[pcre3] several security issues in Perl-Compatible Regular Expression library

Bug #160454 reported by disabled.user
Affects | Status | Importance | Assigned to | Milestone
pcre3 (Ubuntu) | Fix Released | Undecided | Unassigned |
Dapper | Fix Released | Medium | Kees Cook |
Edgy | Fix Released | Medium | Kees Cook |
Feisty | Fix Released | Medium | Kees Cook |
Gutsy | Fix Released | Medium | Kees Cook |
Hardy | Fix Released | Undecided | Unassigned |

Bug Description

References:
[1] http://www.debian.org/security/2007/dsa-1399
[2] https://rhn.redhat.com/errata/RHSA-2007-0966.html
[3] http://www.mandriva.com/en/security/advisories?name=MDKSA-2007:207

From [1]:
"Tavis Ormandy of the Google Security Team has discovered several security issues in PCRE, the Perl-Compatible Regular Expression library, which potentially allow attackers to execute arbitrary code by compiling specially crafted regular expressions."

Especially noteworthy from [1]:
"Version 7.0 of the PCRE library featured a major rewrite of the regular expression compiler, and it was deemed infeasible to backport the security fixes in version 7.3 to the versions in Debian's stable and oldstable distributions (6.7 and 4.5, respectively). Therefore, this update contains version 7.3, with special patches to improve the compatibility with the older versions. As a result, extra care is necessary when applying this update."

disabled.user (disabled.user-deactivatedaccount) wrote :

I'm sorry and guess that this bug shouldn't point to CVE-2007-5116.

See also Bug #160693.

Kees Cook (kees)
Changed in pcre3:
assignee: nobody → keescook
importance: Undecided → Medium
status: New → In Progress
Kees Cook (kees) wrote :

Thanks for the report! We're currently testing upgrades to 7.4; updates should be available shortly.

Changed in pcre3:
status: New → Triaged
disabled.user (disabled.user-deactivatedaccount) wrote :

OT:
Do I need better glasses, or is "Remove CVE link" a new feature?

Kees Cook (kees) wrote :

7.3 in Hardy is not vulnerable. Marking "Fix Released" there. As for the other pcre3, I have uploaded 7.4 versions into -proposed for additional testing. So far, I have not found any regressions. I would like to see the pcre3 updates tested more widely before pushing this into -security. Since this is a full-version update, I want to be cautious.

Changed in pcre3:
status: Triaged → Fix Released
Tollef Fog Heen (tfheen) wrote :

Fix accepted into dapper-proposed

Changed in pcre3:
status: In Progress → Fix Committed
Tollef Fog Heen (tfheen) wrote :

Accepted into edgy-proposed.

Changed in pcre3:
status: In Progress → Fix Committed
Tollef Fog Heen (tfheen) wrote :

Accepted into feisty-proposed.

Changed in pcre3:
status: In Progress → Fix Committed
Tollef Fog Heen (tfheen) wrote :

Accepted into gutsy-proposed.

Changed in pcre3:
status: In Progress → Fix Committed
Zak B. Elep (zakame) wrote :

Running Kubuntu Gutsy with the following rdepends on libpcre3 installed:

ii apache2-utils 2.2.4-3build1 utility programs for webservers
ii digikam 2:0.9.2-2ubuntu2 digital photo management application for KDE
ii kaddressbook 4:3.5.7enterprise20070926-0ubuntu2 KDE NG addressbook application
ii kaffeine 0.8.5-0ubuntu1 versatile media player for KDE 3
ii kchmviewer 3.1.2-0ubuntu1 CHM viewer for KDE
ii kdelibs4c2a 4:3.5.8-0ubuntu3.1 core libraries and binaries for all KDE appl
ii kdelibs4c2a 4:3.5.8-0ubuntu3.1 core libraries and binaries for all KDE appl
ii kmail 4:3.5.7enterprise20070926-0ubuntu2 KDE Email client
ii kmobiletools 0.4.3.3-0ubuntu1 KDE application for controlling your mobile
ii kontact 4:3.5.7enterprise20070926-0ubuntu2 KDE pim application
ii kopete 4:3.5.8-0ubuntu2 instant messenger for KDE
ii kopete-otr 0.6-0ubuntu1 Off-The-Record encryption for Kopete
ii ktorrent 2.2.1-0ubuntu3 BitTorrent client for KDE
ii nmap 4.20-2 The Network Mapper
ii wireshark-common 0.99.6rel-3 network traffic analyser (common files)

The only couple of things that are somewhat odd since my update to the proposed pcre3 is that ktorrent would seem to eat a lot more processing than usual, giving the appearance of a hung app; the same in kopete (although it happens less, but then again I also use that package less than the former.) But then again, they may also be issues unrelated to this.

Neal McBurnett (nealmcb) wrote :

Testers can use "apt-cache --installed rdepends libpcre3" to check which installed packages depend on pcre3, so you know a bit about what to test. I note over a dozen packages on one of my machines. There are 183 in all (minus some odd dups?), and some are libraries that are used by other packages :-)

Jamie Strandboge (jdstrand) wrote :

Works ok so far on Dapper with these applications (but it was only lightly tested):
  exim4-daemon-light
  nmap
  exim4-daemon-light
  epiphany-extensions

Jamie Strandboge (jdstrand) wrote :

Here is a list of source packages from main that depend on libpcre3 on Dapper:
analog
apache2
epiphany-extensions
exim4
eximon4
kdeedu (libkdeedu3, kalzium, kstars)
kdebindings (libkjsembed1)
kdelibs
kdenetwork (kopete)
kdewebdev (klinkstatus)
kdeaddons (konq-plugins, noatun-plugins)
ktorrent
nmap
pan
php5
postfix-pcre
quanta
xfce4-verve-plugin
zsh
zsh-beta

Jamie Strandboge (jdstrand) wrote :

Analysis shows these source packages should not have to be tested on Dapper, as they don't actually use pcre:
kdeaddons
kdebindings
kdeedu
kdewebdev
ktorrent

To be doubly sure, I did:
grep -ri pcre <source dir>

kdebindings references pcre in kjsembed files:
qjsembed.nsi (win32)
qjsembed.pro (win32)
kjsembed.pro (unix) says to link against it, but nothing uses it directly

kdewebdev has 'pcre.tag' in /kdewebdev-3.5.2/quanta/data/dtep/php/pcre.tag but doesn't actually use it.
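
The distinction drawn in the comment above (a source tree that only mentions or links pcre versus one that actually calls it) can be scripted so the test list is narrowed the same way for every package. This is an added example, not part of the original bug thread: the function names, the three labels and the sample trees are constructed for illustration, and the API check assumes the PCRE 1 entry points pcre_compile, pcre_exec and pcre_study.

```bash
#!/usr/bin/env bash
# Added example (not from the bug thread): classify a source tree by how it
# references PCRE. Prints "uses-api", "mentions-only" or "no-reference".

classify_pcre_use() {
    local src="$1"
    # Real use: a C/C++ file includes pcre.h / pcreposix.h or calls the API.
    if find "$src" -type f \( -name '*.c' -o -name '*.h' \
            -o -name '*.cpp' -o -name '*.cc' \) -exec grep -El \
            -e '#[[:space:]]*include[[:space:]]*[<"]pcre(posix)?\.h[>"]' \
            -e '(^|[^[:alnum:]_])pcre_(compile|exec|study)[[:space:]]*\(' \
            {} + 2>/dev/null | grep -q .; then
        echo "uses-api"
    # Weaker signal: the string appears somewhere (build files, data files).
    elif grep -rqi pcre "$src" 2>/dev/null; then
        echo "mentions-only"
    else
        echo "no-reference"
    fi
}

# Constructed sample trees; these are not the real package sources.
make_samples() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/uses/src" "$root/linkonly" "$root/none"
    printf '%s\n' '#include <pcre.h>' \
        'pcre *re = pcre_compile(pat, 0, &err, &off, NULL);' \
        > "$root/uses/src/match.c"
    # A link line with no caller, and a data file that only names pcre.
    printf '%s\n' 'LIBS += -lpcre' > "$root/linkonly/kjsembed.pro"
    printf '%s\n' '<!-- PCRE function tags -->' > "$root/linkonly/pcre.tag"
    printf '%s\n' 'int main(void) { return 0; }' > "$root/none/main.c"
    echo "$root"
}

root=$(make_samples)
for d in uses linkonly none; do
    printf '%s: %s\n' "$d" "$(classify_pcre_use "$root/$d")"
done
rm -rf "$root"
```

A "mentions-only" result still deserves a manual look, since a package can reach PCRE through a wrapper library without naming these functions itself.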

Kees Cook (kees) wrote :

The version 7.4 update has been published now.

Changed in pcre3:
status: Fix Committed → Fix Released