Advisories » MGASA-2016-0204

Updated pcre packages fix security vulnerabilities

Publication date: 23 May 2016
Modification date: 23 May 2016
Type: security
Affected Mageia releases : 5
CVE: CVE-2016-1283 , CVE-2016-3191

Description

Updated pcre packages fix security vulnerabilities:

The pcre_compile2 function in pcre_compile.c in PCRE 8.38 mishandles a
paricular pattern and related patterns with named subgroups, which allows
remote attackers to cause a denial of service (heap-based buffer overflow)
or possibly have unspecified other impact via a crafted regular expression
(CVE-2016-1283).

The compile_branch function in pcre_compile.c in PCRE 8.x before 8.39 
mishandles patterns containing an (*ACCEPT) substring in conjunction with
nested parentheses, which allows remote attackers to execute arbitrary
code or cause a denial of service (stack-based buffer overflow) via a
crafted regular expression (CVE-2016-3191).

The pcre package has been updated to the latest CVS as of May 21, 2016,
aka 8.39-RC1, which fixes these issues, as well as several other bugs,
and possible security issues.
                

References

• https://bugs.mageia.org/show_bug.cgi?id=17438
• http://vcs.pcre.org/pcre/code/trunk/ChangeLog?revision=1649&view=markup
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1283
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3191

SRPMS

5/core

• pcre-8.38-1.mga5