From ${URL} : PCRE library is prone to a vulnerability which leads to Heap Overflow. During subpattern calculation of a malformed regular expression, an offset that is used as an array index is fully controlled and can be large enough so that unexpected heap memory regions are accessed. One could at least exploit this issue to read objects nearby of the affected application's memory. Such information disclosure may also be used to bypass memory protection methods such as ASLR.
Reference: https://bugs.exim.org/show_bug.cgi?id=1651
@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Commit message: Add backport from upstream for CVE-2015-5073
http://sources.gentoo.org/dev-libs/libpcre/files/libpcre-8.37-CVE-2015-5073.patch?rev=1.1
http://sources.gentoo.org/dev-libs/libpcre/libpcre-8.37-r2.ebuild?rev=1.1
Maintainer(s), please advise when you are ready for stabilization or call for stabilization yourself.
Can we stabilize 8.38?
Arches, please test and mark stable:
=dev-libs/libpcre-8.38
Target keywords: "alpha amd64 arm arm64 hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
amd64 stable
Stable for PPC64.
Stable for HPPA.
arm stable
alpha stable
ppc stable
Builds fine on x86. Rdeps also build fine on x86. Please mark stable for x86.
x86 stable
sparc stable
ia64 stable
All supported arches are stable. Arches, thank you for your work. New GLSA Request filed. Maintainer(s), please drop the vulnerable version(s).
Cleanup complete: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6ef97cb24a97b21cf46d077f8ba9dd363db4e44d
CVE-2015-8395 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8395): PCRE before 8.38 mishandles certain references, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror, a related issue to CVE-2015-8384 and CVE-2015-8392.
CVE-2015-8394 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8394): PCRE before 8.38 mishandles the (?(<digits>) and (?(R<digits>) conditions, which allows remote attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.
CVE-2015-8393 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8393): pcregrep in PCRE before 8.38 mishandles the -q option for binary files, which might allow remote attackers to obtain sensitive information via a crafted file, as demonstrated by a CGI script that sends stdout data to a client.
CVE-2015-8392 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8392): PCRE before 8.38 mishandles certain instances of the (?| substring, which allows remote attackers to cause a denial of service (unintended recursion and buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror, a related issue to CVE-2015-8384 and CVE-2015-8395.
CVE-2015-8391 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8391): The pcre_compile function in pcre_compile.c in PCRE before 8.38 mishandles certain [: nesting, which allows remote attackers to cause a denial of service (CPU consumption) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.
CVE-2015-8390 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8390): PCRE before 8.38 mishandles the [: and \\ substrings in character classes, which allows remote attackers to cause a denial of service (uninitialized memory read) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.
CVE-2015-8389 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8389): PCRE before 8.38 mishandles the /(?:|a|){100}x/ pattern and related patterns, which allows remote attackers to cause a denial of service (infinite recursion) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.
CVE-2015-8388 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8388): PCRE before 8.38 mishandles the /(?=di(?<=(?1))|(?=(.))))/ pattern and related patterns with an unmatched closing parenthesis, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.
CVE-2015-8387 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8387): PCRE before 8.38 mishandles (?123) subroutine calls and related subroutine calls, which allows remote attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.
CVE-2015-8386 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8386): PCRE before 8.38 mishandles the interaction of lookbehind assertions and mutually recursive subpatterns, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.
CVE-2015-8385 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8385): PCRE before 8.38 mishandles the /(?|(\k'Pm')|(?'Pm'))/ pattern and related patterns with certain forward references, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.
CVE-2015-8384 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8384): PCRE before 8.38 mishandles the /(?J)(?'d'(?'d'\g{d}))/ pattern and related patterns with certain recursive back references, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror, a related issue to CVE-2015-8392 and CVE-2015-8395.
CVE-2015-8383 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8383): PCRE before 8.38 mishandles certain repeated conditional groups, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.
CVE-2015-8381 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8381): The compile_regex function in pcre_compile.c in PCRE before 8.38 and pcre2_compile.c in PCRE2 before 10.2x mishandles the /(?J:(?|(:(?|(?'R')(\k'R')|((?'R')))H'Rk'Rf)|s(?'R'))))/ and /(?J:(?|(:(?|(?'R')(\z(?|(?'R')(\k'R')|((?'R')))k'R')|((?'R')))H'Ak'Rf)|s(?'R')))/ patterns, and related patterns with certain group references, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.
CVE-2015-8380 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8380): The pcre_exec function in pcre_exec.c in PCRE before 8.38 mishandles a // pattern with a \01 string, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.
This issue was resolved and addressed in GLSA 201607-02 at https://security.gentoo.org/glsa/201607-02 by GLSA coordinator Aaron Bauman (b-man).