Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 609592 (CVE-2017-6004)

Summary: <dev-libs/libpcre-8.40-r1: OOB read / application crash
Product: Gentoo Security Reporter: ncl
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: normal CC: base-system
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: All   
See Also:
Whiteboard: A3 [glsa cve]
Package list:
Runtime testing required: ---
Description Flags
Upstream fix for CVE-2017-6004 with updated tests none

Description ncl 2017-02-17 04:53:40 UTC
The compile_bracket_matchingpath function in pcre_jit_compile.c in PCRE through 8.x before revision 1680 (e.g., the PHP 7.1.1 bundled version) allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted regular expression.

This seems to be fixed in the 8.40 release.
Comment 1 Thomas Deutschmann gentoo-dev 2017-02-17 07:40:35 UTC
Upstream patch:

This is _not_ included in v8.40 release.

@ Maintainer(s): Could you please rev bump and cherry-pick the patch (I attached a complete patch including updated tests)? You may also want to cherry-pick which fixes a bug/incomplete fix for

> 1.  Using -o with -M in pcregrep could cause unnecessary repeated output when
>     the match extended over a line boundary.
Comment 2 Thomas Deutschmann gentoo-dev 2017-02-17 07:41:37 UTC
Created attachment 464034 [details, diff]
Upstream fix for CVE-2017-6004 with updated tests
Comment 3 SpanKY gentoo-dev 2017-03-20 07:49:32 UTC
libpcre-8.40-r1 in the tree now w/the two fixes:

should be fine for stable
Comment 4 Agostino Sarubbo gentoo-dev 2017-03-25 14:43:34 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2017-03-25 19:25:37 UTC
ppc stable
Comment 6 Agostino Sarubbo gentoo-dev 2017-03-25 19:28:04 UTC
ppc64 stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2017-03-27 06:38:20 UTC
Stable for HPPA.
Comment 8 Michael Weber (RETIRED) gentoo-dev 2017-03-28 10:55:45 UTC
arm stable.
Comment 9 Michael Weber (RETIRED) gentoo-dev 2017-03-28 23:36:24 UTC
arm64 stable.
Comment 10 Matt Turner gentoo-dev 2017-03-30 02:39:13 UTC
alpha/ia64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2017-04-01 16:07:16 UTC
x86 stable
Comment 12 Yury German Gentoo Infrastructure gentoo-dev 2017-04-26 00:54:57 UTC
We can not wait any longer on sparc. Please stabilize, we are going to work on releasing the GLSA.
Comment 13 Agostino Sarubbo gentoo-dev 2017-04-27 11:23:58 UTC
sparc stable.

Maintainer(s), please cleanup.
Comment 14 Thomas Deutschmann gentoo-dev 2017-06-04 12:59:53 UTC
Cleanup PR:
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2017-06-06 19:46:41 UTC
This issue was resolved and addressed in
 GLSA 201706-11 at
by GLSA coordinator Kristian Fiskerstrand (K_F).