pcre2: CVE-2017-8786

Debian Bug report logs - #861873

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 5 May 2017 09:18:02 UTC

Severity: minor

Tags: patch, security, upstream

Found in version pcre2/10.22-3

Fixed in version pcre2/10.31-1

Forwarded to https://bugs.exim.org/show_bug.cgi?id=2079



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Matthew Vernon <matthew@debian.org>:
Bug#861873; Package src:pcre2. (Fri, 05 May 2017 09:18:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Matthew Vernon <matthew@debian.org>. (Fri, 05 May 2017 09:18:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: pcre2: CVE-2017-8786
Date: Fri, 05 May 2017 11:14:12 +0200
Source: pcre2
Version: 10.22-3
Severity: minor
Tags: security upstream patch
Forwarded: https://bugs.exim.org/show_bug.cgi?id=2079

Hi,

the following vulnerability was published for pcre2.

CVE-2017-8786[0]:
| pcre2test.c in PCRE2 10.23 allows remote attackers to cause a denial of
| service (heap-based buffer overflow) or possibly have unspecified other
| impact via a crafted regular expression.

The issue is only in the pcre2test utility, so IMHO no immediate
update is needed. But if you get an unblock from the release team,
then even better and might already be fixed for stretch.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-8786
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8786
[1] https://bugs.exim.org/show_bug.cgi?id=2079

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#861873; Package src:pcre2. (Mon, 08 May 2017 09:09:03 GMT)


Acknowledgement sent to Matthew Vernon <matthew@debian.org>:
Extra info received and forwarded to list. (Mon, 08 May 2017 09:09:03 GMT)


Message #10 received at 861873@bugs.debian.org:

From: Matthew Vernon <matthew@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 861873@bugs.debian.org
Subject: Re: Bug#861873: pcre2: CVE-2017-8786
Date: Mon, 8 May 2017 10:07:25 +0100
Hi,

> the following vulnerability was published for pcre2.
> 
> CVE-2017-8786[0]:
> | pcre2test.c in PCRE2 10.23 allows remote attackers to cause a denial of
> | service (heap-based buffer overflow) or possibly have unspecified other
> | impact via a crafted regular expression.

Upstream have on a number of occasions said that they don't really
consider problems in pcre2test.c a security issue for the library as a
whole.

> The issue is only in the pcre2test utility, so IMHO no immediate
> update is needed. But if you get an unblock from the release team,
> then even better and might already be fixed for stretch.

My inclination is that it's OK for the next upstream pcre2 release which
will contain this fix.

Regards,

Matthew




Information forwarded to debian-bugs-dist@lists.debian.org, Matthew Vernon <matthew@debian.org>:
Bug#861873; Package src:pcre2. (Mon, 08 May 2017 09:15:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Matthew Vernon <matthew@debian.org>. (Mon, 08 May 2017 09:15:03 GMT)


Message #15 received at 861873@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Matthew Vernon <matthew@debian.org>
Cc: 861873@bugs.debian.org
Subject: Re: Bug#861873: pcre2: CVE-2017-8786
Date: Mon, 8 May 2017 11:13:12 +0200
Hi Matthew,

On Mon, May 08, 2017 at 10:07:25AM +0100, Matthew Vernon wrote:
> Hi,
> 
> > the following vulnerability was published for pcre2.
> > 
> > CVE-2017-8786[0]:
> > | pcre2test.c in PCRE2 10.23 allows remote attackers to cause a denial of
> > | service (heap-based buffer overflow) or possibly have unspecified other
> > | impact via a crafted regular expression.
> 
> Upstream have on a number of occasions said that they don't really
> consider problems in pcre2test.c a security issue for the library as a
> whole.

Yes got that. I'm interested though to track it anyway, since
apparently the reporter has requested a CVE for it (and got one
assigned).
> 
> > The issue is only in the pcre2test utility, so IMHO no immediate
> > update is needed. But if you get an unblock from the release team,
> > then even better and might already be fixed for stretch.
> 
> My inclination is that it's OK for the next upstream pcre2 release which
> will contain this fix.

Sure thing, I was not implying an update is required for stretch. I
only meant if you by other means plan another pcre2 update for stretch
and this can be included then fine.

Thanks for your work as usual!

Salvatore



Marked as fixed in versions pcre2/10.31-1. Request was from Matthew Vernon <matthew@debian.org> to control@bugs.debian.org. (Sat, 24 Feb 2018 15:51:07 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:57:51 2019; Machine Name: buxtehude
