Your message dated Fri, 11 Sep 2015 18:36:34 +0000
with message-id <[email protected]>
and subject line Bug#794589: fixed in pcre3 2:8.35-7.2
has caused the Debian Bug report #794589,
regarding pcre3: pcre_exec does not fill offsets for certain regexps
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
794589: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=794589
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: pcre3
Version: 2:8.35-7
Severity: important
Tags: security upstream patch
Control: forwarded -1 https://bugs.exim.org/show_bug.cgi?id=1537
Hi,
From https://bugzilla.redhat.com/show_bug.cgi?id=1187225
> It was reported that pcre_exec in PHP pcre extension partially
> initializes a buffer when an invalid regex is processed, which can
> lead to information disclosure.
A CVE was requested here:
http://www.openwall.com/lists/oss-security/2015/08/04/3
Upstream patch for this issue is included in 8.37 AFAIK, and found
here:
http://vcs.pcre.org/pcre/code/trunk/pcre_exec.c?r1=1502&r2=1510
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: pcre3
Source-Version: 2:8.35-7.2
We believe that the bug you reported is fixed in the latest version of
pcre3, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated pcre3 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 11 Sep 2015 20:04:19 +0200
Source: pcre3
Binary: libpcre3 libpcre3-udeb libpcrecpp0v5 libpcre3-dev libpcre3-dbg pcregrep
libpcre16-3 libpcre32-3
Architecture: source
Version: 2:8.35-7.2
Distribution: unstable
Urgency: low
Maintainer: Matthew Vernon <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 781795 783285 787433 794589
Description:
libpcre16-3 - Perl 5 Compatible Regular Expression Library - 16 bit runtime files
libpcre3 - Perl 5 Compatible Regular Expression Library - runtime files
libpcre3-dbg - Perl 5 Compatible Regular Expression Library - debug symbols
libpcre3-dev - Perl 5 Compatible Regular Expression Library - development files
libpcre3-udeb - Perl 5 Compatible Regular Expression Library - runtime files (udeb)
libpcre32-3 - Perl 5 Compatible Regular Expression Library - 32 bit runtime files
libpcrecpp0v5 - Perl 5 Compatible Regular Expression Library - C++ runtime files
pcregrep - grep utility that uses perl 5 compatible regexes.
Changes:
pcre3 (2:8.35-7.2) unstable; urgency=low
.
* Non-maintainer upload (with maintainer's permission).
* Add Fix-compiler-crash-misbehaviour-for-zero-repeated-gr.patch.
Fixes "PCRE Library Stack Overflow Vulnerability" (Upstream bug 1503)
* Add Fix-compile-time-loop-for-recursive-reference-within.patch.
Fixes "PCRE Call Stack Overflow Vulnerability" (Upstream bug 1515)
* Add 794589-information-disclosure.patch.
Fixes "pcre_exec does not fill offsets for certain regexps" leading to
information disclosure. (Closes: #794589)
* Add Fix-bad-compile-for-groups-like-2-0-1999.patch.
CVE-2015-2325: heap buffer overflow in compile_branch(). (Closes: #781795)
* Add Fix-bad-compilation-for-patterns-like-1-1-with-forwa.patch.
CVE-2015-2326: heap buffer overflow in pcre_compile2(). (Closes: #783285)
* Add Fix-buffer-overflow-for-named-recursive-back-referen.patch.
CVE-2015-3210: heap buffer overflow in pcre_compile2() /
compile_regex(). (Closes: #787433)
Checksums-Sha1:
d1afd74a080757a16f01c344b6d6195c6619f7a2 2074 pcre3_8.35-7.2.dsc
dd16fc1fa3c85fa3f5a313470af51ccec487a8d9 29105 pcre3_8.35-7.2.debian.tar.gz
Checksums-Sha256:
cb15b92f85a894cade62cf59892d989ace89d9c7500edda7ec8866a9acaea2f3 2074 pcre3_8.35-7.2.dsc
087754802f54f133a10576186ed4195d7cb39dfba0f2f9c94e20c31f13e25e9c 29105 pcre3_8.35-7.2.debian.tar.gz
Files:
7ce1fc5823e8125d4d8f1707a633dd1d 2074 libs optional pcre3_8.35-7.2.dsc
8254b0c3a0e9399a7a093537674fd185 29105 libs optional pcre3_8.35-7.2.debian.tar.gz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
--- End Message ---