Bug 614048

Summary:	<dev-libs/libpcre-8.41: invalid memory read in match (pcre_exec.c) (CVE-2017-7186)
Product:	Gentoo Security	Reporter:	Agostino Sarubbo <ago>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	base-system
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://blogs.gentoo.org/ago/2017/03/14/libpcre-invalid-memory-read-in-match-pcre_exec-c/
Whiteboard:	A3 [glsa cve]
Package list:		Runtime testing required:	---
Bug Depends on:	614052
Bug Blocks:	620660

Description Agostino Sarubbo gentoo-dev

2017-03-27 09:46:21 UTC

Details at $URL.


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.

Comment 1 Yury German Gentoo Infrastructure

2017-03-28 05:20:37 UTC

    CVE ID: CVE-2017-7186
   Summary: libpcre1 in PCRE 8.40 and libpcre2 in PCRE2 10.23 allow remote attackers to cause a denial of service (segmentation violation for read access, and application crash) by triggering an invalid Unicode property lookup.
 Published: 2017-03-20T00:59:00.000Z

Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev

2017-06-03 21:09:43 UTC

Same fix like bug 614054.

See https://bugs.exim.org/show_bug.cgi?id=2052 and https://bugs.exim.org/show_bug.cgi?id=2054

Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev

2017-06-03 21:13:04 UTC

Oh dear, we will need to create a tracker bug for the PCRE vulns. pcre2 bug is bug 614050.

Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev

2017-06-04 00:11:18 UTC

Freeing CVE alias for tracking bug.

Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev

2017-08-18 17:03:01 UTC

Fixed in >=dev-libs/libpcre-8.41, stabilization will happen in bug 614052.

Comment 6 GLSAMaker/CVETool Bot gentoo-dev

2017-10-23 01:20:06 UTC

This issue was resolved and addressed in
 GLSA 201710-25 at https://security.gentoo.org/glsa/201710-25
by GLSA coordinator Aaron Bauman (b-man).