Vulnerabilities in pcre-8.37.

[ken@…]

Pcre-8.37 contains multiple buffer-overruns, at least one has a CVE (CVE-2015-3210) and is apparently exploitable, see ​https://lists.exim.org/lurker/message/20150821.053519.d948ae8f.en.html - I confirm the example there crashes pcretest as claimed. These have been fixed upstream in what will become 8.38. Unfortunately, 8.38 has not yet been released.

Arch are patching to fix this - see ​https://bugs.archlinux.org/task/45207 and ​https://projects.archlinux.org/svntogit/packages.git/tree/trunk?h=packages/pcre where they are using a 135K patch.

Fedora apply six patches totalling 21K, some of which are backported ​http://pkgs.fedoraproject.org/cgit/pcre.git/tree/.

I think we should go with the fedora patches ?

[ken@…]

The CVE also applies back to at least pcre-8.35 (tested), probably earlier.

[ken@…]

In fact, there is apparently no CVE attached to the example I, the CVEs are fixed by the first two fedora patches. Nevertheless, I think all should be fixed.

[ken@…]

When I apply all the patched, the resulting diff is under 10K (I rechecked, thinking I must have missed something).

[bdubbs@…]

Thanks for doing this Ken.

[ken@…]

Fixed at r16369.

[Fernando de Oliveira]

Thanks, Ken. And I changed the priority to high, because I am trying to make it easier for us and the user tracking what is security related ticket.

Please, if any of you find a ticket that I or everybody else created and has security fixes, then change the priority if it is not yet high, even after closed.

This makes it easier to track security items. I use a search for that, with tickets ordered by number, newest first:

​http://wiki.linuxfromscratch.org/blfs/query?priority=high&desc=1&order=id

Then I use it when I whant to update non-development machines.

I started thinking about that after one security was created, ages ago, like that, and after you, Ken, replied to many posts about what you thought could be done with older systems.