Hi Matthew,

On Thu, Apr 23, 2015 at 06:21:27PM +0100, Matthew Vernon wrote:
> Hi,
>
> On 03/04/15 10:30, Salvatore Bonaccorso wrote:
>
> > the following vulnerability was published for pcre3.
> >
> > CVE-2015-2325[0]:
> > heap buffer overflow in compile_branch()
>
> Thanks for the bug report.
>
> > I was not able to reproduce the actual overflow with the reproducer,
> > but comment #1 [1] in the upstream bug report suggests that the bug is
> > present. With the attached (backported) but only lightly tested patch
> > the issue running the reproducer goes away.
>
> I've only just taken over maintaining pcre3; my feeling is that at this
> point in the release cycle I shouldn't be trying to get a freeze
> exception in a widely-depended-upon library for a severity:important bug.
Yes, definitively, the release is now really close and this can be deferred.

Btw, there is as well https://security-tracker.debian.org/tracker/CVE-2015-2326 (but for this one I have not started any investigation, so it would be great if you can have a look at this as well if possible).

Thanks for your work!

Regards,
Salvatore