Debian Bug report logs - #861873
pcre2: CVE-2017-8786
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Matthew Vernon <matthew@debian.org>: Bug#861873; Package src:pcre2. (Fri, 05 May 2017 09:18:05 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Matthew Vernon <matthew@debian.org>. (Fri, 05 May 2017 09:18:05 GMT)
Message #5 received at submit@bugs.debian.org:
Source: pcre2
Version: 10.22-3
Severity: minor
Tags: security upstream patch
Forwarded: https://bugs.exim.org/show_bug.cgi?id=2079
Hi,
the following vulnerability was published for pcre2.
CVE-2017-8786[0]:
| pcre2test.c in PCRE2 10.23 allows remote attackers to cause a denial of
| service (heap-based buffer overflow) or possibly have unspecified other
| impact via a crafted regular expression.
The issue is only in the pcre2test utility, so IMHO no immediate
update is needed. But if you get an unblock from the release team,
then even better, and it might already be fixed for stretch.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-8786
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8786
[1] https://bugs.exim.org/show_bug.cgi?id=2079
Regards,
Salvatore
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#861873; Package src:pcre2. (Mon, 08 May 2017 09:09:03 GMT)
Acknowledgement sent to Matthew Vernon <matthew@debian.org>: Extra info received and forwarded to list. (Mon, 08 May 2017 09:09:03 GMT)
Message #10 received at 861873@bugs.debian.org:
Hi,
> the following vulnerability was published for pcre2.
>
> CVE-2017-8786[0]:
> | pcre2test.c in PCRE2 10.23 allows remote attackers to cause a denial of
> | service (heap-based buffer overflow) or possibly have unspecified other
> | impact via a crafted regular expression.
Upstream have on a number of occasions said that they don't really
consider problems in pcre2test.c a security issue for the library as a
whole.
> The issue is only in the pcre2test utility, so IMHO no immediate
> update is needed. But if you get an unblock from the release team,
> then even better and might already be fixed for stretch.
My inclination is that it's OK for the next upstream pcre2 release which
will contain this fix.
Regards,
Matthew
Information forwarded to debian-bugs-dist@lists.debian.org, Matthew Vernon <matthew@debian.org>: Bug#861873; Package src:pcre2. (Mon, 08 May 2017 09:15:03 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Matthew Vernon <matthew@debian.org>. (Mon, 08 May 2017 09:15:03 GMT)
Message #15 received at 861873@bugs.debian.org:
Hi Matthew,
On Mon, May 08, 2017 at 10:07:25AM +0100, Matthew Vernon wrote:
> Hi,
>
> > the following vulnerability was published for pcre2.
> >
> > CVE-2017-8786[0]:
> > | pcre2test.c in PCRE2 10.23 allows remote attackers to cause a denial of
> > | service (heap-based buffer overflow) or possibly have unspecified other
> > | impact via a crafted regular expression.
>
> Upstream have on a number of occasions said that they don't really
> consider problems in pcre2test.c a security issue for the library as a
> whole.
Yes, got that. I'm interested though to track it anyway, since
apparently the reporter has requested a CVE for it (and got one
assigned).
>
> > The issue is only in the pcre2test utility, so IMHO no immediate
> > update is needed. But if you get an unblock from the release team,
> > then even better and might already be fixed for stretch.
>
> My inclination is that it's OK for the next upstream pcre2 release which
> will contain this fix.
Sure thing, I was not implying an update is required for stretch. I
only meant if you by other means plan another pcre2 update for stretch
and this can be included then fine.
Thanks for your work as usual!
Salvatore
Marked as fixed in versions pcre2/10.31-1. Request was from Matthew Vernon <matthew@debian.org> to control@bugs.debian.org. (Sat, 24 Feb 2018 15:51:07 GMT)
Last modified: Wed Jun 19 13:57:51 2019