pcre3: CVE-2014-8964: heap buffer overflow

Related Vulnerabilities: CVE-2014-8964  

Debian Bug report logs - #770478
pcre3: CVE-2014-8964: heap buffer overflow

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 21 Nov 2014 15:39:07 UTC

Severity: important

Tags: patch, security, upstream

Found in versions pcre3/2:8.35-3.2, pcre3/1:8.30-1, pcre3/1:8.35-3

Fixed in versions pcre3/1:8.36-1, pcre3/2:8.35-3.3

Done: Ivo De Decker <ivodd@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Mark Baker <mark@mnb.org.uk>:
Bug#770478; Package src:pcre3. (Fri, 21 Nov 2014 15:39:12 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Mark Baker <mark@mnb.org.uk>. (Fri, 21 Nov 2014 15:39:12 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: pcre3: CVE-2014-8964: heap buffer overflow
Date: Fri, 21 Nov 2014 16:36:09 +0100
Source: pcre3
Version: 1:8.35-3
Severity: important
Tags: security upstream patch

Hi,

the following vulnerability was published for pcre3.

CVE-2014-8964[0]:
pcre: heap buffer overflow

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2014-8964
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1166147
[2] http://bugs.exim.org/show_bug.cgi?id=1546

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Reply sent to Mark Baker <mark@mnb.org.uk>:
You have taken responsibility. (Mon, 24 Nov 2014 23:51:13 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 24 Nov 2014 23:51:13 GMT)


Message #10 received at 770478-close@bugs.debian.org:

From: Mark Baker <mark@mnb.org.uk>
To: 770478-close@bugs.debian.org
Subject: Bug#770478: fixed in pcre3 1:8.36-1
Date: Mon, 24 Nov 2014 23:49:23 +0000
Source: pcre3
Source-Version: 1:8.36-1

We believe that the bug you reported is fixed in the latest version of
pcre3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 770478@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mark Baker <mark@mnb.org.uk> (supplier of updated pcre3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon, 24 Nov 2014 22:41:12 +0000
Source: pcre3
Binary: libpcre3 libpcre3-udeb libpcrecpp0 libpcre3-dev libpcre3-dbg pcregrep
Architecture: source amd64
Version: 1:8.36-1
Distribution: unstable
Urgency: medium
Maintainer: Mark Baker <mark@mnb.org.uk>
Changed-By: Mark Baker <mark@mnb.org.uk>
Description: 
 libpcre3   - Perl 5 Compatible Regular Expression Library - runtime files
 libpcre3-dbg - Perl 5 Compatible Regular Expression Library - debug symbols
 libpcre3-dev - Perl 5 Compatible Regular Expression Library - development files
 libpcre3-udeb - Perl 5 Compatible Regular Expression Library - runtime files (ude (udeb)
 libpcrecpp0 - Perl 5 Compatible Regular Expression Library - C++ runtime files
 pcregrep   - grep utility that uses perl 5 compatible regexes.
Closes: 767903 770478
Changes: 
 pcre3 (1:8.36-1) unstable; urgency=medium
 .
   * New upstream release
   * Upped shlibs dependency to 8.35 (Closes: #767903)
   * Upstream patch for heap buffer overflow, CVE-2014-8964 (Closes: #770478)




Marked as found in versions pcre3/1:8.30-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 06 Dec 2014 18:48:11 GMT)


Bug reopened Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 06 Dec 2014 18:48:15 GMT)


No longer marked as fixed in versions pcre3/1:8.36-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 06 Dec 2014 18:48:16 GMT)


Marked as found in versions pcre3/2:8.35-3.2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 06 Dec 2014 18:48:20 GMT)


Marked as fixed in versions pcre3/1:8.36-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 06 Dec 2014 18:51:05 GMT)


Reply sent to Ivo De Decker <ivodd@debian.org>:
You have taken responsibility. (Sat, 06 Dec 2014 19:21:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 06 Dec 2014 19:21:05 GMT)


Message #25 received at 770478-close@bugs.debian.org:

From: Ivo De Decker <ivodd@debian.org>
To: 770478-close@bugs.debian.org
Subject: Bug#770478: fixed in pcre3 2:8.35-3.3
Date: Sat, 06 Dec 2014 19:19:05 +0000
Source: pcre3
Source-Version: 2:8.35-3.3

We believe that the bug you reported is fixed in the latest version of
pcre3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 770478@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ivo De Decker <ivodd@debian.org> (supplier of updated pcre3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 06 Dec 2014 19:58:19 +0100
Source: pcre3
Binary: libpcre3 libpcre3-udeb libpcrecpp0 libpcre3-dev libpcre3-dbg pcregrep
Architecture: source amd64
Version: 2:8.35-3.3
Distribution: unstable
Urgency: medium
Maintainer: Mark Baker <mark@mnb.org.uk>
Changed-By: Ivo De Decker <ivodd@debian.org>
Description:
 libpcre3   - Perl 5 Compatible Regular Expression Library - runtime files
 libpcre3-dbg - Perl 5 Compatible Regular Expression Library - debug symbols
 libpcre3-dev - Perl 5 Compatible Regular Expression Library - development files
 libpcre3-udeb - Perl 5 Compatible Regular Expression Library - runtime files (ude (udeb)
 libpcrecpp0 - Perl 5 Compatible Regular Expression Library - C++ runtime files
 pcregrep   - grep utility that uses perl 5 compatible regexes.
Closes: 770478
Changes:
 pcre3 (2:8.35-3.3) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Upstream patch for heap buffer overflow, CVE-2014-8964, taken from
     1:8.36-1 (Closes: #770478)
     Thanks to Salvatore Bonaccorso for the reminder.




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 28 Mar 2015 07:29:15 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:19:46 2019; Machine Name: buxtehude
