[Secure-testing-team] Bug#858230: pcre3: CVE-2017-7186
Salvatore Bonaccorso
carnil at debian.org
Mon Mar 20 06:04:17 UTC 2017
Source: pcre3
Version: 2:8.39-2.1
Severity: important
Tags: patch security upstream fixed-upstream
Hi,
the following vulnerability was published for pcre3.
CVE-2017-7186[0]:
| libpcre1 in PCRE 8.40 and libpcre2 in PCRE2 10.23 allow remote
| attackers to cause a denial of service (segmentation violation for read
| access, and application crash) by triggering an invalid Unicode
| property lookup.
The bug is in the 32-bit library. Quoting upstream:
This was a genuine bug in the 32-bit library. Thanks for finding it.
The crash was caused by trying to find a Unicode property for a code
value greater than 0x10ffff, the Unicode maximum, when running in
non-UTF mode (where character values can be up to 0xffffffff). The bug
was in both PCRE1 and PCRE2. I have fixed both of them.
I have not yet checked if pcre2 in the version in unstable is as well
affected, but I guess so and will open a separate bug for it.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-7186
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7186
Please adjust the affected versions in the BTS as needed. Older version
yet unchecked.
Regards,
Salvatore
More information about the Secure-testing-team
mailing list