ZDI-CAN-3542: PCRE Regular Expression Compilation Stack Buffer Overflow Remote Code Execution Vulnerability -- CVSS ----------------------------------------- 5.1, AV:N/AC:H/Au:N/C:P/I:P/A:P -- ABSTRACT ------------------------------------- HP's Zero Day Initiative has identified a vulnerability affecting the following products: PCRE PCRE -- VULNERABILITY DETAILS ------------------------ Tested on Linux. PCRE does not validate that handling the (*ACCEPT) verb will occur within the bounds of the cworkspace stack buffer, leading to a stack buffer overflow.
The issue is fixed upstream in pcre and pcre2 via the following commits: http://vcs.pcre.org/pcre?view=revision&revision=1631 http://vcs.pcre.org/pcre2?view=revision&revision=489
added upstream patches; should be fined to stable: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cee01d4f06b3984b8211bd3c27358f7d18cf90fb
@arches, please stabilize: =dev-libs/libpcre-8.38-r1
Added to existing GLSA.
Stable on alpha.
Stable for HPPA PPC64.
arm stable
amd64 stable
x86 stable
ppc stable
sparc stable
ia64 stable
Removing unstable arches. @maintainer(s), please cleanup.
This issue was resolved and addressed in GLSA 201607-02 at https://security.gentoo.org/glsa/201607-02 by GLSA coordinator Aaron Bauman (b-man).
Re-opening for cleanup. @maintainer(s), please cleanup the vulnerable versions.
@maintainers, bump for cleanup.
Maintainer(s), please drop the vulnerable version(s). Version: 8.38 : 3
Any reason these cannot be cleaned?
commit fb22a9ea0a8b6b4e3911d5360779c9740df08f46 Author: Lars Wendler <polynomial-c@gentoo.org> Date: Mon Oct 10 13:37:59 2016 dev-libs/libpcre: Security cleanup (bug #575546). Package-Manager: portage-2.3.1 Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
Thanks again!
