pcre3: CVE-2020-14155

Related Vulnerabilities: CVE-2020-14155  

Debian Bug report logs - #963086

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 18 Jun 2020 17:48:02 UTC

Severity: important

Tags: security, upstream

Found in versions pcre3/2:8.39-12, pcre3/2:8.39-3

Fixed in version pcre3/2:8.39-13

Done: Matthew Vernon <matthew@debian.org>

Forwarded to https://bugs.exim.org/show_bug.cgi?id=2463


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Matthew Vernon <matthew@debian.org>:
Bug#963086; Package src:pcre3. (Thu, 18 Jun 2020 17:48:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Matthew Vernon <matthew@debian.org>. (Thu, 18 Jun 2020 17:48:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: pcre3: CVE-2020-14155
Date: Thu, 18 Jun 2020 19:45:23 +0200
Source: pcre3
Version: 2:8.39-12
Severity: important
Tags: security upstream
Forwarded: https://bugs.exim.org/show_bug.cgi?id=2463
Control: found -1 2:8.39-3 

Hi,

The following vulnerability was published for pcre3.

CVE-2020-14155[0]:
| libpcre in PCRE before 8.44 allows an integer overflow via a large
| number after a (?C substring.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-14155
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14155
[1] https://bugs.exim.org/show_bug.cgi?id=2463

Regards,
Salvatore
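
The bug class named in the CVE description, as an added C example (not part of this bug log, not PCRE's source and not the upstream patch): a decimal number after (?C that is accumulated without a bound can wrap before the range check runs. The function names are hypothetical, the 0..255 limit is PCRE's documented callout range, and uint32_t is used so that the wraparound is defined behaviour.

```c
#include <stdint.h>
#include <stdio.h>

/* PCRE callout numbers are documented as 0..255. */
#define CALLOUT_MAX 255u

/* Hypothetical helper: accumulate all digits, range-check afterwards.
 * uint32_t makes the wraparound defined; with a signed int the overflow
 * would be undefined behaviour. Returns the number, or -1 if rejected. */
static int parse_callout_unchecked(const char *p)
{
    uint32_t n = 0;
    while (*p >= '0' && *p <= '9')
        n = n * 10u + (uint32_t)(*p++ - '0');
    return n > CALLOUT_MAX ? -1 : (int)n;
}

/* Hypothetical hardened form: reject as soon as the value leaves the
 * valid range, so n never grows large enough to wrap. */
static int parse_callout_bounded(const char *p)
{
    uint32_t n = 0;
    while (*p >= '0' && *p <= '9') {
        n = n * 10u + (uint32_t)(*p++ - '0');
        if (n > CALLOUT_MAX)
            return -1;
    }
    return (int)n;
}

int main(void)
{
    /* Constructed inputs: the text following "(?C" in a pattern. */
    const char *samples[] = { "12)", "255)", "256)", "4294967297)" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s unchecked=%d bounded=%d\n", samples[i],
               parse_callout_unchecked(samples[i]),
               parse_callout_bounded(samples[i]));
    return 0;
}
```

4294967297 is 2^32 + 1, so the unchecked version returns 1 and accepts the input, while the bounded version rejects it at the third digit.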



Marked as found in versions pcre3/2:8.39-3. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Thu, 18 Jun 2020 17:48:04 GMT)


Reply sent to Matthew Vernon <matthew@debian.org>:
You have taken responsibility. (Thu, 18 Jun 2020 19:21:12 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 18 Jun 2020 19:21:12 GMT)


Message #12 received at 963086-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 963086-close@bugs.debian.org
Subject: Bug#963086: fixed in pcre3 2:8.39-13
Date: Thu, 18 Jun 2020 19:18:53 +0000
Source: pcre3
Source-Version: 2:8.39-13
Done: Matthew Vernon <matthew@debian.org>

We believe that the bug you reported is fixed in the latest version of
pcre3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 963086@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matthew Vernon <matthew@debian.org> (supplier of updated pcre3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 18 Jun 2020 19:33:56 +0100
Source: pcre3
Binary: libpcre3 libpcre3-udeb libpcrecpp0v5 libpcre3-dev libpcre3-dbg pcregrep libpcre16-3 libpcre32-3
Architecture: source
Version: 2:8.39-13
Distribution: unstable
Urgency: medium
Maintainer: Matthew Vernon <matthew@debian.org>
Changed-By: Matthew Vernon <matthew@debian.org>
Description:
 libpcre16-3 - Old Perl 5 Compatible Regular Expression Library - 16 bit runtime
 libpcre3   - Old Perl 5 Compatible Regular Expression Library - runtime files
 libpcre3-dbg - Old Perl 5 Compatible Regular Expression Library - debug symbols
 libpcre3-dev - Old Perl 5 Compatible Regular Expression Library - development fi
 libpcre3-udeb - Old Perl 5 Compatible Regular Expression Library - runtime files  (udeb)
 libpcre32-3 - Old Perl 5 Compatible Regular Expression Library - 32 bit runtime
 libpcrecpp0v5 - Old Perl 5 Compatible Regular Expression Library - C++ runtime fi
 pcregrep   - grep utility that uses perl 5 compatible regexes.
Closes: 963086
Changes:
 pcre3 (2:8.39-13) unstable; urgency=medium
 .
   * upstream patch fixing CVE-2020-14155 (Closes: #963086)
Checksums-Sha1:
 b835bb08c84c65ed70093fee8132a4fd1f421a1f 2226 pcre3_8.39-13.dsc
 eb83e4150da20607a79461f7e25e3cef867516f4 27002 pcre3_8.39-13.debian.tar.gz
Checksums-Sha256:
 c3a2eb4f02de5b2e00787ed2a35eb82f04ee4b5e99b8ff279bae3c6453aad93b 2226 pcre3_8.39-13.dsc
 a2143d7358d69b61955a4f977980050447f8891c0e6737080f2b14b920fbde87 27002 pcre3_8.39-13.debian.tar.gz
Files:
 222c40416c84d1980c46c3777395c322 2226 libs optional pcre3_8.39-13.dsc
 76c3d489b8ac99153ce141410ce7566c 27002 libs optional pcre3_8.39-13.debian.tar.gz






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Jun 19 13:40:58 2020; Machine Name: buxtehude