Mailinglist Archive: opensuse-updates (164 mails)

< Previous Next >
openSUSE-SU-2016:3099-1: moderate: Security update for pcre
openSUSE Security Update: Security update for pcre
______________________________________________________________________________

Announcement ID: openSUSE-SU-2016:3099-1
Rating: moderate
References: #906574 #924960 #933288 #933878 #936227 #942865
#957566 #957567 #957598 #957600 #960837 #971741
#972127
Cross-References: CVE-2014-8964 CVE-2015-2325 CVE-2015-2327
CVE-2015-2328 CVE-2015-3210 CVE-2015-3217
CVE-2015-5073 CVE-2015-8380 CVE-2015-8381
CVE-2015-8382 CVE-2015-8383 CVE-2015-8384
CVE-2015-8385 CVE-2015-8386 CVE-2015-8387
CVE-2015-8388 CVE-2015-8389 CVE-2015-8390
CVE-2015-8391 CVE-2015-8392 CVE-2015-8393
CVE-2015-8394 CVE-2015-8395 CVE-2016-1283
CVE-2016-3191
Affected Products:
openSUSE Leap 42.2
openSUSE Leap 42.1
______________________________________________________________________________

An update that fixes 25 vulnerabilities is now available.

Description:


This update for pcre to version 8.39 (bsc#972127) fixes several issues.

If you use pcre extensively please be aware that this is an update to a
new version. Please make sure that your software works with the updated
version.

This version fixes a number of vulnerabilities that affect pcre and
applications using the libary when accepting untrusted input as regular
expressions or as part thereof. Remote attackers could have caused the
application to crash, disclose information or potentially execute
arbitrary code. These security issues were fixed:

- CVE-2014-8964: Heap-based buffer overflow in PCRE allowed remote
attackers to cause a denial of service (crash) or have other unspecified
impact via a crafted regular expression, related to an assertion that
allows zero repeats (bsc#906574).
- CVE-2015-2325: Heap buffer overflow in compile_branch() (bsc#924960).
- CVE-2015-3210: Heap buffer overflow in pcre_compile2() / compile_regex()
(bsc#933288)
- CVE-2015-3217: PCRE Library Call Stack Overflow Vulnerability in match()
(bsc#933878).
- CVE-2015-5073: Library Heap Overflow Vulnerability in find_fixedlength()
(bsc#936227).
- bsc#942865: heap overflow in compile_regex()
- CVE-2015-8380: The pcre_exec function in pcre_exec.c mishandled a //
pattern with a \01 string, which allowed remote attackers to cause a
denial of service (heap-based buffer overflow) or possibly have
unspecified other impact via a crafted regular expression, as
demonstrated by a JavaScript RegExp object encountered by Konqueror
(bsc#957566).
- CVE-2015-2327: PCRE mishandled certain patterns with internal recursive
back references, which allowed remote attackers to cause a denial of
service (segmentation fault) or possibly have unspecified other impact
via a crafted regular expression, as demonstrated by a JavaScript RegExp
object encountered by Konqueror (bsc#957567).
- bsc#957598: Various security issues
- CVE-2015-8381: Heap Overflow in compile_regex() (bsc#957598).
- CVE-2015-8382: Regular Expression Uninitialized Pointer Information
Disclosure Vulnerability (ZDI-CAN-2547)(bsc#957598).
- CVE-2015-8383: Buffer overflow caused by repeated conditional
group(bsc#957598).
- CVE-2015-8384: Buffer overflow caused by recursive back reference by
name within certain group(bsc#957598).
- CVE-2015-8385: Buffer overflow caused by forward reference by name to
certain group(bsc#957598).
- CVE-2015-8386: Buffer overflow caused by lookbehind
assertion(bsc#957598).
- CVE-2015-8387: Integer overflow in subroutine calls(bsc#957598).
- CVE-2015-8388: Buffer overflow caused by certain patterns with an
unmatched closing parenthesis(bsc#957598).
- CVE-2015-8389: Infinite recursion in JIT compiler when processing
certain patterns(bsc#957598).
- CVE-2015-8390: Reading from uninitialized memory when processing certain
patterns(bsc#957598).
- CVE-2015-8391: Some pathological patterns causes pcre_compile() to run
for a very long time(bsc#957598).
- CVE-2015-8392: Buffer overflow caused by certain patterns with
duplicated named groups(bsc#957598).
- CVE-2015-8393: Information leak when running pcgrep -q on crafted
binary(bsc#957598).
- CVE-2015-8394: Integer overflow caused by missing check for certain
conditions(bsc#957598).
- CVE-2015-8395: Buffer overflow caused by certain references(bsc#957598).
- CVE-2015-2328: PCRE mishandled the /((?(R)a|(?1)))+/ pattern and related
patterns with certain recursion, which allowed remote attackers to cause
a denial of service (segmentation fault) or possibly have unspecified
other impact via a crafted regular expression (bsc#957600).
- CVE-2016-1283: The pcre_compile2 function in pcre_compile.c in PCRE
mishandled certain patterns with named subgroups, which allowed remote
attackers to cause a denial of service (heap-based buffer overflow) or
possibly have unspecified other impact via a crafted regular expression
(bsc#960837).
- CVE-2016-3191: The compile_branch function in pcre_compile.c in
pcre2_compile.c mishandled patterns containing an (*ACCEPT) substring in
conjunction with nested parentheses, which allowed remote attackers to
execute arbitrary code or cause a denial of service (stack-based buffer
overflow) via a crafted regular expression (bsc#971741).

These non-security issues were fixed:
- JIT compiler improvements
- performance improvements
- The Unicode data tables have been updated to Unicode 7.0.0.

This update was imported from the SUSE:SLE-12:Update update project.


Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE Leap 42.2:

zypper in -t patch openSUSE-2016-1448=1

- openSUSE Leap 42.1:

zypper in -t patch openSUSE-2016-1448=1

To bring your system up-to-date, use "zypper patch".


Package List:

- openSUSE Leap 42.2 (i586 x86_64):

libpcre1-8.39-6.1
libpcre1-debuginfo-8.39-6.1
libpcre16-0-8.39-6.1
libpcre16-0-debuginfo-8.39-6.1
libpcrecpp0-8.39-6.1
libpcrecpp0-debuginfo-8.39-6.1
libpcreposix0-8.39-6.1
libpcreposix0-debuginfo-8.39-6.1
pcre-debugsource-8.39-6.1
pcre-devel-8.39-6.1
pcre-devel-static-8.39-6.1
pcre-tools-8.39-6.1
pcre-tools-debuginfo-8.39-6.1

- openSUSE Leap 42.2 (x86_64):

libpcre1-32bit-8.39-6.1
libpcre1-debuginfo-32bit-8.39-6.1
libpcre16-0-32bit-8.39-6.1
libpcre16-0-debuginfo-32bit-8.39-6.1
libpcrecpp0-32bit-8.39-6.1
libpcrecpp0-debuginfo-32bit-8.39-6.1
libpcreposix0-32bit-8.39-6.1
libpcreposix0-debuginfo-32bit-8.39-6.1

- openSUSE Leap 42.2 (noarch):

pcre-doc-8.39-6.1

- openSUSE Leap 42.1 (i586 x86_64):

libpcre1-8.39-5.1
libpcre1-debuginfo-8.39-5.1
libpcre16-0-8.39-5.1
libpcre16-0-debuginfo-8.39-5.1
libpcrecpp0-8.39-5.1
libpcrecpp0-debuginfo-8.39-5.1
libpcreposix0-8.39-5.1
libpcreposix0-debuginfo-8.39-5.1
pcre-debugsource-8.39-5.1
pcre-devel-8.39-5.1
pcre-devel-static-8.39-5.1
pcre-tools-8.39-5.1
pcre-tools-debuginfo-8.39-5.1

- openSUSE Leap 42.1 (x86_64):

libpcre1-32bit-8.39-5.1
libpcre1-debuginfo-32bit-8.39-5.1
libpcre16-0-32bit-8.39-5.1
libpcre16-0-debuginfo-32bit-8.39-5.1
libpcrecpp0-32bit-8.39-5.1
libpcrecpp0-debuginfo-32bit-8.39-5.1
libpcreposix0-32bit-8.39-5.1
libpcreposix0-debuginfo-32bit-8.39-5.1

- openSUSE Leap 42.1 (noarch):

pcre-doc-8.39-5.1


References:

https://www.suse.com/security/cve/CVE-2014-8964.html
https://www.suse.com/security/cve/CVE-2015-2325.html
https://www.suse.com/security/cve/CVE-2015-2327.html
https://www.suse.com/security/cve/CVE-2015-2328.html
https://www.suse.com/security/cve/CVE-2015-3210.html
https://www.suse.com/security/cve/CVE-2015-3217.html
https://www.suse.com/security/cve/CVE-2015-5073.html
https://www.suse.com/security/cve/CVE-2015-8380.html
https://www.suse.com/security/cve/CVE-2015-8381.html
https://www.suse.com/security/cve/CVE-2015-8382.html
https://www.suse.com/security/cve/CVE-2015-8383.html
https://www.suse.com/security/cve/CVE-2015-8384.html
https://www.suse.com/security/cve/CVE-2015-8385.html
https://www.suse.com/security/cve/CVE-2015-8386.html
https://www.suse.com/security/cve/CVE-2015-8387.html
https://www.suse.com/security/cve/CVE-2015-8388.html
https://www.suse.com/security/cve/CVE-2015-8389.html
https://www.suse.com/security/cve/CVE-2015-8390.html
https://www.suse.com/security/cve/CVE-2015-8391.html
https://www.suse.com/security/cve/CVE-2015-8392.html
https://www.suse.com/security/cve/CVE-2015-8393.html
https://www.suse.com/security/cve/CVE-2015-8394.html
https://www.suse.com/security/cve/CVE-2015-8395.html
https://www.suse.com/security/cve/CVE-2016-1283.html
https://www.suse.com/security/cve/CVE-2016-3191.html
https://bugzilla.suse.com/906574
https://bugzilla.suse.com/924960
https://bugzilla.suse.com/933288
https://bugzilla.suse.com/933878
https://bugzilla.suse.com/936227
https://bugzilla.suse.com/942865
https://bugzilla.suse.com/957566
https://bugzilla.suse.com/957567
https://bugzilla.suse.com/957598
https://bugzilla.suse.com/957600
https://bugzilla.suse.com/960837
https://bugzilla.suse.com/971741
https://bugzilla.suse.com/972127


< Previous Next >
This Thread
  • No further messages