Hi

On Mon, Mar 27, 2017 at 05:03:58PM +0100, p...@hermes.cam.ac.uk wrote:
> On Sun, 26 Mar 2017, Salvatore Bonaccorso wrote:
>
> > I tried to follow the status for CVE-2017-7245 (#858678), and it looks
> > they fail still on "current" revision from upstream VCS.
>
> I believe I have fixed this at r1691. It was a one-character typo in
> pcretest, causing an incorrect buffer length to be passed to
> pcre_copy_substring() in 32-bit mode. In other words, a "user" error,
> not a bug in the library.

Thanks! Confirmed for both #858678 and #858679 that
http://vcs.pcre.org/pcre?view=revision&revision=1691 addressed the
issue. Thanks a lot for your work and looking even at our downstream
bugreports.

To add a note on your previous comment: yes I think we are all aware
that one should switch to pcre2, for Debian we are somehow in the
process but the Stretch release at least still will have both and
various packages depend on the 1.x version.

Regards,
Salvatore