pcre3 vulnerability CVE-2014, 2015

Bug #1396768 reported by Pasi Sjöholm on 2014-11-26
This bug affects 2 people
Affects           Status   Importance   Assigned to        Milestone
pcre3 (Ubuntu)             Undecided    Seyeong Kim
Precise                    Undecided    Marc Deslauriers
Trusty                     Undecided    Seyeong Kim
Utopic                     Undecided    Seyeong Kim
Vivid                      Undecided    Seyeong Kim
information type: Private Security → Public Security
Changed in pcre3 (Ubuntu):
status: New → Confirmed
Seyeong Kim (xtrusia) on 2015-07-06
description: updated
Changed in pcre3 (Ubuntu Trusty):
status: New → In Progress
assignee: nobody → Seyeong Kim (xtrusia)
Seyeong Kim (xtrusia) on 2015-07-06
Changed in pcre3 (Ubuntu Utopic):
status: New → In Progress
assignee: nobody → Seyeong Kim (xtrusia)
Seyeong Kim (xtrusia) on 2015-07-21
Changed in pcre3 (Ubuntu):
assignee: nobody → Seyeong Kim (xtrusia)
assignee: Seyeong Kim (xtrusia) → nobody
Seyeong Kim (xtrusia) on 2015-07-21
description: updated
summary: - pcre3 vulnerability CVE-2014-8964
+ pcre3 vulnerability CVE-2014, 2015
Changed in pcre3 (Ubuntu):
assignee: nobody → Seyeong Kim (xtrusia)
status: Confirmed → In Progress
Seyeong Kim (xtrusia) wrote :
Seyeong Kim (xtrusia) on 2015-07-22
Changed in pcre3 (Ubuntu Vivid):
status: New → In Progress
assignee: nobody → Seyeong Kim (xtrusia)
Seyeong Kim (xtrusia) wrote :
Seyeong Kim (xtrusia) wrote :
Seyeong Kim (xtrusia) wrote :
Marc Deslauriers (mdeslaur) wrote :

ACK on the wily and vivid debdiffs. I've slightly adjusted the vivid versioning and have removed the extra lines in the changelog.
Wily is uploaded to the archive, and vivid is uploaded here, awaiting the other releases:

https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages

For trusty, CVE-2014-8964 is missing. Red Hat has a backport available here:
https://bugzilla.redhat.com/show_bug.cgi?id=1166147#c8

Are you planning on working on precise also?

Marc Deslauriers (mdeslaur) wrote :

Forget my trusty comment, I wasn't looking at the right debdiff.

Marc Deslauriers (mdeslaur) wrote :

The trusty debdiff looks good, but it's failing to compile for me with the following:

============================================================================
Testsuite summary for PCRE 8.31
============================================================================
# TOTAL: 5
# PASS: 4
# SKIP: 0
# XFAIL: 0
# FAIL: 1
# XPASS: 0
# ERROR: 0

Have you gotten it to compile successfully?

Seyeong Kim (xtrusia) wrote :

@mdeslaur

Nope, but I got an error in the current trusty pkg without my patch.

You could also check the current trusty pkg.

###################

Test 2: API, errors, internals, and non-Perl stuff (not UTF-8)
--- ./testdata/testoutput2 2012-06-02 02:53:58.000000000 +0900
+++ testtry 2015-07-24 10:54:21.374674333 +0900
@@ -5794,13 +5794,16 @@
 No match

 /a{11111111111111111111}/I
-Failed: number too big in {} quantifier at offset 22
+Capturing subpattern count = 0
+No options
+First char = 'a'
+No need char

 /(){64294967295}/I
-Failed: number too big in {} quantifier at offset 14
+Failed: regular expression is too large at offset 15

 /(){2,4294967295}/I
-Failed: number too big in {} quantifier at offset 15
+Failed: numbers out of order in {} quantifier at offset 15

 "(?i:a)(?i:b)(?i:c)(?i:d)(?i:e)(?i:f)(?i:g)(?i:h)(?i:i)(?i:j)(k)(?i:l)A\1B"I
 Capturing subpattern count = 1
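
Review bot: the `+` lines show the built library accepting `/a{11111111111111111111}/I` outright and reporting `numbers out of order in {} quantifier` for `/(){2,4294967295}/I`, where testoutput2 expects `number too big in {} quantifier` for both; that combination is consistent with the digit string being accumulated into a fixed-width integer before the limit check runs, so the value wraps (4294967295 is the largest 32-bit value, which wraps to -1 when treated as signed) instead of being rejected. Since the comment above says the same output appears on the unpatched trusty package, compare the quantifier bound check and the expected-output file against the upstream 8.31 sources before deciding which side to change; editing testoutput2 alone would lock in the wrapped behaviour rather than fix it.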

Marc Deslauriers (mdeslaur) wrote :

OK, I've fixed the test suite and have uploaded it to the PPA. I have also uploaded a package for precise.

I will release the packages as security updates next week once I have tested them.

Thanks!

Changed in pcre3 (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
status: New → In Progress
Changed in pcre3 (Ubuntu):
status: In Progress → Fix Released
Changed in pcre3 (Ubuntu Precise):
status: In Progress → Fix Released
Changed in pcre3 (Ubuntu Trusty):
status: In Progress → Fix Released
Changed in pcre3 (Ubuntu Utopic):
status: In Progress → Fix Released
Changed in pcre3 (Ubuntu Vivid):
status: In Progress → Fix Released