Bug #1396768 “pcre3 vulnerability CVE-2014, 2015” : Bugs : pcre3 package : Ubuntu

Bug Description

SRU Justification

[Impact]

CVE-2014-8964
CVE-2015-2325
CVE-2015-2326
CVE-2015-3210
CVE-2015-5073

[Test Case]

[Regression Potential]

[Other Info]

CVE-2014-8964

https://security-tracker.debian.org/tracker/CVE-2014-8964
https://bugzilla.redhat.com/show_bug.cgi?id=1166147
http://bugs.exim.org/show_bug.cgi?id=1546

Requires some heavy backporting to older releases, see: https://bugzilla.redhat.com/show_bug.cgi?id=1166147#c2.

CVE-2015-2325

https://security-tracker.debian.org/tracker/CVE-2015-2325
http://bugs.exim.org/show_bug.cgi?id=1591
http://vcs.pcre.org/pcre?view=revision&revision=1528

CVE-2015-2326

https://security-tracker.debian.org/tracker/CVE-2015-2326
http://bugs.exim.org/show_bug.cgi?id=1592
http://vcs.pcre.org/pcre?view=revision&revision=1529

CVE-2015-3210

https://security-tracker.debian.org/tracker/CVE-2015-3210
https://bugs.exim.org/show_bug.cgi?id=1636
http://vcs.pcre.org/pcre?view=revision&revision=1558

CVE-2015-5073

https://security-tracker.debian.org/tracker/CVE-2015-5073
https://bugs.exim.org/show_bug.cgi?id=1651
http://vcs.pcre.org/pcre?view=revision&revision=1571

See original description

Add tags Tag help

CVE References

2014-8964

Seth Arnold (seth-arnold) on 2014-11-26

information type:	Private Security → Public Security
Changed in pcre3 (Ubuntu):
status:	New → Confirmed

Seyeong Kim (seyeongkim) on 2015-07-06

description:	updated
Changed in pcre3 (Ubuntu Trusty):
status:	New → In Progress
assignee:	nobody → Seyeong Kim (xtrusia)

Seyeong Kim (seyeongkim) on 2015-07-06

Changed in pcre3 (Ubuntu Utopic):
status:	New → In Progress
assignee:	nobody → Seyeong Kim (xtrusia)

Seyeong Kim (seyeongkim) on 2015-07-21

Changed in pcre3 (Ubuntu):
assignee:	nobody → Seyeong Kim (xtrusia)
assignee:	Seyeong Kim (xtrusia) → nobody

Seyeong Kim (seyeongkim) on 2015-07-21

description:	updated
summary:	- pcre3 vulnerability CVE-2014-8964 + pcre3 vulnerability CVE-2014, 2015
Changed in pcre3 (Ubuntu):
assignee:	nobody → Seyeong Kim (xtrusia)
status:	Confirmed → In Progress

Seyeong Kim (seyeongkim) wrote on 2015-07-21:

wily-pcre3-cve-2015.debdiff Edit (25.8 KiB, text/plain)

Seyeong Kim (seyeongkim) on 2015-07-22

Changed in pcre3 (Ubuntu Vivid):
status:	New → In Progress
assignee:	nobody → Seyeong Kim (xtrusia)

Seyeong Kim (seyeongkim) wrote on 2015-07-22:

#12

trusty-pcre3-cve-2014,2015.debdiff Edit (22.8 KiB, text/plain)

Seyeong Kim (seyeongkim) wrote on 2015-07-22:

#14

vivid-pcre3-cve-2015.debdiff Edit (26.3 KiB, text/plain)

Seyeong Kim (seyeongkim) wrote on 2015-07-22:

#15

utopic-pcre3-cve-2014,2015.debdiff Edit (27.7 KiB, text/plain)

Marc Deslauriers (mdeslaur) wrote on 2015-07-23:

#16

ACK on the wily and vivid debdiffs. I've slightly adjusted the vivid versioning and have removed the extra lines in the changelog.
Wily is uploaded to the archive, and vivid is uploaded here, awaiting the other releases:

https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages

For trusty, CVE-2014-8964 is missing. Red Hat has a backport available here:
https://bugzilla.redhat.com/show_bug.cgi?id=1166147#c8

Are you planning on working on precise also?

Marc Deslauriers (mdeslaur) wrote on 2015-07-23:

#17

Forget my trusty comment, I wasn't looking at the right debdiff.

Marc Deslauriers (mdeslaur) wrote on 2015-07-23:

#18

The trusty debdiff looks good, but it's failing to compile for me with the following:

============================================================================
Testsuite summary for PCRE 8.31
============================================================================
# TOTAL: 5
# PASS: 4
# SKIP: 0
# XFAIL: 0
# FAIL: 1
# XPASS: 0
# ERROR: 0

Have you gotten it to compile successfully?

Seyeong Kim (seyeongkim) wrote on 2015-07-24:

#19

@mdeslaur

Nope. but I got an error in current trusty pkg without my patch

you could also check current trusty pkg

###################

Test 2: API, errors, internals, and non-Perl stuff (not UTF-8)
--- ./testdata/testoutput2 2012-06-02 02:53:58.000000000 +0900
+++ testtry 2015-07-24 10:54:21.374674333 +0900
@@ -5794,13 +5794,16 @@
No match

/a{11111111111111111111}/I
-Failed: number too big in {} quantifier at offset 22
+Capturing subpattern count = 0
+No options
+First char = 'a'
+No need char

/(){64294967295}/I
-Failed: number too big in {} quantifier at offset 14
+Failed: regular expression is too large at offset 15

/(){2,4294967295}/I
-Failed: number too big in {} quantifier at offset 15
+Failed: numbers out of order in {} quantifier at offset 15

"(?i:a)(?i:b)(?i:c)(?i:d)(?i:e)(?i:f)(?i:g)(?i:h)(?i:i)(?i:j)(k)(?i:l)A\1B"I
Capturing subpattern count = 1

Marc Deslauriers (mdeslaur) wrote on 2015-07-24:

#20

OK, I've fixed the test suite and have uploaded it to the PPA. I have also uploaded a package for precise.

I will release the packages as security updates next week once I have tested them.

Thanks!

Changed in pcre3 (Ubuntu Precise):
assignee:	nobody → Marc Deslauriers (mdeslaur)
status:	New → In Progress
Changed in pcre3 (Ubuntu):
status:	In Progress → Fix Released

Marc Deslauriers (mdeslaur) on 2015-07-29

Changed in pcre3 (Ubuntu Precise):
status:	In Progress → Fix Released
Changed in pcre3 (Ubuntu Trusty):
status:	In Progress → Fix Released
Changed in pcre3 (Ubuntu Utopic):
status:	In Progress → Fix Released
Changed in pcre3 (Ubuntu Vivid):
status:	In Progress → Fix Released

Marc Deslauriers (mdeslaur) wrote on 2015-07-29:

#21

http://www.ubuntu.com/usn/usn-2694-1/

Ubuntu
pcre3 package

pcre3 vulnerability CVE-2014, 2015

Bug Description

CVE References

Other bug subscribers

Patches

Remote bug watches

Ubuntupcre3 package

pcre3 vulnerability CVE-2014, 2015

Bug Description

CVE References

Other bug subscribers

Patches

Remote bug watches

Ubuntu
pcre3 package