pcre3 vulnerability CVE-2014, 2015
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
pcre3 (Ubuntu) | | Undecided | Seyeong Kim |
Precise | | Undecided | Marc Deslauriers |
Trusty | | Undecided | Seyeong Kim |
Utopic | | Undecided | Seyeong Kim |
Vivid | | Undecided | Seyeong Kim |
Bug Description
SRU Justification
[Impact]
CVE-2014-8964
CVE-2015-2325
CVE-2015-2326
CVE-2015-3210
CVE-2015-5073
[Test Case]
[Regression Potential]
[Other Info]
CVE-2014-8964
https:/
https:/
http://
Requires some heavy backporting to older releases, see: https:/
CVE-2015-2325
https:/
http://
http://
CVE-2015-2326
https:/
http://
http://
CVE-2015-3210
https:/
https:/
http://
CVE-2015-5073
https:/
https:/
http://
CVE References
information type: | Private Security → Public Security |
Changed in pcre3 (Ubuntu): | |
status: | New → Confirmed |
description: | updated |
Changed in pcre3 (Ubuntu Trusty): | |
status: | New → In Progress |
assignee: | nobody → Seyeong Kim (xtrusia) |
Changed in pcre3 (Ubuntu Utopic): | |
status: | New → In Progress |
assignee: | nobody → Seyeong Kim (xtrusia) |
Changed in pcre3 (Ubuntu): | |
assignee: | nobody → Seyeong Kim (xtrusia) |
assignee: | Seyeong Kim (xtrusia) → nobody |
description: | updated |
summary: |
- pcre3 vulnerability CVE-2014-8964 + pcre3 vulnerability CVE-2014, 2015 |
Changed in pcre3 (Ubuntu): | |
assignee: | nobody → Seyeong Kim (xtrusia) |
status: | Confirmed → In Progress |
Seyeong Kim (seyeongkim) wrote : | #4 |
Changed in pcre3 (Ubuntu Vivid): | |
status: | New → In Progress |
assignee: | nobody → Seyeong Kim (xtrusia) |
Seyeong Kim (seyeongkim) wrote : | #12 |
Seyeong Kim (seyeongkim) wrote : | #14 |
Seyeong Kim (seyeongkim) wrote : | #15 |
Marc Deslauriers (mdeslaur) wrote : | #16 |
Marc Deslauriers (mdeslaur) wrote : | #17 |
Forget my trusty comment, I wasn't looking at the right debdiff.
Marc Deslauriers (mdeslaur) wrote : | #18 |
The trusty debdiff looks good, but it's failing to compile for me with the following:
=======
Testsuite summary for PCRE 8.31
=======
# TOTAL: 5
# PASS: 4
# SKIP: 0
# XFAIL: 0
# FAIL: 1
# XPASS: 0
# ERROR: 0
Have you gotten it to compile successfully?
Seyeong Kim (seyeongkim) wrote : | #19 |
@mdeslaur
Nope, but I got an error in the current trusty pkg without my patch.
You could also check the current trusty pkg.
###################
Test 2: API, errors, internals, and non-Perl stuff (not UTF-8)
--- ./testdata/
+++ testtry 2015-07-24 10:54:21.374674333 +0900
@@ -5794,13 +5794,16 @@
No match
/a{11111111111
-Failed: number too big in {} quantifier at offset 22
+Capturing subpattern count = 0
+No options
+First char = 'a'
+No need char
/(){64294967295}/I
-Failed: number too big in {} quantifier at offset 14
+Failed: regular expression is too large at offset 15
/(){2,
-Failed: number too big in {} quantifier at offset 15
+Failed: numbers out of order in {} quantifier at offset 15
"(?i:a)
Capturing subpattern count = 1
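Review bot: The first case in this hunk, `/a{11111111111`, is the one that matters: the expected `Failed: number too big in {} quantifier at offset 22` is replaced by a successful compile (`Capturing subpattern count = 0`, `First char = 'a'`), so this build accepts a quantifier that the expected output says must be rejected. The other two cases still fail, but with different messages, and the second at offset 15 instead of 14. Since this run is reported as the trusty package without the patch, the report should state whether the fix belongs in the quantifier range check or in the expected-output file, so that the failing Test 2 is not mistaken for a regression introduced by the security patches.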
Marc Deslauriers (mdeslaur) wrote : | #20 |
OK, I've fixed the test suite and have uploaded it to the PPA. I have also uploaded a package for precise.
I will release the packages as security updates next week once I have tested them.
Thanks!
Changed in pcre3 (Ubuntu Precise): | |
assignee: | nobody → Marc Deslauriers (mdeslaur) |
status: | New → In Progress |
Changed in pcre3 (Ubuntu): | |
status: | In Progress → Fix Released |
Changed in pcre3 (Ubuntu Precise): | |
status: | In Progress → Fix Released |
Changed in pcre3 (Ubuntu Trusty): | |
status: | In Progress → Fix Released |
Changed in pcre3 (Ubuntu Utopic): | |
status: | In Progress → Fix Released |
Changed in pcre3 (Ubuntu Vivid): | |
status: | In Progress → Fix Released |
ACK on the wily and vivid debdiffs. I've slightly adjusted the vivid versioning and have removed the extra lines in the changelog.
Wily is uploaded to the archive, and vivid is uploaded here, awaiting the other releases:
https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages
For trusty, CVE-2014-8964 is missing. Red Hat has a backport available here: https://bugzilla.redhat.com/show_bug.cgi?id=1166147#c8
Are you planning on working on precise also?