[SECURITY] Fedora 22 Update: pcre-8.38-1.fc22

updates at fedoraproject.org
Mon Jan 4 19:59:47 UTC 2016


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2015-eb896290d3
2016-01-04 16:02:44.028960
--------------------------------------------------------------------------------

Name        : pcre
Product     : Fedora 22
Version     : 8.38
Release     : 1.fc22
URL         : http://www.pcre.org/
Summary     : Perl-compatible regular expression library
Description :
Perl-compatible regular expression library.
PCRE has its own native API, but a set of "wrapper" functions that are based on
the POSIX API are also supplied in the library libpcreposix. Note that this
just provides a POSIX calling interface to PCRE: the regular expressions
themselves still follow Perl syntax and semantics. The header file
for the POSIX-style functions is called pcreposix.h.

--------------------------------------------------------------------------------
Update Information:

This release fixes these vulnerabilities: CVE-2015-8383, CVE-2015-8386,
CVE-2015-8387, CVE-2015-8389, CVE-2015-8390, CVE-2015-8391, CVE-2015-8393,
CVE-2015-8394. It also fixes compiling comments with auto-callouts, compiling
expressions with negated classes in UCP mode, compiling expressions with an
isolated \E between an item and its qualifier with auto-callouts, a crash in
regexec() if the REG_STARTEND option is set and the pmatch argument is NULL, a
stack overflow when formatting a 32-bit integer in the pcregrep tool, compiling
expressions with an empty \Q\E sequence between an item and its qualifier with
auto-callouts, compiling expressions with the global extended modifier disabled
by a local no-extended option at the start of the expression just after
whitespace, a possible crash in pcre_copy_named_substring() if a named substring
has a number greater than the space in the ovector, a buffer overflow when
compiling an expression with named groups where a group resets capture
numbers, and a crash in pcre_get_substring_list() if the use of \K caused the
start of the match to be earlier than the end.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1287614 - CVE-2015-8383 pcre: Buffer overflow caused by repeated conditional group
        https://bugzilla.redhat.com/show_bug.cgi?id=1287614
  [ 2 ] Bug #1287636 - CVE-2015-8386 pcre: Buffer overflow caused by lookbehind assertion
        https://bugzilla.redhat.com/show_bug.cgi?id=1287636
  [ 3 ] Bug #1287646 - CVE-2015-8387 pcre: Integer overflow in subroutine calls
        https://bugzilla.redhat.com/show_bug.cgi?id=1287646
  [ 4 ] Bug #1287659 - CVE-2015-8389 pcre: Infinite recursion in JIT compiler when processing certain patterns
        https://bugzilla.redhat.com/show_bug.cgi?id=1287659
  [ 5 ] Bug #1287666 - CVE-2015-8390 pcre: Reading from uninitialized memory when processing certain patterns
        https://bugzilla.redhat.com/show_bug.cgi?id=1287666
  [ 6 ] Bug #1287671 - CVE-2015-8391 pcre: Some pathological patterns causes pcre_compile() to run for a very long time
        https://bugzilla.redhat.com/show_bug.cgi?id=1287671
  [ 7 ] Bug #1287695 - CVE-2015-8393 pcre: Information leak when running pcgrep -q on crafted binary
        https://bugzilla.redhat.com/show_bug.cgi?id=1287695
  [ 8 ] Bug #1287702 - CVE-2015-8394 pcre: Integer overflow caused by missing check for certain conditions
        https://bugzilla.redhat.com/show_bug.cgi?id=1287702
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use
su -c 'yum update pcre' at the command line.
For more information, refer to "Managing Software with yum",
available at https://docs.fedoraproject.org/yum/.
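
After applying the update, a practitioner also wants to confirm that the fixed package is actually installed and that long-running services are not still executing the old library. The script below is an added example, not part of this announcement or of Fedora's tooling; the function names and the sample maps lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the Fedora announcement: after "yum update pcre",
# confirm the package is at least pcre-8.38-1.fc22 and look for processes that
# still map the pre-update libpcre (a replaced .so stays in use until restart).

# pcre_is_fixed NVR: exit 0 if an rpm name-version-release[.arch] string such
# as "pcre-8.38-1.fc22.x86_64" (the output of "rpm -q pcre") is at least
# 8.38-1, else exit 1. Assumes a major.minor version and a numeric release.
pcre_is_fixed() {
    rel=${1##*-}        # "1.fc22.x86_64"
    rel=${rel%%.*}      # "1"
    nv=${1%-*}          # "pcre-8.38"
    ver=${nv##*-}       # "8.38"
    major=${ver%%.*}    # "8"
    minor=${ver#*.}; minor=${minor%%.*}   # "38", any third component dropped
    if [ "$major" -ne 8 ]; then
        [ "$major" -gt 8 ] && return 0
        return 1
    fi
    if [ "$minor" -ne 38 ]; then
        [ "$minor" -gt 38 ] && return 0
        return 1
    fi
    [ "$rel" -ge 1 ]
}

# stale_pcre_maps: read /proc/<pid>/maps text on stdin and print each mapping
# of a libpcre* shared object whose file has since been replaced on disk
# (the kernel marks it "(deleted)"); exit 0 if any line matched.
stale_pcre_maps() {
    grep -E '/libpcre[^ ]*\.so[^ ]* \(deleted\)$'
}

# scan_running_processes: run stale_pcre_maps over every process; reading
# other users' maps needs root. Output lines are "pid: mapping".
scan_running_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        stale_pcre_maps 2>/dev/null < "$maps" | sed "s/^/$pid: /"
    done
}

# Constructed /proc/<pid>/maps sample (not captured from a real host): the
# first line is an old libpcre still mapped after the package was replaced.
SAMPLE_MAPS='7f3a1c000000-7f3a1c03f000 r-xp 00000000 fd:01 131094 /usr/lib64/libpcre.so.1.2.5 (deleted)
7f3a1c200000-7f3a1c3b0000 r-xp 00000000 fd:01 131172 /usr/lib64/libc-2.21.so'

printf '%s\n' "$SAMPLE_MAPS" | stale_pcre_maps
pcre_is_fixed "pcre-8.37-4.fc22.x86_64" || echo "pcre-8.37-4.fc22 is NOT fixed"
```

On the updated host, run `scan_running_processes` as root; every line it prints names a process that must be restarted before it stops using the pre-8.38 code.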

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

