Your message dated Tue, 21 Mar 2017 23:06:01 +0000
with message-id <[email protected]>
and subject line Bug#858233: fixed in pcre2 10.22-3
has caused the Debian Bug report #858233,
regarding pcre2: CVE-2017-7186
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
858233: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858233
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: pcre3
Version: 2:8.39-2.1
Severity: important
Tags: patch security upstream fixed-upstream
Hi,
the following vulnerability was published for pcre3.
CVE-2017-7186[0]:
| libpcre1 in PCRE 8.40 and libpcre2 in PCRE2 10.23 allow remote
| attackers to cause a denial of service (segmentation violation for read
| access, and application crash) by triggering an invalid Unicode
| property lookup.
The bug is in the 32-bit library. Quoting upstream:
| This was a genuine bug in the 32-bit library. Thanks for finding it.
| The crash was caused by trying to find a Unicode property for a code
| value greater than 0x10ffff, the Unicode maximum, when running in
| non-UTF mode (where character values can be up to 0xffffffff). The bug
| was in both PCRE1 and PCRE2. I have fixed both of them.
I have not yet checked whether pcre2 in the version in unstable is
affected as well, but I guess so and will open a separate bug for it.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-7186
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7186
Please adjust the affected versions in the BTS as needed. Older versions
are as yet unchecked.
Regards,
Salvatore
--- End Message ---
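The failure mode quoted from upstream in the report above, as an added C sketch (not PCRE's code and not part of the original messages): a property table sized for the Unicode range is indexed with a 32-bit value that non-UTF mode allows to exceed 0x10ffff. The two-stage table layout, the block size, all names and the choice of returning a default property are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* All names, the block size and the table contents are constructed for
   this sketch; real property tables are generated from Unicode data. */
#define MAX_CODE_POINT 0x10ffffu  /* Unicode maximum, per the report */
#define BLOCK_SIZE     128u
#define STAGE1_LEN     ((MAX_CODE_POINT + 1u) / BLOCK_SIZE)

enum { PROP_UNASSIGNED = 0, PROP_LETTER = 1, PROP_DIGIT = 2 };

/* stage1 maps a block of code points to a row of stage2.
   Block 0 (ASCII) uses row 1; every other block shares row 0. */
static const uint8_t stage1[STAGE1_LEN] = { 1 };
static uint8_t stage2[2][BLOCK_SIZE];

void build_tables(void) {
    unsigned c;
    for (c = '0'; c <= '9'; c++) stage2[1][c] = PROP_DIGIT;
    for (c = 'A'; c <= 'Z'; c++) stage2[1][c] = PROP_LETTER;
    for (c = 'a'; c <= 'z'; c++) stage2[1][c] = PROP_LETTER;
}

/* Would a lookup with no range check read past the end of stage1[]?
   In 32-bit non-UTF mode cp may be anything up to 0xffffffff. */
int unchecked_lookup_out_of_bounds(uint32_t cp) {
    return cp / BLOCK_SIZE >= STAGE1_LEN;
}

/* Checked lookup (assumed mitigation): values above the Unicode maximum
   never touch the tables and get a fixed default property instead. */
int lookup_property(uint32_t cp) {
    if (cp > MAX_CODE_POINT) return PROP_UNASSIGNED;
    return stage2[stage1[cp / BLOCK_SIZE]][cp % BLOCK_SIZE];
}

int main(void) {
    const uint32_t samples[] = { '7', 'q', 0x10ffffu, 0x110000u, 0xffffffffu };
    build_tables();
    for (unsigned i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("cp=0x%08x unchecked_oob=%d property=%d\n",
               (unsigned)samples[i],
               unchecked_lookup_out_of_bounds(samples[i]),
               lookup_property(samples[i]));
    return 0;
}
```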
--- Begin Message ---
Source: pcre2
Source-Version: 10.22-3
We believe that the bug you reported is fixed in the latest version of
pcre2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Matthew Vernon <[email protected]> (supplier of updated pcre2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 21 Mar 2017 22:33:58 +0000
Source: pcre2
Binary: libpcre2-8-0 libpcre2-16-0 libpcre2-32-0 libpcre2-posix0 libpcre2-dev libpcre2-dbg pcre2-utils
Architecture: i386 source
Version: 10.22-3
Distribution: unstable
Urgency: medium
Maintainer: Matthew Vernon <[email protected]>
Changed-By: Matthew Vernon <[email protected]>
Closes: 858233
Description:
libpcre2-16-0 - New Perl Compatible Regular Expression Library - 16 bit runtime f
libpcre2-32-0 - New Perl Compatible Regular Expression Library - 32 bit runtime f
libpcre2-8-0 - New Perl Compatible Regular Expression Library- 8 bit runtime fil
libpcre2-dbg - New Perl Compatible Regular Expression Library - debug symbols
libpcre2-dev - New Perl Compatible Regular Expression Library - development file
libpcre2-posix0 - New Perl Compatible Regular Expression Library - posix-compatible
pcre2-utils - New Perl Compatible Regular Expression Library - utilities
Changes:
pcre2 (10.22-3) unstable; urgency=medium
.
* CVE-2017-7186: invalid Unicode property lookup may cause denial of
service (Closes: #858233)
Checksums-Sha1:
Checksums-Sha256:
Files:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---