Debian Bug report logs - #809706
pcre3: CVE-2016-1283

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 3 Jan 2016 06:37:17 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in version pcre3/2:8.35-3.3

Fixed in versions pcre3/2:8.38-3.1, pcre3/2:8.35-3.3+deb8u3

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://bugs.exim.org/show_bug.cgi?id=1767


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Matthew Vernon <matthew@debian.org>:
Bug#809706; Package src:pcre3. (Sun, 03 Jan 2016 06:37:21 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Matthew Vernon <matthew@debian.org>. (Sun, 03 Jan 2016 06:37:21 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: pcre3: CVE-2016-1283
Date: Sun, 03 Jan 2016 07:36:25 +0100
Source: pcre3
Version: 2:8.35-1
Severity: important
Tags: security upstream
Forwarded: https://bugs.exim.org/show_bug.cgi?id=1767

Hi,

the following vulnerability was published for pcre3.

CVE-2016-1283[0]:
PCRE Library Heap Overflow Vulnerability

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

No upstream commit is available at this time yet, but opening a bug to
track the issue.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-1283
[1] https://bugs.exim.org/show_bug.cgi?id=1767

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



No longer marked as found in versions pcre3/2:8.35-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 03 Jan 2016 06:45:03 GMT)


Marked as found in versions pcre3/2:8.35-3.3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 03 Jan 2016 06:45:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#809706; Package src:pcre3. (Sun, 03 Jan 2016 11:27:03 GMT)


Acknowledgement sent to Matthew Vernon <matthew@debian.org>:
Extra info received and forwarded to list. (Sun, 03 Jan 2016 11:27:04 GMT)


Message #14 received at 809706@bugs.debian.org:

From: Matthew Vernon <matthew@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 809706@bugs.debian.org
Subject: Re: Bug#809706: pcre3: CVE-2016-1283
Date: Sun, 3 Jan 2016 10:59:04 +0000
Hi,

On 03/01/16 06:36, Salvatore Bonaccorso wrote:

> CVE-2016-1283[0]:
> PCRE Library Heap Overflow Vulnerability
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> No upstream commit is available at this time yet, but opening a bug to
> track the issue.

Thanks. This doesn't affect PCRE2, and upstream don't seem confident of 
a rapid fix for PCRE3. I'll keep an eye on the pcre-dev list for a 
suitable patch.

Regards,

Matthew
Information forwarded to debian-bugs-dist@lists.debian.org, Matthew Vernon <matthew@debian.org>:
Bug#809706; Package src:pcre3. (Sun, 03 Jan 2016 13:24:09 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Matthew Vernon <matthew@debian.org>. (Sun, 03 Jan 2016 13:24:09 GMT)


Message #19 received at 809706@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Matthew Vernon <matthew@debian.org>
Cc: 809706@bugs.debian.org
Subject: Re: Bug#809706: pcre3: CVE-2016-1283
Date: Sun, 3 Jan 2016 14:20:37 +0100
Hi Matthew,

On Sun, Jan 03, 2016 at 10:59:04AM +0000, Matthew Vernon wrote:
> Hi,
> 
> On 03/01/16 06:36, Salvatore Bonaccorso wrote:
> 
> >CVE-2016-1283[0]:
> >PCRE Library Heap Overflow Vulnerability
> >
> >If you fix the vulnerability please also make sure to include the
> >CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> >No upstream commit is available at this time yet, but opening a bug to
> >track the issue.
> 
> Thanks. This doesn't affect PCRE2, and upstream don't seem confident of a
> rapid fix for PCRE3. I'll keep an eye on the pcre-dev list for a suitable
> patch.

Ack, came to the same conclusion while checking pcre2 as well. Thanks
for keeping an eye on it.

Thanks for all your work on pcre3 and pcre2.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Matthew Vernon <matthew@debian.org>:
Bug#809706; Package src:pcre3. (Tue, 22 Mar 2016 20:21:08 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Matthew Vernon <matthew@debian.org>. (Tue, 22 Mar 2016 20:21:10 GMT)


Message #24 received at 809706@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 809706@bugs.debian.org
Subject: pcre3: diff for NMU version 2:8.38-3.1
Date: Tue, 22 Mar 2016 21:16:25 +0100
Control: tags 809706 + patch
Control: tags 809706 + pending

Dear maintainer,

I've prepared an NMU for pcre3 (versioned as 2:8.38-3.1) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore

p.s.: actually if we can have it fixed before the weekend in unstable, I
      would try to prepare debdiff for pcre3 for jessie to be reviewed
      by the SRM and have it included in the next jessie point release.

[pcre3-8.38-3.1-nmu.diff (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]

Added tag(s) patch. Request was from Salvatore Bonaccorso <carnil@debian.org> to 809706-submit@bugs.debian.org. (Tue, 22 Mar 2016 20:21:12 GMT)


Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to 809706-submit@bugs.debian.org. (Tue, 22 Mar 2016 20:21:13 GMT)


Added tag(s) fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 22 Mar 2016 20:21:19 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#809706; Package src:pcre3. (Tue, 22 Mar 2016 22:42:03 GMT)


Acknowledgement sent to Matthew Vernon <matthew@debian.org>:
Extra info received and forwarded to list. (Tue, 22 Mar 2016 22:42:03 GMT)


Message #35 received at 809706@bugs.debian.org:

From: Matthew Vernon <matthew@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 809706@bugs.debian.org
Subject: Re: Bug#809706: pcre3: diff for NMU version 2:8.38-3.1
Date: Tue, 22 Mar 2016 22:15:22 +0000
Hi Salvatore,
> p.s.: actually if we can have it fixed before the weekend in unstable, I
>        would try to prepare debdiff for pcre3 for jessie to be reviewed
>        by the SRM and have it included in the next jessie point release.

You mean you'd like to just upload it now, rather than wait 5 days? Do 
go ahead, I've checked your patch against upstream's commit and am happy 
for you to proceed.

Regards,

Matthew
Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Wed, 23 Mar 2016 04:39:11 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 23 Mar 2016 04:39:11 GMT)


Message #40 received at 809706-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 809706-close@bugs.debian.org
Subject: Bug#809706: fixed in pcre3 2:8.38-3.1
Date: Wed, 23 Mar 2016 04:26:38 +0000
Source: pcre3
Source-Version: 2:8.38-3.1

We believe that the bug you reported is fixed in the latest version of
pcre3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 809706@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated pcre3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Tue, 22 Mar 2016 21:05:13 +0100
Source: pcre3
Binary: libpcre3 libpcre3-udeb libpcrecpp0v5 libpcre3-dev libpcre3-dbg pcregrep libpcre16-3 libpcre32-3
Architecture: source
Version: 2:8.38-3.1
Distribution: unstable
Urgency: medium
Maintainer: Matthew Vernon <matthew@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 809706
Description: 
 libpcre16-3 - Perl 5 Compatible Regular Expression Library - 16 bit runtime fil
 libpcre3   - Perl 5 Compatible Regular Expression Library - runtime files
 libpcre3-dbg - Perl 5 Compatible Regular Expression Library - debug symbols
 libpcre3-dev - Perl 5 Compatible Regular Expression Library - development files
 libpcre3-udeb - Perl 5 Compatible Regular Expression Library - runtime files (ude (udeb)
 libpcre32-3 - Perl 5 Compatible Regular Expression Library - 32 bit runtime fil
 libpcrecpp0v5 - Perl 5 Compatible Regular Expression Library - C++ runtime files
 pcregrep   - grep utility that uses perl 5 compatible regexes.
Changes:
 pcre3 (2:8.38-3.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2016-1283: heap buffer overflow in handling of duplicate named
     groups (Closes: #809706)
Checksums-Sha1: 
 c3b924afd4e2217b4ff7c2faf9d2171ac70dc245 2074 pcre3_8.38-3.1.dsc
 d2295695b2b0e5799a78d251a335f62799b813ad 32289 pcre3_8.38-3.1.debian.tar.gz
Checksums-Sha256: 
 6a46bc62c33198fe38257f0dddecb4c534825f8f066bf88f2a45ad935b879885 2074 pcre3_8.38-3.1.dsc
 9ee1b838c1de50cb5f6641016d0dd21b06f1038b9b7c3b1098e0a89b9c24b39f 32289 pcre3_8.38-3.1.debian.tar.gz
Files: 
 c1e77af3499738326e5e086f98b85061 2074 libs optional pcre3_8.38-3.1.dsc
 943442eab19bb0381d1b663ca8cd23e8 32289 libs optional pcre3_8.38-3.1.debian.tar.gz

Information forwarded to debian-bugs-dist@lists.debian.org, Matthew Vernon <matthew@debian.org>:
Bug#809706; Package src:pcre3. (Wed, 23 Mar 2016 05:21:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Matthew Vernon <matthew@debian.org>. (Wed, 23 Mar 2016 05:21:04 GMT)


Message #45 received at 809706@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Matthew Vernon <matthew@debian.org>
Cc: Salvatore Bonaccorso <carnil@debian.org>, 809706@bugs.debian.org
Subject: Re: Bug#809706: pcre3: diff for NMU version 2:8.38-3.1
Date: Wed, 23 Mar 2016 06:17:48 +0100
Hi Matthew,

On Tue, Mar 22, 2016 at 10:15:22PM +0000, Matthew Vernon wrote:
> Hi Salvatore,
> >p.s.: actually if we can have it fixed before the weekend in unstable, I
> >       would try to prepare debdiff for pcre3 for jessie to be reviewed
> >       by the SRM and have it included in the next jessie point release.
> 
> You mean you'd like to just upload it now, rather than wait 5 days? Do go
> ahead, I've checked your patch against upstream's commit and am happy for
> you to proceed.

Yes, that was my aim, since AFAIR the window for jessie-pu and
wheezy-pu uploads closes this weekend.

Thank you for your fast response.

Regards,
Salvatore



Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Fri, 25 Mar 2016 19:30:18 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 25 Mar 2016 19:30:18 GMT)


Message #50 received at 809706-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 809706-close@bugs.debian.org
Subject: Bug#809706: fixed in pcre3 2:8.35-3.3+deb8u3
Date: Fri, 25 Mar 2016 19:17:09 +0000
Source: pcre3
Source-Version: 2:8.35-3.3+deb8u3

We believe that the bug you reported is fixed in the latest version of
pcre3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 809706@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated pcre3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Fri, 25 Mar 2016 07:05:50 +0100
Source: pcre3
Binary: libpcre3 libpcre3-udeb libpcrecpp0 libpcre3-dev libpcre3-dbg pcregrep
Architecture: source
Version: 2:8.35-3.3+deb8u3
Distribution: jessie
Urgency: medium
Maintainer: Mark Baker <mark@mnb.org.uk>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 809706 815921
Description: 
 libpcre3   - Perl 5 Compatible Regular Expression Library - runtime files
 libpcre3-dbg - Perl 5 Compatible Regular Expression Library - debug symbols
 libpcre3-dev - Perl 5 Compatible Regular Expression Library - development files
 libpcre3-udeb - Perl 5 Compatible Regular Expression Library - runtime files (ude (udeb)
 libpcrecpp0 - Perl 5 Compatible Regular Expression Library - C++ runtime files
 pcregrep   - grep utility that uses perl 5 compatible regexes.
Changes:
 pcre3 (2:8.35-3.3+deb8u3) jessie; urgency=medium
 .
   * Non-maintainer upload.
   * Refresh CVE-2015-2325_CVE-2015-2326_CVE-2015-3210_CVE-2015-5073.patch.
     Drop addition of "error text" for error ERR86 in pcre_compile.c.  This
     change belongs to upstream revision 1481 (Give error for \x{} and \o{}).
   * Add 0001-Give-error-for-x-and-o.patch.
     Give error for \x{} and \o{}.
   * Add 0001-Fix-workspace-overflow-for-ACCEPT-with-deeply-nested.patch.
     CVE-2016-3191: workspace overflow for (*ACCEPT) with deeply nested
     parentheses. (Closes: #815921)
   * Add 0001-Yet-another-duplicate-name-bugfix-by-overestimating-.patch.
     CVE-2016-1283: heap buffer overflow in handling of duplicate named
     groups. (Closes: #809706)
Checksums-Sha1: 
 bb755b9c0b041140350300077b5ea261304fc236 1985 pcre3_8.35-3.3+deb8u3.dsc
 459b1270648b1610c55cf4c9094c9077c51eaa2b 36953 pcre3_8.35-3.3+deb8u3.debian.tar.gz
Checksums-Sha256: 
 f0a4989ea94b7ee632798d17887e51633feb68b30289a38154fff246327bcc92 1985 pcre3_8.35-3.3+deb8u3.dsc
 576aa11e22988bd2276c4c23f125d2318fc6dbcd53181fece82b14b85827bc51 36953 pcre3_8.35-3.3+deb8u3.debian.tar.gz
Files: 
 0c35f5f564ecfe05e26fbf4485ac2a8f 1985 libs optional pcre3_8.35-3.3+deb8u3.dsc
 28801f7b9f42520a207d0563b7693765 36953 libs optional pcre3_8.35-3.3+deb8u3.debian.tar.gz

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 25 May 2016 07:25:34 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:43:53 2019; Machine Name: buxtehude
