Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 522
Alerts This Week
Warning Icon 1 522

Fedora 23: 2017-d2ac8f35a0 Major: xml Parsing Vulnerability Detected

fedora
Calendar Grey March 16, 2016
Dist Fedora Esm H88
A patch for Fedora 22 resolves vulnerabilities in pcre, implementing essential corrections specifically for the processing of nested groups to prevent buffer overflow issues.
This release fixes a heap buffer overflow in handling of nested duplicate named groups with a nested back reference and a heap buffer overflow in pcretest causing infinite loop whe...

Summary

Perl-compatible regular expression library.

PCRE has its own native API, but a set of "wrapper" functions that are based on

the POSIX API are also supplied in the library libpcreposix. Note that this

just provides a POSIX calling interface to PCRE: the regular expressions

themselves still follow Perl syntax and semantics. The header file

for the POSIX-style functions is called pcreposix.h.

Update Information:

This release fixes a heap buffer overflow in handling of nested duplicate named groups with a nested back reference and a heap buffer overflow in pcretest causing infinite loop when matching globally with an ovector less than 2.

Change Log

References


[ 1 ] Bug #1295385 - CVE-2016-1283 pcre: heap buffer overflow in handling of duplicate named groups (8.39/14) https://bugzilla.redhat.com/show_bug.cgi?id=1295385 [ 2 ] Bug #1312782 - pcre: Heap buffer overflow in pcretest causing infinite loop https://bugzilla.redhat.com/show_bug.cgi?id=1312782

Update Instructions

This update can be installed with the "yum" update program. Use su -c 'yum update pcre' at the command line. For more information, refer to "Managing Software with yum", available at .

Severity
critical
Lowest
Low
Medium
High
Critical

Name: pcre
Product: Fedora 22
Version: 8.38
Release: 3.fc22
URL:
Summary: Perl-compatible regular expression library

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.