Overview Details Repositories Revisions Requests Users Attributes Meta
Security update for pcre

This update for pcre to version 8.39 (bsc#972127) fixes several issues.

If you use pcre extensively please be aware that this is an update to a new version. Please
make sure that your software works with the updated version.

This version fixes a number of vulnerabilities that affect pcre
and applications using the libary when accepting untrusted input
as regular expressions or as part thereof. Remote attackers could
have caused the application to crash, disclose information or
potentially execute arbitrary code. These security issues were fixed:

- CVE-2014-8964: Heap-based buffer overflow in PCRE allowed remote attackers to cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats (bsc#906574).
- CVE-2015-2325: Heap buffer overflow in compile_branch() (bsc#924960).
- CVE-2015-3210: Heap buffer overflow in pcre_compile2() / compile_regex() (bsc#933288)
- CVE-2015-3217: PCRE Library Call Stack Overflow Vulnerability in match() (bsc#933878).
- CVE-2015-5073: Library Heap Overflow Vulnerability in find_fixedlength() (bsc#936227).
- bsc#942865: heap overflow in compile_regex()
- CVE-2015-8380: The pcre_exec function in pcre_exec.c mishandled a // pattern with a \01 string, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957566).
- CVE-2015-2327: PCRE mishandled certain patterns with internal recursive back references, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957567).
- bsc#957598: Various security issues
- CVE-2015-8381: Heap Overflow in compile_regex() (bsc#957598).
- CVE-2015-8382: Regular Expression Uninitialized Pointer Information Disclosure Vulnerability (ZDI-CAN-2547)(bsc#957598).
- CVE-2015-8383: Buffer overflow caused by repeated conditional group(bsc#957598).
- CVE-2015-8384: Buffer overflow caused by recursive back reference by name within certain group(bsc#957598).
- CVE-2015-8385: Buffer overflow caused by forward reference by name to certain group(bsc#957598).
- CVE-2015-8386: Buffer overflow caused by lookbehind assertion(bsc#957598).
- CVE-2015-8387: Integer overflow in subroutine calls(bsc#957598).
- CVE-2015-8388: Buffer overflow caused by certain patterns with an unmatched closing parenthesis(bsc#957598).
- CVE-2015-8389: Infinite recursion in JIT compiler when processing certain patterns(bsc#957598).
- CVE-2015-8390: Reading from uninitialized memory when processing certain patterns(bsc#957598).
- CVE-2015-8391: Some pathological patterns causes pcre_compile() to run for a very long time(bsc#957598).
- CVE-2015-8392: Buffer overflow caused by certain patterns with duplicated named groups(bsc#957598).
- CVE-2015-8393: Information leak when running pcgrep -q on crafted binary(bsc#957598).
- CVE-2015-8394: Integer overflow caused by missing check for certain conditions(bsc#957598).
- CVE-2015-8395: Buffer overflow caused by certain references(bsc#957598).
- CVE-2015-2328: PCRE mishandled the /((?(R)a|(?1)))+/ pattern and related patterns with certain recursion, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression (bsc#957600).
- CVE-2016-1283: The pcre_compile2 function in pcre_compile.c in PCRE mishandled certain patterns with named subgroups, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression (bsc#960837).
- CVE-2016-3191: The compile_branch function in pcre_compile.c in pcre2_compile.c mishandled patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allowed remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression (bsc#971741).

These non-security issues were fixed:
- JIT compiler improvements
- performance improvements
- The Unicode data tables have been updated to Unicode 7.0.0.

This update was imported from the SUSE:SLE-12:Update update project.

Fixed bugs
bnc#972127
[TRACKERBUG] FATE#320298: [ECO] Update pcre from 8.33 to 8.37 and follow the stable version in the future
bnc#971741
VUL-1: CVE-2016-3191: pcre: workspace overflow for (*ACCEPT) with deeply nested parentheses (8.39/13, 10.22/12)
bnc#942865
VUL-0: pcre: heap overflow in compile_regex()
bnc#960837
VUL-0: CVE-2016-1283: pcre: Heap buffer overflow in pcre_compile2 causes DoS
bnc#933288
VUL-1: CVE-2015-3210 pcre: heap buffer overflow in pcre_compile2() / compile_regex()
bnc#957566
VUL-0: CVE-2015-8380: pcre: heap overflow in pcre_exec
bnc#957567
VUL-0: CVE-2015-2327: pcre: mishandling of patterns with backreferences
bnc#957598
VUL-0: pcre: various security issues fixed in pcre 8.37 and 8.38 release
bnc#906574
VUL-1: CVE-2014-8964: pcre: heap buffer overflow
bnc#924960
VUL-0: CVE-2015-2325: pcre: heap buffer overflow in compile_branch()
bnc#933878
VUL-1: CVE-2015-3217: pcre: PCRE Library Call Stack Overflow Vulnerability in match()
bnc#936227
VUL-1: CVE-2015-5073: pcre: Library Heap Overflow Vulnerability in find_fixedlength()
bnc#957600
VUL-1: CVE-2015-2328: pcre: mishandled recursion patterns
CVE-2015-8381
CVE-2015-8382
CVE-2015-8383
CVE-2015-8384
CVE-2015-8385
CVE-2015-8386
CVE-2015-8387
CVE-2015-8388
CVE-2015-8389
CVE-2015-8390
CVE-2015-8391
CVE-2015-8392
CVE-2015-8393
CVE-2015-8394
CVE-2015-8395
CVE-2015-5073
CVE-2016-3191
CVE-2015-3210
CVE-2014-8964
CVE-2015-8380
CVE-2015-2327
CVE-2015-2325
CVE-2015-3217
CVE-2016-1283
CVE-2015-2328
fate#320298
Selected Binaries
openSUSE Build Service is sponsored by
Places