
Fedora: 21 Security Update Released for pcre Heap Overflow Issue

Fedora
July 18, 2015
Fixes two heap buffer overflows in the pcre library for Fedora 21, CVE-2015-3210 and CVE-2015-5073. Both are triggered when a crafted regular expression is compiled, so any program that compiles untrusted patterns with the system pcre is exposed until it is updated to 8.35-12.fc21.

Summary

Perl-compatible regular expression library.

PCRE has its own native API, but a set of "wrapper" functions that are based on the POSIX API are also supplied in the library libpcreposix. Note that this just provides a POSIX calling interface to PCRE: the regular expressions themselves still follow Perl syntax and semantics. The header file for the POSIX-style functions is called pcreposix.h.

Update Information:

This release fixes two heap buffer overflows when compiling certain regular expressions: CVE-2015-3210 and CVE-2015-5073.

Change Log

* Wed Jul 1 2015 Petr Pisar - 8.35-12
- Fix CVE-2015-3210 (heap overflow when compiling an expression with named recursive back reference and the name is duplicated) (bug #1236659)
- Fix CVE-2015-5073 (heap overflow when compiling an expression with a forward reference within backward assertion with excessive closing parenthesis) (bug #1237224)
* Thu May 14 2015 Petr Pisar - 8.35-11
- Amend Fix-memory-bug-for-S-V-H-compile patch to allow building with disabled UTF support (bug #1210383)
* Thu Apr 23 2015 Petr Pisar - 8.35-10
- Fix static linking (bug #1214494)
- Package pcredemo.c as documentation for pcre-devel
* Fri Apr 10 2015 Petr Pisar - 8.35-9
- Fix computing size for pattern with a negated special class in non-UCP mode (bug #1210383)
- Fix compilation of a pattern with mutual recursion nested inside other group (bug #1210393)
- Fix compilation of a parenthesized comment (bug #1210410)
- Fix compilation of mutual recursion inside a lookbehind assertion (bug #1210417)
- Fix pcregrep loop when \K is used in a lookbehind assertion (bug #1210423)
- Fix pcretest loop when \K is used in a lookbehind assertion (bug #1210423)
- Fix backtracking for CX* in UTF-8 mode (bug #1210576)
* Thu Nov 20 2014 Petr Pisar - 8.35-8
- Fix CVE-2014-8964 (unused memory usage on zero-repeat assertion condition) (bug #1165626)

References

[ 1 ] Bug #1226918 - CVE-2015-3210 pcre: heap buffer overflow in pcre_compile2() / compile_regex()
https://bugzilla.redhat.com/show_bug.cgi?id=1226918
[ 2 ] Bug #1237223 - CVE-2015-5073 pcre: heap buffer overflow in find_fixedlength()
https://bugzilla.redhat.com/show_bug.cgi?id=1237223

Update Instructions

This update can be installed with the "yum" update program. Use

    su -c 'yum update pcre'

at the command line. For more information, refer to "Managing Software with yum", available at .
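The version check a practitioner would run after applying the update, as an added example (a shell script written for this page, not part of the Fedora advisory or the pcre project): it reads the installed pcre build from the RPM database and compares it against the fixed 8.35-12 build. The helper names `vercmp` and `pcre_is_fixed` are this example's own; only the fix version and the `yum update pcre` command come from the advisory, and the `rpm -q --qf` query is the standard RPM query syntax. The check assumes an RPM-based host; the version arithmetic itself is plain POSIX sh, so the functions can also be fed constructed strings such as "8.35-11.fc21" on any machine.

```shell
#!/bin/sh
# Added example, not part of the Fedora advisory: verify that the installed
# pcre package is at or above the fixed build 8.35-12.fc21 before treating
# CVE-2015-3210 / CVE-2015-5073 as closed on this host.
# Assumes an RPM-based host; the version/release arithmetic is plain POSIX sh.

FIXED_VERSION="8.35"
FIXED_RELEASE="12"

# vercmp A B: print -1, 0 or 1 as dot-separated numeric version A is
# less than, equal to or greater than B (missing components count as 0).
vercmp() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    x="${a%%.*}"; y="${b%%.*}"
    if [ "$a" = "$x" ]; then a=""; else a="${a#*.}"; fi
    if [ "$b" = "$y" ]; then b=""; else b="${b#*.}"; fi
    x="${x:-0}"; y="${y:-0}"
    if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return 0; fi
    if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return 0; fi
  done
  printf '%s\n' 0
}

# pcre_is_fixed "VERSION-RELEASE[.dist]": succeed (exit 0) when the given
# build is at least FIXED_VERSION-FIXED_RELEASE, e.g. "8.35-12.fc21".
# A string without a release part is rejected rather than guessed at.
pcre_is_fixed() {
  vr="$1"
  case "$vr" in *-*) ;; *) return 1 ;; esac
  ver="${vr%%-*}"
  rel="${vr#*-}"
  rel="${rel%%.*}"          # "12.fc21" -> "12"; the dist tag is not compared
  [ -n "$ver" ] && [ -n "$rel" ] || return 1
  case "$(vercmp "$ver" "$FIXED_VERSION")" in
    1)  return 0 ;;          # newer upstream version than the fix
    -1) return 1 ;;          # older upstream version than the fix
  esac
  [ "$rel" -ge "$FIXED_RELEASE" ]   # same version: compare Fedora release
}

# On a real host, read the installed build from the RPM database.
# Nothing below runs where rpm is absent, so the functions above can be
# exercised with constructed strings such as "8.35-11.fc21".
if command -v rpm >/dev/null 2>&1; then
  installed="$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' pcre 2>/dev/null | head -n 1)"
  if [ -z "$installed" ]; then
    echo "pcre is not installed"
  elif pcre_is_fixed "$installed"; then
    echo "pcre $installed: fixed build (>= $FIXED_VERSION-$FIXED_RELEASE)"
  else
    echo "pcre $installed: VULNERABLE, run: su -c 'yum update pcre'"
  fi
fi
```

Only the upstream version and the numeric Fedora release are compared; the dist tag (.fc21) is deliberately ignored so the same check works for a rebuilt or locally patched package that keeps the 8.35-12 release number.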

Severity: Critical

Name: pcre
Product: Fedora 21
Version: 8.35
Release: 12.fc21
URL:
Summary: Perl-compatible regular expression library
