Debian Bug report logs - #815921
pcre3: CVE-2016-3191: workspace overflow for (*ACCEPT) with deeply nested parentheses
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Matthew Vernon <matthew@debian.org>:
Bug#815921; Package src:pcre3.
(Thu, 25 Feb 2016 18:36:09 GMT).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Matthew Vernon <matthew@debian.org>.
(Thu, 25 Feb 2016 18:36:09 GMT).
Message #5 received at submit@bugs.debian.org:
Source: pcre3
Version: 8.02-1.1
Severity: important
Tags: security upstream patch fixed-upstream
Forwarded: https://bugs.exim.org/show_bug.cgi?id=1791
Hi
See https://bugs.exim.org/show_bug.cgi?id=1791 . Upstream commit is
http://vcs.pcre.org/pcre?view=revision&revision=1631 . No CVE is yet
assigned.
Regards,
Salvatore
Reply sent
to Matthew Vernon <matthew@debian.org>:
You have taken responsibility.
(Sat, 27 Feb 2016 16:54:11 GMT).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Sat, 27 Feb 2016 16:54:12 GMT).
Message #10 received at 815921-close@bugs.debian.org:
Source: pcre3
Source-Version: 2:8.38-2
We believe that the bug you reported is fixed in the latest version of
pcre3, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 815921@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Matthew Vernon <matthew@debian.org> (supplier of updated pcre3 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 27 Feb 2016 16:30:35 +0000
Source: pcre3
Binary: libpcre3 libpcre3-udeb libpcrecpp0v5 libpcre3-dev libpcre3-dbg pcregrep libpcre16-3 libpcre32-3
Architecture: i386 source
Version: 2:8.38-2
Distribution: unstable
Urgency: low
Maintainer: Matthew Vernon <matthew@debian.org>
Changed-By: Matthew Vernon <matthew@debian.org>
Closes: 815921
Description:
libpcre16-3 - Perl 5 Compatible Regular Expression Library - 16 bit runtime fil
libpcre32-3 - Perl 5 Compatible Regular Expression Library - 32 bit runtime fil
libpcre3-dbg - Perl 5 Compatible Regular Expression Library - debug symbols
libpcre3-dev - Perl 5 Compatible Regular Expression Library - development files
libpcre3 - Perl 5 Compatible Regular Expression Library - runtime files
libpcre3-udeb - Perl 5 Compatible Regular Expression Library - runtime files (ude (udeb)
libpcrecpp0v5 - Perl 5 Compatible Regular Expression Library - C++ runtime files
pcregrep - grep utility that uses perl 5 compatible regexes.
Changes:
pcre3 (2:8.38-2) unstable; urgency=low
.
* Apply upstream patch to fix workspace overflow for (*ACCEPT) with
deeply nested parentheses (Closes: #815921)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----
Changed Bug title to 'pcre3: CVE-2016-3191: workspace overflow for (*ACCEPT) with deeply nested parentheses' from 'pcre3: workspace overflow for (*ACCEPT) with deeply nested parentheses'
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Fri, 18 Mar 2016 05:51:05 GMT).
Reply sent
to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility.
(Fri, 25 Mar 2016 19:30:26 GMT).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Fri, 25 Mar 2016 19:30:26 GMT).
Message #17 received at 815921-close@bugs.debian.org:
Source: pcre3
Source-Version: 2:8.35-3.3+deb8u3
We believe that the bug you reported is fixed in the latest version of
pcre3, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 815921@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated pcre3 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 25 Mar 2016 07:05:50 +0100
Source: pcre3
Binary: libpcre3 libpcre3-udeb libpcrecpp0 libpcre3-dev libpcre3-dbg pcregrep
Architecture: source
Version: 2:8.35-3.3+deb8u3
Distribution: jessie
Urgency: medium
Maintainer: Mark Baker <mark@mnb.org.uk>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 809706 815921
Description:
libpcre3 - Perl 5 Compatible Regular Expression Library - runtime files
libpcre3-dbg - Perl 5 Compatible Regular Expression Library - debug symbols
libpcre3-dev - Perl 5 Compatible Regular Expression Library - development files
libpcre3-udeb - Perl 5 Compatible Regular Expression Library - runtime files (ude (udeb)
libpcrecpp0 - Perl 5 Compatible Regular Expression Library - C++ runtime files
pcregrep - grep utility that uses perl 5 compatible regexes.
Changes:
pcre3 (2:8.35-3.3+deb8u3) jessie; urgency=medium
.
* Non-maintainer upload.
* Refresh CVE-2015-2325_CVE-2015-2326_CVE-2015-3210_CVE-2015-5073.patch.
Drop addition of "error text" for error ERR86 in pcre_compile.c. This
change belongs to upstream revision 1481 (Give error for \x{} and \o{}).
* Add 0001-Give-error-for-x-and-o.patch.
Give error for \x{} and \o{}.
* Add 0001-Fix-workspace-overflow-for-ACCEPT-with-deeply-nested.patch.
CVE-2016-3191: workspace overflow for (*ACCEPT) with deeply nested
parentheses. (Closes: #815921)
* Add 0001-Yet-another-duplicate-name-bugfix-by-overestimating-.patch.
CVE-2016-1283: heap buffer overflow in handling of duplicate named
groups. (Closes: #809706)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Wed, 25 May 2016 07:27:16 GMT).
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Sat Jan 6 11:03:45 2018; Machine Name: beach