FS#45207 - [pcre] multiple remote code execution vulnerabilities which are only fixed in upstream SVN

Attached to Project: Arch Linux
Opened by Pascal Ernster (hardfalcon) - Thursday, 04 June 2015, 19:19 GMT
Last edited by Sébastien Luttringer (seblu) - Monday, 08 June 2015, 15:49 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Sébastien Luttringer (seblu)
Architecture All
Severity Critical
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 3
Private No

Details

Description: PCRE 8.37 contains multiple security vulnerabilities (over half a dozen buffer overflows and reference offset bugs):
http://vcs.pcre.org/pcre/code/trunk/ChangeLog

At least one of those vulnerabilities has been assigned CVE-2015-3210, where it is also claimed that this can be used for remote code execution:
http://www.securitytracker.com/id/1032453

Although upstream has not yet released a new version of PCRE, they have fixed these vulnerabilities in their SVN:
https://bugs.exim.org/show_bug.cgi?id=1636#c1

I therefore propose that the SVN version of PCRE be shipped until upstream releases PCRE 8.38.


Additional info:
* package version(s): PCRE 8.33-8.37

Steps to reproduce:
Ask Wen Guanxing if you really need a working exploit.

Closed by Sébastien Luttringer (seblu)
Monday, 08 June 2015, 15:49 GMT
Reason for closing: Fixed
Comment by Sébastien Luttringer (seblu) - Friday, 05 June 2015, 00:27 GMT
A version with patches is in testing. Could you confirm that's ok?
Comment by Pascal Ernster (hardfalcon) - Friday, 05 June 2015, 01:04 GMT
Hmmm, the download from mirror.rit.edu gives me a 404 although I had started (but then cancelled again) the download using my browser a few minutes ago. o_O

I'll quickly build the package myself (using GCC 5.1 and with a grsec kernel) and give you feedback.
Comment by Pascal Ernster (hardfalcon) - Friday, 05 June 2015, 05:11 GMT
So far, no problems experienced, neither with your version nor with mine.

//EDIT: By the way, lib32-pcre would of course also need to be fixed.
Comment by Pascal Ernster (hardfalcon) - Monday, 08 June 2015, 01:44 GMT
Could you please also assign this bug to Florian Pritz (bluewind), as he is the maintainer of the lib32-pcre package?

https://www.archlinux.org/packages/multilib/x86_64/lib32-pcre/
Comment by Sébastien Luttringer (seblu) - Monday, 08 June 2015, 15:47 GMT
I got access to multilib. That's now ok.
