[gentoo-announce] [ GLSA 201706-11 ] PCRE library: Denial of Service - gentoo-announce

From:	Kristian Fiskerstrand <k_f@g.o>
To:	gentoo-announce@l.g.o
Subject:	[gentoo-announce] [ GLSA 201706-11 ] PCRE library: Denial of Service
Date:	Tue, 06 Jun 2017 19:48:30
Message-Id:	`c26c2948-a1ca-4a32-c74c-a5bac34b4698@gentoo.org`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 201706-11

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                           https://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

 Severity: Normal

8

    Title: PCRE library: Denial of Service

9

     Date: June 06, 2017

10

     Bugs: #609592

11

       ID: 201706-11

12

13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

14

15

Synopsis

16

========

17

18

A vulnerability in PCRE library allows remote attackers to cause a

19

Denial of Service condition.

20

21

Background

22

==========

23

24

PCRE library is a set of functions that implement regular expression

25

pattern matching using the same syntax and semantics as Perl 5.

26

27

Affected packages

28

=================

29

30

    -------------------------------------------------------------------

31

     Package              /     Vulnerable     /            Unaffected

32

    -------------------------------------------------------------------

33

  1  dev-libs/libpcre            < 8.40-r1                 >= 8.40-r1

34

35

Description

36

===========

37

38

It was found that the compile_bracket_matchingpath function in

39

pcre_jit_compile.c in PCRE library is vulnerable to an out-of-bounds

40

read.

41

42

Impact

43

======

44

45

A remote attacker could possibly cause a Denial of Service condition

46

via a special crafted regular expression.

47

48

Workaround

49

==========

50

51

There is no known workaround at this time.

52

53

Resolution

54

==========

55

56

All PCRE library users should upgrade to the latest version:

57

58

  # emerge --sync

59

  # emerge --ask --oneshot --verbose ">=dev-libs/libpcre-8.40-r1"

60

61

References

62

==========

63

64

[ 1 ] CVE-2017-6004

65

      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6004

66

67

Availability

68

============

69

70

This GLSA and any updates to it are available for viewing at

71

the Gentoo Security Website:

72

73

 https://security.gentoo.org/glsa/201706-11

74

75

Concerns?

76

=========

77

78

Security is a primary focus of Gentoo Linux and ensuring the

79

confidentiality and security of our users' machines is of utmost

80

importance to us. Any security concerns should be addressed to

81

security@g.o or alternatively, you may file a bug at

82

https://bugs.gentoo.org.

83

84

License

85

=======

86

87

Copyright 2017 Gentoo Foundation, Inc; referenced text

88

belongs to its owner(s).

89

90

The contents of this document are licensed under the

91

Creative Commons - Attribution / Share Alike license.

92

93

http://creativecommons.org/licenses/by-sa/2.5

Gentoo Archives: gentoo-announce

Attachments

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 201706-11
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	https://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: Normal
8	Title: PCRE library: Denial of Service
9	Date: June 06, 2017
10	Bugs: #609592
11	ID: 201706-11
12
13	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15	Synopsis
16	========
17
18	A vulnerability in PCRE library allows remote attackers to cause a
19	Denial of Service condition.
20
21	Background
22	==========
23
24	PCRE library is a set of functions that implement regular expression
25	pattern matching using the same syntax and semantics as Perl 5.
26
27	Affected packages
28	=================
29
30	-------------------------------------------------------------------
31	Package / Vulnerable / Unaffected
32	-------------------------------------------------------------------
33	1 dev-libs/libpcre < 8.40-r1 >= 8.40-r1
34
35	Description
36	===========
37
38	It was found that the compile_bracket_matchingpath function in
39	pcre_jit_compile.c in PCRE library is vulnerable to an out-of-bounds
40	read.
41
42	Impact
43	======
44
45	A remote attacker could possibly cause a Denial of Service condition
46	via a special crafted regular expression.
47
48	Workaround
49	==========
50
51	There is no known workaround at this time.
52
53	Resolution
54	==========
55
56	All PCRE library users should upgrade to the latest version:
57
58	# emerge --sync
59	# emerge --ask --oneshot --verbose ">=dev-libs/libpcre-8.40-r1"
60
61	References
62	==========
63
64	[ 1 ] CVE-2017-6004
65	http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6004
66
67	Availability
68	============
69
70	This GLSA and any updates to it are available for viewing at
71	the Gentoo Security Website:
72
73	https://security.gentoo.org/glsa/201706-11
74
75	Concerns?
76	=========
77
78	Security is a primary focus of Gentoo Linux and ensuring the
79	confidentiality and security of our users' machines is of utmost
80	importance to us. Any security concerns should be addressed to
81	security@g.o or alternatively, you may file a bug at
82	https://bugs.gentoo.org.
83
84	License
85	=======
86
87	Copyright 2017 Gentoo Foundation, Inc; referenced text
88	belongs to its owner(s).
89
90	The contents of this document are licensed under the
91	Creative Commons - Attribution / Share Alike license.
92
93	http://creativecommons.org/licenses/by-sa/2.5