Source: pcre3 Version: 2:8.35-3.3 Severity: important Tags: security upstream
Hi, the following vulnerability was published for pcre3. CVE-2015-2326[0]: heap buffer overflow in pcre_compile2() If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. It seems to be caused as side effect from some refactoring between 8.33 and 8.35, and an invalid can be reproduced. Upstream report [1] has a detailed explanation. | ==15750== Memcheck, a memory error detector | ==15750== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al. | ==15750== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info | ==15750== Command: .libs/pcretest | ==15750== | PCRE version 8.35 2014-04-04 | | re> /((?+1)(\1))/ | ==15750== Invalid read of size 1 | ==15750== at 0x4E3863D: could_be_empty_branch (pcre_compile.c:2395) | ==15750== by 0x4E388CA: could_be_empty_branch (pcre_compile.c:2468) | ==15750== by 0x4E388CA: could_be_empty_branch (pcre_compile.c:2468) | ==15750== by 0x4E4523C: pcre_compile2 (pcre_compile.c:9462) | ==15750== by 0x4E439B3: pcre_compile (pcre_compile.c:8734) | ==15750== by 0x10EC7B: main (pcretest.c:4023) | ==15750== Address 0x58a39a2 is 32,914 bytes inside an unallocated block of size 4,093,648 in arena "client" | ==15750== | data> abc | No match | data> | ==15750== | ==15750== HEAP SUMMARY: | ==15750== in use at exit: 0 bytes in 0 blocks | ==15750== total heap usage: 9 allocs, 9 frees, 133,767 bytes allocated | ==15750== | ==15750== All heap blocks were freed -- no leaks are possible | ==15750== | ==15750== For counts of detected and suppressed errors, rerun with: -v | ==15750== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0) For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2015-2326 [1] http://bugs.exim.org/show_bug.cgi?id=1592 Regards, Salvatore -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org