openSUSE Security Update: Security update for pcre2 ______________________________________________________________________________ Announcement ID: openSUSE-SU-2016:2035-1 Rating: low References: #971741 Cross-References: CVE-2016-3191 Affected Products: openSUSE Leap 42.1 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for pcre2 fixes the following issues: - pcre2 10.22: * The POSIX wrapper function regcomp() did not used to support back references and subroutine calls if called with the REG_NOSUB option. It now does. * A new function, pcre2_code_copy(), is added, to make a copy of a compiled pattern. * Support for string callouts is added to pcre2grep. * Added the PCRE2_NO_JIT option to pcre2_match(). * The pcre2_get_error_message() function now returns with a negative error code if the error number it is given is unknown. * Several updates have been made to pcre2test and test scripts * Fix CVE-2016-3191: workspace overflow for (*ACCEPT) with deeply nested parentheses (boo#971741) - Update to new upstream release 10.21 * Improve JIT matching speed of patterns starting with + or *. * Use memchr() to find the first character in an unanchored match in 8-bit mode in the interpreter. This gives a significant speed improvement. * 10.20 broke the handling of [[:>:]] and [[:<:]] in that processing them could involve a buffer overflow if the following character was an opening parenthesis. * 10.20 also introduced a bug in processing this pattern: /((?x)(*:0))#(?'/, which was fixed. * A callout with a string argument containing an opening square bracket, for example /(?C$[$)(?<]/, was incorrectly processed and could provoke a buffer overflow. * A possessively repeated conditional group that could match an empty string, for example, /(?(R))*+/, was incorrectly compiled. * The Unicode tables have been updated to Unicode 8.0.0. * An empty comment (?#) in a pattern was incorrectly processed and could provoke a buffer overflow. * Fix infinite recursion in the JIT compiler when certain patterns /such as (?:|a|){100}x/ are analysed. * Some patterns with character classes involving [: and \\ were incorrectly compiled and could cause reading from uninitialized memory or an incorrect error diagnosis. Examples are: /[[:\\](?<[::]/ and /[[:\\](?'abc')[a:]. * A missing closing parenthesis for a callout with a string argument was not being diagnosed, possibly leading to a buffer overflow. * If (?R was followed by - or + incorrect behaviour happened instead of a diagnostic. * Fixed an issue when \p{Any} inside an xclass did not read the current character. * About 80 more fixes, which you can read about in the ChangeLog shipped with the libpcre2-8-0 package. Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE Leap 42.1: zypper in -t patch openSUSE-2016-966=1 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE Leap 42.1 (i586 x86_64): libpcre2-16-0-10.22-7.1 libpcre2-16-0-debuginfo-10.22-7.1 libpcre2-32-0-10.22-7.1 libpcre2-32-0-debuginfo-10.22-7.1 libpcre2-8-0-10.22-7.1 libpcre2-8-0-debuginfo-10.22-7.1 libpcre2-posix1-10.22-7.1 libpcre2-posix1-debuginfo-10.22-7.1 pcre2-debugsource-10.22-7.1 pcre2-devel-10.22-7.1 pcre2-devel-static-10.22-7.1 pcre2-tools-10.22-7.1 pcre2-tools-debuginfo-10.22-7.1 - openSUSE Leap 42.1 (x86_64): libpcre2-16-0-32bit-10.22-7.1 libpcre2-16-0-debuginfo-32bit-10.22-7.1 libpcre2-32-0-32bit-10.22-7.1 libpcre2-32-0-debuginfo-32bit-10.22-7.1 libpcre2-8-0-32bit-10.22-7.1 libpcre2-8-0-debuginfo-32bit-10.22-7.1 libpcre2-posix1-32bit-10.22-7.1 libpcre2-posix1-debuginfo-32bit-10.22-7.1 - openSUSE Leap 42.1 (noarch): pcre2-doc-10.22-7.1 References: https://www.suse.com/security/cve/CVE-2016-3191.html https://bugzilla.suse.com/971741