Date: Mon, 24 Aug 2015 16:10:58 +0000 (UTC)
From: Mark Felder <feld@FreeBSD.org>
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r395177 - head/security/vuxml
Message-ID: <201508241610.t7OGAwii011505@repo.freebsd.org>
Author: feld Date: Mon Aug 24 16:10:57 2015 New Revision: 395177 URL: https://svnweb.freebsd.org/changeset/ports/395177 Log: Document devel/pcre vulnerability Security: 6900e6f1-4a79-11e5-9ad8-14dae9d210b8 Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Mon Aug 24 16:04:09 2015 (r395176) +++ head/security/vuxml/vuln.xml Mon Aug 24 16:10:57 2015 (r395177) @@ -58,6 +58,43 @@ Notes: --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="6900e6f1-4a79-11e5-9ad8-14dae9d210b8"> + <topic>pcre -- heap overflow vulnerability</topic> + <affects> + <package> + <name>pcre</name> + <range><lt>8.37_4</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Guanxing Wen reports:</p> + <blockquote cite="http://seclists.org/oss-sec/2015/q3/295"> + <p>PCRE library is prone to a vulnerability which leads to + Heap Overflow. + During the compilation of a malformed regular expression, more data is + written on the malloced block than the expected size output by + compile_regex(). + The Heap Overflow vulnerability is caused by the following regular + expression.</p> + <p>/(?J:(?|(:(?|(?'R')(\z(?|(?'R')(\k'R')|((?'R')))k'R')|((?'R')))H'Ak'Rf)|s(?'R')))/</p> + <p>A dry run of this particular regular expression with pcretest will + reports "double free or corruption (!prev)". + But it is actually a heap overflow problem. + The overflow only affects pcre 8.x branch, pcre2 branch is not affected.</p> + </blockquote> + </body> + </description> + <references> + <url>http://seclists.org/oss-sec/2015/q3/295</url> + <url>https://bugs.exim.org/show_bug.cgi?id=1672</url> + </references> + <dates> + <discovery>2015-08-21</discovery> + <entry>2015-08-24</entry> + </dates> + </vuln> + <vuln vid="9393213d-489b-11e5-b8c7-d050996490d0"> <topic>drupal -- multiple vulnerabilities</topic> <affects>
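Review bot: the `<references>` block of the new pcre entry lists only the two `<url>` elements and no `<cvename>`; if a CVE identifier is assigned for this heap overflow, add it there so the entry can be matched by CVE as well as by vid. Also confirm that `<range><lt>8.37_4</lt></range>` corresponds to the devel/pcre revision that actually carries the fix, since that bound alone decides which installed packages the entry flags. Since the quoted report states that only the pcre 8.x branch is affected and pcre2 is not, listing the single package name `pcre` under `<affects>` matches the report.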