Summary: | <dev-libs/libpcre-8.41: two stack-based buffer overflow write in pcre32_copy_substring (pcre_get.c) | ||||||
---|---|---|---|---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> | ||||
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> | ||||
Status: | RESOLVED FIXED | ||||||
Severity: | normal | CC: | base-system | ||||
Priority: | Normal | Flags: | stable-bot:
sanity-check+
|
||||
Version: | unspecified | ||||||
Hardware: | All | ||||||
OS: | Linux | ||||||
URL: | https://blogs.gentoo.org/ago/2017/03/20/libpcre-two-stack-based-buffer-overflow-write-in-pcre32_copy_substring-pcre_get-c/ | ||||||
Whiteboard: | A3 [glsa cve] | ||||||
Package list: |
dev-libs/libpcre-8.41
|
Runtime testing required: | --- | ||||
Bug Depends on: | |||||||
Bug Blocks: | 614048, 614054 | ||||||
Attachments: |
|
Description
Agostino Sarubbo
2017-03-27 09:48:10 UTC
CVE ID: CVE-2017-7245 Summary: Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 4) or possibly have unspecified other impact via a crafted file. Published: 2017-03-23T21:59:00.000Z Created attachment 475124 [details, diff]
Patch for CVE-2017-7245
There seems to be a second CVE number for this CVE-2017-7246 CVE-2017-7245 - https://bugzilla.redhat.com/show_bug.cgi?id=1437367 CVE-2017-7246 - https://bugzilla.redhat.com/show_bug.cgi?id=1437369 Both issues fixed in >=dev-libs/libpcre-8.41. x86 stable ia64 stable arm stable amd64 stable alpha stable sparc was dropped to exp. https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b5901d8f716555a1479f12313a2925fcadd177a9 ppc64 stable ppc stable hppa stable This issue was resolved and addressed in GLSA 201710-25 at https://security.gentoo.org/glsa/201710-25 by GLSA coordinator Aaron Bauman (b-man). re-opened for cleanup sparc stable (thanks to Rolf Eike Beer) arm64 stable (well, -r1 instead, for which we for some reason weren't CCed for) tree is clean. |