Hi Matthew,

On Mon, May 08, 2017 at 10:07:25AM +0100, Matthew Vernon wrote:
> Hi,
>
> > the following vulnerability was published for pcre2.
> >
> > CVE-2017-8786[0]:
> > | pcre2test.c in PCRE2 10.23 allows remote attackers to cause a denial of
> > | service (heap-based buffer overflow) or possibly have unspecified other
> > | impact via a crafted regular expression.
>
> Upstream have on a number of occasions said that they don't really
> consider problems in pcre2test.c a security issue for the library as a
> whole.
Yes, got that. I'm interested in tracking it anyway, though, since apparently
the reporter has requested a CVE for it (and got one assigned).

> > The issue is only in the pcre2test utility, so IMHO no immediate
> > update is needed. But if you get an unblock from the release team,
> > then even better and might already be fixed for stretch.
>
> My inclination is that it's OK for the next upstream pcre2 release which
> will contain this fix.

Sure thing, I was not implying an update is required for stretch. I only
meant that if you plan another pcre2 update for stretch by other means and
this can be included, then fine.

Thanks for your work as usual!

Salvatore

