Bug 614048 - <dev-libs/libpcre-8.41: invalid memory read in match (pcre_exec.c) (CVE-2017-7186)
Summary: <dev-libs/libpcre-8.41: invalid memory read in match (pcre_exec.c) (CVE-2017-...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://blogs.gentoo.org/ago/2017/03/...
Whiteboard: A3 [glsa cve]
Keywords:
Depends on: CVE-2017-7245, CVE-2017-7246
Blocks: CVE-2017-7186
Reported: 2017-03-27 09:46 UTC by Agostino Sarubbo
Modified: 2017-10-23 01:20 UTC
Description Agostino Sarubbo gentoo-dev 2017-03-27 09:46:21 UTC
Details at $URL.


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2017-03-28 05:20:37 UTC
    CVE ID: CVE-2017-7186
   Summary: libpcre1 in PCRE 8.40 and libpcre2 in PCRE2 10.23 allow remote attackers to cause a denial of service (segmentation violation for read access, and application crash) by triggering an invalid Unicode property lookup.
 Published: 2017-03-20T00:59:00.000Z
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-03 21:09:43 UTC
Same fix as bug 614054.

See https://bugs.exim.org/show_bug.cgi?id=2052 and https://bugs.exim.org/show_bug.cgi?id=2054
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-03 21:13:04 UTC
Oh dear, we will need to create a tracker bug for the PCRE vulns. pcre2 bug is bug 614050.
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-04 00:11:18 UTC
Freeing CVE alias for tracking bug.
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2017-08-18 17:03:01 UTC
Fixed in >=dev-libs/libpcre-8.41, stabilization will happen in bug 614052.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2017-10-23 01:20:06 UTC
This issue was resolved and addressed in
 GLSA 201710-25 at https://security.gentoo.org/glsa/201710-25
by GLSA coordinator Aaron Bauman (b-man).