Debian Bug report logs -
#794589
pcre3: CVE-2015-8382: pcre_exec does not fill offsets for certain regexps
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Matthew Vernon <matthew@debian.org>:
Bug#794589; Package src:pcre3.
(Tue, 04 Aug 2015 17:57:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Matthew Vernon <matthew@debian.org>.
(Tue, 04 Aug 2015 17:57:06 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: pcre3
Version: 2:8.35-7
Severity: important
Tags: security upstream patch
Control: forwarded -1 https://bugs.exim.org/show_bug.cgi?id=1537
Hi,
>From https://bugzilla.redhat.com/show_bug.cgi?id=1187225
> It was reported that pcre_exec in PHP pcre extension partially
> initialize a buffer when an invalid regex is processed, which can
> information disclosure.
A CVE was requested here:
http://www.openwall.com/lists/oss-security/2015/08/04/3
Upstream patch for this issue is included in 8.37 AFAIK, and found
here:
http://vcs.pcre.org/pcre/code/trunk/pcre_exec.c?r1=1502&r2=1510
Regards,
Salvatore
Information forwarded
to debian-bugs-dist@lists.debian.org, Matthew Vernon <matthew@debian.org>:
Bug#794589; Package src:pcre3.
(Thu, 10 Sep 2015 20:06:10 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Matthew Vernon <matthew@debian.org>.
(Thu, 10 Sep 2015 20:06:10 GMT) (full text, mbox, link).
Message #12 received at 794589@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi Matthew,
I worked on doing a NMU for pcre3 since it has accumulated some CVEs
which we as well would like see fixed in jessie via pu (and so needs
to be fixed first in unstable).
Current debdiff is attached, but note that I have explicitly not
(yet?) addressed as well
- CVE-2015-3217 / #787641
- #795539
- #796762
Do you plan to update to at least 8.37 fixing some of them, some other
are scheduled for 8.38 which is not yet released.
Regards,
Salvatore
[pcre3_8.35-7.2.debdiff (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]
Reply sent
to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility.
(Fri, 11 Sep 2015 18:39:17 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Fri, 11 Sep 2015 18:39:17 GMT) (full text, mbox, link).
Message #17 received at 794589-close@bugs.debian.org (full text, mbox, reply):
Source: pcre3
Source-Version: 2:8.35-7.2
We believe that the bug you reported is fixed in the latest version of
pcre3, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 794589@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated pcre3 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 11 Sep 2015 20:04:19 +0200
Source: pcre3
Binary: libpcre3 libpcre3-udeb libpcrecpp0v5 libpcre3-dev libpcre3-dbg pcregrep libpcre16-3 libpcre32-3
Architecture: source
Version: 2:8.35-7.2
Distribution: unstable
Urgency: low
Maintainer: Matthew Vernon <matthew@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 781795 783285 787433 794589
Description:
libpcre16-3 - Perl 5 Compatible Regular Expression Library - 16 bit runtime fil
libpcre3 - Perl 5 Compatible Regular Expression Library - runtime files
libpcre3-dbg - Perl 5 Compatible Regular Expression Library - debug symbols
libpcre3-dev - Perl 5 Compatible Regular Expression Library - development files
libpcre3-udeb - Perl 5 Compatible Regular Expression Library - runtime files (ude (udeb)
libpcre32-3 - Perl 5 Compatible Regular Expression Library - 32 bit runtime fil
libpcrecpp0v5 - Perl 5 Compatible Regular Expression Library - C++ runtime files
pcregrep - grep utility that uses perl 5 compatible regexes.
Changes:
pcre3 (2:8.35-7.2) unstable; urgency=low
.
* Non-maintainer upload (with maintainer's permission).
* Add Fix-compiler-crash-misbehaviour-for-zero-repeated-gr.patch.
Fixes "PCRE Library Stack Overflow Vulnerability" (Upstream bug 1503)
* Add Fix-compile-time-loop-for-recursive-reference-within.patch.
Fixes "PCRE Call Stack Overflow Vulnerability" (Upstream bug 1515)
* Add 794589-information-disclosure.patch.
Fixes "pcre_exec does not fill offsets for certain regexps" leading to
information disclosure. (Closes: #794589)
* Add Fix-bad-compile-for-groups-like-2-0-1999.patch.
CVE-2015-2325: heap buffer overflow in compile_branch(). (Closes: #781795)
* Add Fix-bad-compilation-for-patterns-like-1-1-with-forwa.patch.
CVE-2015-2326: heap buffer overflow in pcre_compile2(). (Closes: #783285)
* Add Fix-buffer-overflow-for-named-recursive-back-referen.patch.
CVE-2015-3210: heap buffer overflow in pcre_compile2() /
compile_regex(). (Closes: #787433)
Checksums-Sha1:
d1afd74a080757a16f01c344b6d6195c6619f7a2 2074 pcre3_8.35-7.2.dsc
dd16fc1fa3c85fa3f5a313470af51ccec487a8d9 29105 pcre3_8.35-7.2.debian.tar.gz
Checksums-Sha256:
cb15b92f85a894cade62cf59892d989ace89d9c7500edda7ec8866a9acaea2f3 2074 pcre3_8.35-7.2.dsc
087754802f54f133a10576186ed4195d7cb39dfba0f2f9c94e20c31f13e25e9c 29105 pcre3_8.35-7.2.debian.tar.gz
Files:
7ce1fc5823e8125d4d8f1707a633dd1d 2074 libs optional pcre3_8.35-7.2.dsc
8254b0c3a0e9399a7a093537674fd185 29105 libs optional pcre3_8.35-7.2.debian.tar.gz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCgAGBQJV8xmlAAoJEAVMuPMTQ89E1/YP/ix2ydDB9mMSm64KpcDWFAAe
vy8ojv2aEVM5h+S5eZv20Enx0oG9FORApm5J7R2FMjNNutAOc1zQxjoym8r6DkkD
vn2WK+OjOnEu7j78atM8QYoTG+kgC/thrT7Tn+hz+fjSHezvRXl4bGZ5x2oFvGmj
lgZTbc3dzY0WDXKZpy0WqsNshnyqcOqpZST81nT6XFwIyAqQryqHbM77j4VZ2vic
SsfETlOcxZCzYtzKh0pkVg7c9Xj0Tu+PWk5byUFynHdvPFnHqnADcy3Txnny46op
z427TSObS6cqhSAUkP1Mir7nGLS3eW1zSSiqPA/wDq9AjMvVPjKkgjrlRUCgNpQJ
haM8weHIIAlQblsv7zY67jBA0no/smVb4ig9d9PTWd0PDU26V28sHV2pS1AMvUOB
L0S+rhQw6EEX3C8sxcr3B0X6giPxiiqLFK8yqJbKyTsFKmCNNBh9maRBvW0BdWvX
Xn8B8kiD7kzVPLaxpt7xm85UtkeK9JWMCUEhrvN4ylAgt+CQAcfULNBeyZjC+S/v
xeJxYfITRB5WpwSVnzhf3Xx7XS4IBERLLXxWwqSyjDBun5XqPXyCzSPjAw1kvZ9X
G5QotasfCVPWgtkaGztKV5rYqJITNbnpSu87pVBdQ+EoL2L67F7qvI7bOydt9Xeu
pvl55R2tiFytxA0/axUf
=F5r0
-----END PGP SIGNATURE-----
Changed Bug title to 'pcre3: CVE-2015-8382: pcre_exec does not fill offsets for certain regexps' from 'pcre3: pcre_exec does not fill offsets for certain regexps'
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Wed, 02 Dec 2015 06:09:03 GMT) (full text, mbox, link).
Marked as found in versions pcre3/1:8.30-5.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Wed, 02 Dec 2015 17:12:04 GMT) (full text, mbox, link).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Thu, 31 Dec 2015 07:31:19 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 18:10:54 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon