pcre2: CVE-2017-7186 and CVE-2016-3191

Bug #1690484 reported by Jeremy Bicha on 2017-05-13
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
pcre2 (Ubuntu)
Medium
Unassigned

Bug Description

CVE-2017-7186
-------------
CVE-2017-7186 is the one known CVE fixed in Debian stretch that still affects Ubuntu 16.04 LTS and 16.10. It was fixed in 17.04 already.

CVE-2016-3191
-------------
CVE-2016-3191 is the one known CVE fixed in Debian stretch that still affects Ubuntu 16.04 LTS. It was fixed in 16.10 and newer already.

"The compile_branch function in pcre_compile.c in PCRE 8.x before 8.39 and pcre2_compile.c in PCRE2 before 10.22 mishandles patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allows remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror, aka ZDI-CAN-3542."

https://security-tracker.debian.org/tracker/CVE-2016-3191

https://bugzilla.redhat.com/show_bug.cgi?id=1311503
Fedora patch:
http://pkgs.fedoraproject.org/cgit/rpms/pcre2.git/tree/pcre2-10.21-Fix-workspace-overflow-for-deep-nested-parentheses-w.patch?id=fc9ba26

https://vcs.pcre.org/pcre2?view=revision&revision=489

Testing Done
------------
None

Packaging Info
--------------
The Debian maintainer uses dgit for the pcre packages.

You can run 'dgit clone pcre2' to get the packaging along with the extra metadata that actually describes the changes that were done to the source package. I did this and pushed it to
https://git.launchpad.net/~jbicha/ubuntu/+source/pcre2

But the Debian source package itself does not have a patch system which makes it much more difficult for us to see what changes were made and why. I think for maintainability with how Ubuntu packaging generally works, it makes sense here to switch to 3.0 (quilt).

CVE References

Jeremy Bicha (jbicha) on 2017-05-13
information type: Public → Public Security
Tyler Hicks (tyhicks) wrote :

Hi Jeremy - Thanks for the bug report. We're aware of these CVEs and we're tracking them in the Ubuntu CVE Tracker:

  https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-3191.html
  https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7186.html

Changed in pcre2 (Ubuntu):
importance: Undecided → Medium
status: New → Triaged
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers