On 23/04/15 18:30, Salvatore Bonaccorso wrote: > Hi Matthew, > > On Thu, Apr 23, 2015 at 06:21:27PM +0100, Matthew Vernon wrote: >> Hi, >> >> On 03/04/15 10:30, Salvatore Bonaccorso wrote: >> >>> the following vulnerability was published for pcre3. >>> >>> CVE-2015-2325[0]: >>> heap buffer overflow in compile_branch() >> >> Thanks for the bug report. >> >>> I was not able to reproduce the actual overflow with the reproducer, >>> but comment #1 [1] in upstream bug report suggest that the bug is >>> present. With the attached (backported) but only lightly tested patch >>> the issue running the reproducer goes away. >> >> I've only just taken over maintaining pcre3; my feeling is that at this >> point in the release cycle I shouldn't be trying to get a freeze >> exception in a widely-depended-upon library for a severity:important bug. > > Yes defintively, the release is now really close and this can > deferred. > > Btw, there is as well > https://security-tracker.debian.org/tracker/CVE-2015-2326 (but for > this one I have not started any investigation, so would be great if > you can have a look at this as wel if possible).
My version of pcregrep simply objects to the regexes supplied as POC in that bug report: mcv21@pick:~$ pcregrep '/((?+1)(\1))/' foo.txt pcregrep: Error while studying regex: internal error: missing capturing bracket Regards, Matthew -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
