[Bug 1549609] Re: Stack Corruption in PCRE 8.35

Tyler Hicks tyhicks at canonical.com
Fri Feb 26 17:09:36 UTC 2016


Thanks for the bug report, Craig. We are aware of the issues fixed in
8.38 but we've prioritized them as 'low' since the issues require
software that passes untrusted regexes to PCRE. We don't feel like this
is common usage of PCRE.

We track these issues in the Ubuntu CVE Tracker:

  http://people.canonical.com/~ubuntu-security/cve/pkg/pcre3.html

** Information type changed from Private Security to Public Security

** Package changed: php5 (Ubuntu) => pcre3 (Ubuntu)

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to pcre3 in Ubuntu.
https://bugs.launchpad.net/bugs/1549609

Title:
  Stack Corruption in PCRE 8.35

Status in pcre3 package in Ubuntu:
  New

Bug description:
  Various security issues have been fixed in PCRE since 8.35.  Here is
  an example of using a malicious pattern within the Ubuntu PHP5 package
  that leads to stack corruption:

  php5 -r 'preg_match("/(?(1)(()(?1)1)+)/","abcdef", $matches,
  PREG_OFFSET_CAPTURE);'

  Loading
  ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.38.tar.gz
  with the upgrade-pcre.php script resolves this issue.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pcre3/+bug/1549609/+subscriptions


