Ubuntu
pcre3 package

pcre3 vulnerability CVE-2014, 2015

Vivid (15.04)
Bug #1396768

Bug #1396768 reported by Pasi Sjöholm on 2014-11-26

264

This bug affects 2 people

	Status	Importance	Assigned to
pcre3 (Ubuntu)	Fix Released	Undecided	Seyeong Kim
Precise	Fix Released	Undecided	Marc Deslauriers
Trusty	Fix Released	Undecided	Seyeong Kim
Utopic	Fix Released	Undecided	Seyeong Kim
Vivid	Fix Released	Undecided	Seyeong Kim

Bug Description

SRU Justification

[Impact]

CVE-2014-8964
CVE-2015-2325
CVE-2015-2326
CVE-2015-3210
CVE-2015-5073

[Test Case]

[Regression Potential]

[Other Info]

CVE-2014-8964

https://security-tracker.debian.org/tracker/CVE-2014-8964
https://bugzilla.redhat.com/show_bug.cgi?id=1166147
http://bugs.exim.org/show_bug.cgi?id=1546

Requires some heavy backporting to older releases, see: https://bugzilla.redhat.com/show_bug.cgi?id=1166147#c2.

CVE-2015-2325

https://security-tracker.debian.org/tracker/CVE-2015-2325
http://bugs.exim.org/show_bug.cgi?id=1591
http://vcs.pcre.org/pcre?view=revision&revision=1528

CVE-2015-2326

https://security-tracker.debian.org/tracker/CVE-2015-2326
http://bugs.exim.org/show_bug.cgi?id=1592
http://vcs.pcre.org/pcre?view=revision&revision=1529

CVE-2015-3210

https://security-tracker.debian.org/tracker/CVE-2015-3210
https://bugs.exim.org/show_bug.cgi?id=1636
http://vcs.pcre.org/pcre?view=revision&revision=1558

CVE-2015-5073

https://security-tracker.debian.org/tracker/CVE-2015-5073
https://bugs.exim.org/show_bug.cgi?id=1651
http://vcs.pcre.org/pcre?view=revision&revision=1571

See original description

CVE References

2014-8964

Seth Arnold (seth-arnold) on 2014-11-26

information type:	Private Security → Public Security
Changed in pcre3 (Ubuntu):
status:	New → Confirmed

Seyeong Kim (seyeongkim) on 2015-07-06

description:	updated
Changed in pcre3 (Ubuntu Trusty):
status:	New → In Progress
assignee:	nobody → Seyeong Kim (xtrusia)

Seyeong Kim (seyeongkim) on 2015-07-06

Changed in pcre3 (Ubuntu Utopic):
status:	New → In Progress
assignee:	nobody → Seyeong Kim (xtrusia)

Seyeong Kim (seyeongkim) on 2015-07-21

Changed in pcre3 (Ubuntu):
assignee:	nobody → Seyeong Kim (xtrusia)
assignee:	Seyeong Kim (xtrusia) → nobody

Seyeong Kim (seyeongkim) on 2015-07-21

description:	updated
summary:	- pcre3 vulnerability CVE-2014-8964 + pcre3 vulnerability CVE-2014, 2015
Changed in pcre3 (Ubuntu):
assignee:	nobody → Seyeong Kim (xtrusia)
status:	Confirmed → In Progress

Revision history for this message

Seyeong Kim (seyeongkim) wrote on 2015-07-21:

wily-pcre3-cve-2015.debdiff Edit (25.8 KiB, text/plain)

Seyeong Kim (seyeongkim) on 2015-07-22

Changed in pcre3 (Ubuntu Vivid):
status:	New → In Progress
assignee:	nobody → Seyeong Kim (xtrusia)

Revision history for this message

Seyeong Kim (seyeongkim) wrote on 2015-07-22:

#12

trusty-pcre3-cve-2014,2015.debdiff Edit (22.8 KiB, text/plain)

Revision history for this message

Seyeong Kim (seyeongkim) wrote on 2015-07-22:

#14

vivid-pcre3-cve-2015.debdiff Edit (26.3 KiB, text/plain)

Revision history for this message

Seyeong Kim (seyeongkim) wrote on 2015-07-22:

#15

utopic-pcre3-cve-2014,2015.debdiff Edit (27.7 KiB, text/plain)

Revision history for this message

Marc Deslauriers (mdeslaur) wrote on 2015-07-23:

#16

ACK on the wily and vivid debdiffs. I've slightly adjusted the vivid versioning and have removed the extra lines in the changelog.
Wily is uploaded to the archive, and vivid is uploaded here, awaiting the other releases:

https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages

For trusty, CVE-2014-8964 is missing. Red Hat has a backport available here:
https://bugzilla.redhat.com/show_bug.cgi?id=1166147#c8

Are you planning on working on precise also?

Revision history for this message

Marc Deslauriers (mdeslaur) wrote on 2015-07-23:

#17

Forget my trusty comment, I wasn't looking at the right debdiff.

Revision history for this message

Marc Deslauriers (mdeslaur) wrote on 2015-07-23:

#18

The trusty debdiff looks good, but it's failing to compile for me with the following:

============================================================================
Testsuite summary for PCRE 8.31
============================================================================
# TOTAL: 5
# PASS: 4
# SKIP: 0
# XFAIL: 0
# FAIL: 1
# XPASS: 0
# ERROR: 0

Have you gotten it to compile successfully?

Revision history for this message

Seyeong Kim (seyeongkim) wrote on 2015-07-24:

#19

@mdeslaur

Nope. but I got an error in current trusty pkg without my patch

you could also check current trusty pkg

###################

Test 2: API, errors, internals, and non-Perl stuff (not UTF-8)
--- ./testdata/testoutput2 2012-06-02 02:53:58.000000000 +0900
+++ testtry 2015-07-24 10:54:21.374674333 +0900
@@ -5794,13 +5794,16 @@
No match

/a{11111111111111111111}/I
-Failed: number too big in {} quantifier at offset 22
+Capturing subpattern count = 0
+No options
+First char = 'a'
+No need char

/(){64294967295}/I
-Failed: number too big in {} quantifier at offset 14
+Failed: regular expression is too large at offset 15

/(){2,4294967295}/I
-Failed: number too big in {} quantifier at offset 15
+Failed: numbers out of order in {} quantifier at offset 15

"(?i:a)(?i:b)(?i:c)(?i:d)(?i:e)(?i:f)(?i:g)(?i:h)(?i:i)(?i:j)(k)(?i:l)A\1B"I
Capturing subpattern count = 1

Revision history for this message

Marc Deslauriers (mdeslaur) wrote on 2015-07-24:

#20

OK, I've fixed the test suite and have uploaded it to the PPA. I have also uploaded a package for precise.

I will release the packages as security updates next week once I have tested them.

Thanks!

Changed in pcre3 (Ubuntu Precise):
assignee:	nobody → Marc Deslauriers (mdeslaur)
status:	New → In Progress
Changed in pcre3 (Ubuntu):
status:	In Progress → Fix Released

Marc Deslauriers (mdeslaur) on 2015-07-29

Changed in pcre3 (Ubuntu Precise):
status:	In Progress → Fix Released
Changed in pcre3 (Ubuntu Trusty):
status:	In Progress → Fix Released
Changed in pcre3 (Ubuntu Utopic):
status:	In Progress → Fix Released
Changed in pcre3 (Ubuntu Vivid):
status:	In Progress → Fix Released