[3.0] pcre: Multiple vulnerabilities (CVE-2015-8380, CVE-2015-8381, CVE-2015-8383, CVE-2015-8384, CVE... CVE-2015-8392, CVE-2015-8393, CVE-2015-8394)
CVE-2015-8380: OOB write when pcre_exec() is called with ovecsize of 1.
Fixed In Version:
pcre 8.38
References:
https://bugzilla.redhat.com/show\_bug.cgi?id=CVE-2015-8380
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8380
Patch:
http://vcs.pcre.org/pcre?view=revision&revision=1565
CVE-2015-8381, CVE-2015-8395: Buffer overflow caused by duplicate named references
PCRE before 8.38 mishandles certain references, which allows remote
attackers to cause a denial of service or
possibly have unspecified other impact via a crafted regular expression.
This issue is similar to CVE-2015-8384 and CVE-2015-8392.
Fixed In Version:
pcre 8.38
References:
https://bugzilla.redhat.com/show\_bug.cgi?id=CVE-2015-8381
Patch:
http://vcs.pcre.org/pcre?view=revision&revision=1594
CVE-2015-8383: Buffer overflow caused by repeated conditional group
Fixed In Version:
pcre 8.38
References:
https://bugzilla.redhat.com/show\_bug.cgi?id=CVE-2015-8383
Patch:
http://vcs.pcre.org/pcre?view=revision&revision=1557
CVE-2015-8384: buffer overflow caused by recursive back reference by name within certain group
Fixed in Version:
pcre 8.38
References:
https://bugzilla.redhat.com/show\_bug.cgi?id=CVE-2015-8384
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8384
Patch:
http://vcs.pcre.org/pcre?view=revision&revision=1558
CVE-2015-8385: buffer overflow caused by named forward reference to duplicate group number
Fixed in Version:
pcre 8.38
References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8385
https://bugzilla.redhat.com/show\_bug.cgi?id=CVE-2015-8385
Patch:
http://vcs.pcre.org/pcre?view=revision&revision=1559
CVE-2015-8386: Buffer overflow caused by lookbehind assertion
Fixed in Version:
pcre 8.38
References:
https://bugzilla.redhat.com/show\_bug.cgi?id=CVE-2015-8386
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8386
Patch:
http://vcs.pcre.org/pcre?view=revision&revision=1560
CVE-2015-8387: Integer overflow in subroutine calls
Fixed in Version:
pcre 8.38
References:
https://bugzilla.redhat.com/show\_bug.cgi?id=CVE-2015-8387
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8387
Patch:
http://vcs.pcre.org/pcre?view=revision&revision=1563
CVE-2015-8388: buffer overflow for forward reference within backward assertion with excess closing parenthesis
Fixed in Version:
pcre 8.38
References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8388
https://bugzilla.redhat.com/show\_bug.cgi?id=CVE-2015-8388
Patch:
http://vcs.pcre.org/pcre?view=revision&revision=1571
CVE-2015-8389: infinite recursion in JIT compiler when processing certain patterns
Fixed In Version:
pcre 8.38
References:
https://bugzilla.redhat.com/show\_bug.cgi?id=CVE-2015-8389
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8389
Patch:
http://vcs.pcre.org/pcre?view=revision&revision=1577
CVE-2015-8390: uninitialized memory read triggered by malformed posix character class
Fixed In Version:
pcre 8.38
References:
https://bugzilla.redhat.com/show\_bug.cgi?id=CVE-2015-8390
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8390
Patch:
http://vcs.pcre.org/pcre?view=revision&revision=1578
CVE-2015-8391: inefficient posix character class syntax check
Fixed In Version:
pcre 8.38
References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8391
https://bugzilla.redhat.com/show\_bug.cgi?id=CVE-2015-8391
Patch:
http://vcs.pcre.org/pcre?view=revision&revision=1579
CVE-2015-8392: buffer overflow caused by patterns with duplicated named groups with
Fixed In Version:
pcre 8.38
References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8392
https://bugzilla.redhat.com/show\_bug.cgi?id=CVE-2015-8392
Patch:
http://vcs.pcre.org/pcre?view=revision&revision=1585
CVE-2015-8393: pcregrep in PCRE before 8.38 mishandles the -q option
for binary files or when used with -c or -l options,
incorrectly writing output to stdout, which might allow remote attackers
to obtain sensitive information via a crafted file.
Fixed In Version:
pcre 8.38
References:
https://bugzilla.redhat.com/show\_bug.cgi?id=CVE-2015-8393
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8393
Patch:
http://vcs.pcre.org/pcre?view=revision&revision=1586
CVE-2015-8394: Integer overflow caused by missing check for certain conditions
Fixed In Version:
pcre 8.38
References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8394
https://bugzilla.redhat.com/show\_bug.cgi?id=CVE-2015-8394
Patch:
http://vcs.pcre.org/pcre?view=revision&revision=1589
(from redmine: issue id 5470, created on 2016-04-21, closed on 2016-05-10)
- Relations:
- parent #5467 (closed)
- Changesets:
- Revision 1e470988 on 2016-05-09T12:17:34Z:
main/pcre: several fixes including CVEs
Fixes #5476
Fixes #5470
Fixes #5466
CVE-2016-1283
CVE-2016-3191
CVE-2015-8380
CVE-2015-8381
CVE-2015-8383
CVE-2015-8384
CVE-2015-8392
CVE-2015-8393
CVE-2015-8394
CVE-2015-8382
(cherry picked from commit ae07363ba5d06022ffa7d161ab322fae828b7600)
Conflicts:
main/pcre/APKBUILD