|
|
Subscribe / Log in / New account

pcre: multiple vulnerabilities

Package(s):pcre CVE #(s):CVE-2015-8383 CVE-2015-8386 CVE-2015-8387 CVE-2015-8389 CVE-2015-8390 CVE-2015-8391 CVE-2015-8393 CVE-2015-8394
Created:January 5, 2016 Updated:January 6, 2016
Description: From the CVE entries:

PCRE before 8.38 mishandles certain repeated conditional groups, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror. (CVE-2015-8383)

PCRE before 8.38 mishandles the interaction of lookbehind assertions and mutually recursive subpatterns, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror. (CVE-2015-8386)

PCRE before 8.38 mishandles (?123) subroutine calls and related subroutine calls, which allows remote attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror. (CVE-2015-8387)

PCRE before 8.38 mishandles the /(?:|a|){100}x/ pattern and related patterns, which allows remote attackers to cause a denial of service (infinite recursion) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror. (CVE-2015-8389)

PCRE before 8.38 mishandles the [: and \\ substrings in character classes, which allows remote attackers to cause a denial of service (uninitialized memory read) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror. (CVE-2015-8390)

The pcre_compile function in pcre_compile.c in PCRE before 8.38 mishandles certain [: nesting, which allows remote attackers to cause a denial of service (CPU consumption) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror. (CVE-2015-8391)

pcregrep in PCRE before 8.38 mishandles the -q option for binary files, which might allow remote attackers to obtain sensitive information via a crafted file, as demonstrated by a CGI script that sends stdout data to a client. (CVE-2015-8393)

PCRE before 8.38 mishandles the (?(<digits>') and (?(R<digits>) conditions, which allows remote attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror. (CVE-2015-8394)

Alerts:
Red Hat RHSA-2016:2750-01 rh-php56 2016-11-15
Gentoo 201607-02 libpcre 2016-07-09
Fedora FEDORA-2015-eb896290d3 pcre 2016-01-04
Red Hat RHSA-2016:1132-01 rh-mariadb100-mariadb 2016-05-26
Oracle ELSA-2016-1025 pcre 2016-05-11
Scientific Linux SLSA-2016:1025-1 pcre 2016-05-11
Red Hat RHSA-2016:1025-01 pcre 2016-05-11
openSUSE openSUSE-SU-2016:3099-1 pcre 2016-12-12
Ubuntu USN-2943-1 pcre3 2016-03-29
Fedora FEDORA-2016-f59a8ff5d0 mingw-pcre 2016-02-17
Fedora FEDORA-2016-fd1199dbe2 mingw-pcre 2016-02-17
to post comments


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds