Opened 8 years ago
Closed 8 years ago
Last modified 8 years ago
#6890 closed defect (fixed)
Vulnerabilities in pcre-8.37.
Pcre-8.37 contains multiple buffer overruns; at least one has a CVE (CVE-2015-3210) and is apparently exploitable, see https://lists.exim.org/lurker/message/20150821.053519.d948ae8f.en.html - I confirm the example there crashes pcretest as claimed. These have been fixed upstream in what will become 8.38. Unfortunately, 8.38 has not yet been released.
Arch are patching to fix this - see https://bugs.archlinux.org/task/45207 and https://projects.archlinux.org/svntogit/packages.git/tree/trunk?h=packages/pcre where they are using a 135K patch.
Fedora apply six patches totalling 21K, some of which are backported http://pkgs.fedoraproject.org/cgit/pcre.git/tree/.
I think we should go with the Fedora patches?
Change History (6)
comment:1 by , 8 years ago
comment:2 by , 8 years ago
In fact, there is apparently no CVE attached to the example I; the CVEs are fixed by the first two Fedora patches. Nevertheless, I think all should be fixed.
comment:3 by , 8 years ago
Status: new → assigned
When I apply all the patches, the resulting diff is under 10K (I rechecked, thinking I must have missed something).
comment:4 by , 8 years ago
Thanks for doing this Ken.
comment:5 by , 8 years ago
Status: assigned → closed
Fixed at r16369.
comment:6 by , 8 years ago
Priority: normal → high
Thanks, Ken. And I changed the priority to high, because I am trying to make it easier for us and the users to track which tickets are security related.
Please, if any of you find a ticket that I or anyone else created and that has security fixes, then change the priority if it is not yet high, even after it is closed.
This makes it easier to track security items. I use a search for that, with tickets ordered by number, newest first:
Then I use it when I want to update non-development machines.
I started thinking about that after one security ticket was created, ages ago, like that, and after you, Ken, replied to many posts about what you thought could be done with older systems.
The CVE also applies back to at least pcre-8.35 (tested), probably earlier.