| Field | Value |
|---|---|
| Summary | <dev-libs/libpcre-8.40-r1: OOB read / application crash |
| Product | Gentoo Security |
| Reporter | ncl |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | normal |
| CC | base-system |
| Priority | Normal |
| Flags | stable-bot: sanity-check+ |
| Version | unspecified |
| Hardware | All |
| OS | All |
| URL | https://bugs.exim.org/show_bug.cgi?id=2035 |
| See Also | https://bugs.exim.org/show_bug.cgi?id=2035 |
| Whiteboard | A3 [glsa cve] |
| Package list | =dev-libs/libpcre-8.40-r1 |
| Runtime testing required | --- |
| Attachments | |
Description (ncl, 2017-02-17 04:53:40 UTC)

Upstream patch: https://vcs.pcre.org/pcre/code/trunk/pcre_jit_compile.c?r1=1676&r2=1680&view=patch

This is _not_ included in the v8.40 release.

@ Maintainer(s): Could you please rev bump and cherry-pick the patch (I attached a complete patch including updated tests)?

You may also want to cherry-pick https://vcs.pcre.org/pcre/code/trunk/pcregrep.c?r1=1678&r2=1679&view=patch which fixes a bug/incomplete fix for:

> 1. Using -o with -M in pcregrep could cause unnecessary repeated output when the match extended over a line boundary.

Created attachment 464034 [details, diff]
Upstream fix for CVE-2017-6004 with updated tests
Comments

- libpcre-8.40-r1 in the tree now with the two fixes: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ef1e0f46ae56483d3b5695108e684a887bab4d33 Should be fine for stable.
- amd64 stable
- ppc stable
- ppc64 stable
- Stable for HPPA.
- arm stable.
- arm64 stable.
- alpha/ia64 stable
- x86 stable
- We cannot wait any longer on sparc. Please stabilize; we are going to work on releasing the GLSA.
- sparc stable.
- Maintainer(s), please clean up.
- Cleanup PR: https://github.com/gentoo/gentoo/pull/4848
- This issue was resolved and addressed in GLSA 201706-11 at https://security.gentoo.org/glsa/201706-11 by GLSA coordinator Kristian Fiskerstrand (K_F).