Copied from RedHat's BZ:

CVE-2007-1659: unmatched \Q\E sequences with orphan \E codes can cause the compiled regex to become desynchronized, resulting in corrupt bytecode that may result in multiple exploitable conditions. This was inadvertently fixed by the pcre maintainer in version 7.0, however another case of a lone \E inside a character class remained, this has been fixed in 7.3

CVE-2007-1660: multiple forms of character class had their sizes miscalculated on initial passes, resulting in too little memory being allocated, this was also inadvertently fixed in version 7.0, where the compile phase was entirely re-engineered (and much improved, from a security standpoint).

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2007-1659
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2007-1660
According to the comments, 7.3 is unaffected. Stabling takes place in bug #195416 since 2007-10-10. The only missing keywords right now are "arm m68k mips s390 sh". What's left to do is a GLSA and an audit of other packages that ship code copies, I'm after that.
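A first pass for the audit of bundled code copies mentioned in the comment above, as an added example that is not part of the original thread or of any Gentoo tooling. It assumes a bundled copy keeps upstream's `pcre.h` with its `PCRE_MAJOR`/`PCRE_MINOR` macros; the directory names and header contents in `demo()` are constructed sample data.

```python
import os
import re
import tempfile

FIXED = (7, 3)  # first release the thread reports as unaffected
_DEF = re.compile(r"^\s*#\s*define\s+PCRE_(MAJOR|MINOR)\s+(\d+)", re.M)

def bundled_pcre_version(header_path):
    """Return (major, minor) parsed from a pcre.h, or None if macros are missing."""
    with open(header_path, encoding="latin-1") as fh:
        found = {name: int(num) for name, num in _DEF.findall(fh.read())}
    if "MAJOR" in found and "MINOR" in found:
        return (found["MAJOR"], found["MINOR"])
    return None

def audit_tree(root):
    """Return sorted (relative path, version, status) for every pcre.h under root."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        if "pcre.h" not in files:
            continue
        path = os.path.join(dirpath, "pcre.h")
        version = bundled_pcre_version(path)
        if version is None:
            status = "unknown"      # no version macros: needs manual review
        elif version < FIXED:
            status = "affected"     # older than 7.3
        else:
            status = "ok"
        results.append((os.path.relpath(path, root), version, status))
    return sorted(results)

def demo():
    """Audit a constructed source tree (sample data, not real packages)."""
    samples = {
        "appA": "#define PCRE_MAJOR 6\n#define PCRE_MINOR 7\n",
        "appB": "#define PCRE_MAJOR          7\n#define PCRE_MINOR          0\n",
        "appC": "#define PCRE_MAJOR 7\n#define PCRE_MINOR 3\n",
        "appD": "/* header with version macros stripped */\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for app, text in samples.items():
            os.makedirs(os.path.join(root, app, "pcre"))
            with open(os.path.join(root, app, "pcre", "pcre.h"), "w") as fh:
                fh.write(text)
        return audit_tree(root)

if __name__ == "__main__":
    for rel, version, status in demo():
        print(f"{status:9} {version} {rel}")
```

A version number only narrows the list: a bundled copy may carry backported fixes under an old version, so each "affected" or "unknown" hit still needs a look at the source.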
More issues.
CVE names are public, GLSA request filed.
GLSA 200711-30