Opened 9 years ago

Closed 9 years ago

Last modified 9 years ago

#6890 closed defect (fixed)

Vulnerabilities in pcre-8.37.

Reported by: ken@…
Owned by: ken@…
Priority: high
Milestone: 7.8
Component: BOOK
Version: SVN
Severity: major
Keywords:
Cc:

Description

Pcre-8.37 contains multiple buffer-overruns, at least one has a CVE (CVE-2015-3210) and is apparently exploitable, see https://lists.exim.org/lurker/message/20150821.053519.d948ae8f.en.html - I confirm the example there crashes pcretest as claimed. These have been fixed upstream in what will become 8.38. Unfortunately, 8.38 has not yet been released.

Arch are patching to fix this - see https://bugs.archlinux.org/task/45207 and https://projects.archlinux.org/svntogit/packages.git/tree/trunk?h=packages/pcre where they are using a 135K patch.

Fedora apply six patches totalling 21K, some of which are backported http://pkgs.fedoraproject.org/cgit/pcre.git/tree/.

I think we should go with the Fedora patches?

Change History (6)

comment:1 by ken@…, 9 years ago

The CVE also applies back to at least pcre-8.35 (tested), probably earlier.

comment:2 by ken@…, 9 years ago

In fact, there is apparently no CVE attached to the example I, the CVEs are fixed by the first two fedora patches. Nevertheless, I think all should be fixed.

comment:3 by ken@…, 9 years ago

Owner: changed from blfs-book@… to ken@…
Status: new → assigned

When I apply all the patches, the resulting diff is under 10K (I rechecked, thinking I must have missed something).

comment:4 by bdubbs@…, 9 years ago

Thanks for doing this Ken.

comment:5 by ken@…, 9 years ago

Resolution: fixed
Status: assigned → closed

Fixed at r16369.

comment:6 by Fernando de Oliveira, 9 years ago

Priority: normal → high

Thanks, Ken. And I changed the priority to high, because I am trying to make it easier for us and the users to track which tickets are security related.

Please, if any of you find a ticket that I or anybody else created which has security fixes, then change the priority if it is not yet high, even after it is closed.

This makes it easier to track security items. I use a search for that, with tickets ordered by number, newest first:

http://wiki.linuxfromscratch.org/blfs/query?priority=high&desc=1&order=id

Then I use it when I want to update non-development machines.

I started thinking about that after one security ticket was created, ages ago, like that, and after you, Ken, replied to many posts about what you thought could be done with older systems.
