS9q4/pjyff+tj03vWDteyD0Kfi5RM10iqlyxTtZAf+0uD42
9UT78kUrookt+tCetVeprOIaCnfqdrb8SAoEImcXr59HNz4VGARIPLNUtN1fAZWp
MBHPGM01WQJgi9Mr6og5
=qA9i
-----END PGP SIGNATURE-----




Changed Bug title to 'pcre3: CVE-2015-5073: heap overflow vulnerability in find_fixedlength()' from 'pcre3: heap overflow vulnerability in find_fixedlength()'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 26 Jun 2015 12:30:03 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 29 Jul 2015 07:25:04 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:08:21 2019; Machine Name: beach
