Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 609592 (CVE-2017-6004) - <dev-libs/libpcre-8.40-r1: OOB read / application crash
Summary: <dev-libs/libpcre-8.40-r1: OOB read / application crash
Alias: CVE-2017-6004
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: A3 [glsa cve]
Depends on:
Reported: 2017-02-17 04:53 UTC by ncl
Modified: 2017-06-07 10:49 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---
stable-bot: sanity-check+

Upstream fix for CVE-2017-6004 with updated tests (CVE-2017-6004-full.patch,1.47 KB, patch)
2017-02-17 07:41 UTC, Thomas Deutschmann (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description ncl 2017-02-17 04:53:40 UTC
The compile_bracket_matchingpath function in pcre_jit_compile.c in PCRE through 8.x before revision 1680 (e.g., the PHP 7.1.1 bundled version) allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted regular expression.

This seems to be fixed in the 8.40 release.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-17 07:40:35 UTC
Upstream patch:

This is _not_ included in v8.40 release.

@ Maintainer(s): Could you please rev bump and cherry-pick the patch (I attached a complete patch including updated tests)? You may also want to cherry-pick which fixes a bug/incomplete fix for

> 1.  Using -o with -M in pcregrep could cause unnecessary repeated output when
>     the match extended over a line boundary.
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-17 07:41:37 UTC
Created attachment 464034 [details, diff]
Upstream fix for CVE-2017-6004 with updated tests
Comment 3 SpanKY gentoo-dev 2017-03-20 07:49:32 UTC
libpcre-8.40-r1 in the tree now w/the two fixes:

should be fine for stable
Comment 4 Agostino Sarubbo gentoo-dev 2017-03-25 14:43:34 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2017-03-25 19:25:37 UTC
ppc stable
Comment 6 Agostino Sarubbo gentoo-dev 2017-03-25 19:28:04 UTC
ppc64 stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2017-03-27 06:38:20 UTC
Stable for HPPA.
Comment 8 Michael Weber (RETIRED) gentoo-dev 2017-03-28 10:55:45 UTC
arm stable.
Comment 9 Michael Weber (RETIRED) gentoo-dev 2017-03-28 23:36:24 UTC
arm64 stable.
Comment 10 Matt Turner gentoo-dev 2017-03-30 02:39:13 UTC
alpha/ia64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2017-04-01 16:07:16 UTC
x86 stable
Comment 12 Yury German Gentoo Infrastructure gentoo-dev 2017-04-26 00:54:57 UTC
We can not wait any longer on sparc. Please stabilize, we are going to work on releasing the GLSA.
Comment 13 Agostino Sarubbo gentoo-dev 2017-04-27 11:23:58 UTC
sparc stable.

Maintainer(s), please cleanup.
Comment 14 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-04 12:59:53 UTC
Cleanup PR:
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2017-06-06 19:46:41 UTC
This issue was resolved and addressed in
 GLSA 201706-11 at
by GLSA coordinator Kristian Fiskerstrand (K_F).