** Also affects: pcre2 (Ubuntu Xenial)
Importance: Undecided
Status: New
** Changed in: pcre2 (Ubuntu)
Status: Triaged => Fix Released
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1690484
Title:
pcre2: CVE-2017-7186 and CVE-2016-3191
Status in pcre2 package in Ubuntu:
Fix Released
Status in pcre2 source package in Xenial:
New
Bug description:
CVE-2017-7186
-------------
CVE-2017-7186 is the one known CVE fixed in Debian stretch that still affects
Ubuntu 16.04 LTS and 16.10. It was fixed in 17.04 already.
CVE-2016-3191
-------------
CVE-2016-3191 is the one known CVE fixed in Debian stretch that still affects
Ubuntu 16.04 LTS. It was fixed in 16.10 and newer already.
"The compile_branch function in pcre_compile.c in PCRE 8.x before 8.39 and
pcre2_compile.c in PCRE2 before 10.22 mishandles patterns containing an
(*ACCEPT) substring in conjunction with nested parentheses, which allows remote
attackers to execute arbitrary code or cause a denial of service (stack-based
buffer overflow) via a crafted regular expression, as demonstrated by a
JavaScript RegExp object encountered by Konqueror, aka ZDI-CAN-3542."
https://security-tracker.debian.org/tracker/CVE-2016-3191
https://bugzilla.redhat.com/show_bug.cgi?id=1311503
Fedora patch:
http://pkgs.fedoraproject.org/cgit/rpms/pcre2.git/tree/pcre2-10.21-Fix-workspace-overflow-for-deep-nested-parentheses-w.patch?id=fc9ba26
https://vcs.pcre.org/pcre2?view=revision&revision=489
Testing Done
------------
None
Packaging Info
--------------
The Debian maintainer uses dgit for the pcre packages.
You can run 'dgit clone pcre2' to get the packaging along with the extra
metadata that actually describes the changes that were done to the source
package. I did this and pushed it to
https://git.launchpad.net/~jbicha/ubuntu/+source/pcre2
But the Debian source package itself does not have a patch system
which makes it much more difficult for us to see what changes were
made and why. I think for maintainability with how Ubuntu packaging
generally works, it makes sense here to switch to 3.0 (quilt).
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pcre2/+bug/1690484/+subscriptions
_______________________________________________
Mailing list: https://launchpad.net/~group.of.nepali.translators
Post to : group.of.nepali.translators@lists.launchpad.net
Unsubscribe : https://launchpad.net/~group.of.nepali.translators
More help : https://help.launchpad.net/ListHelp
