CPANSA-Perl6-Pugs-2015-8382-libpcre: Perl6-Pugs vulnerability
| Publisher | giterlizzi | Document category | csaf_security_advisory |
|---|---|---|---|
| Initial release date | 2015-12-02T00:00:00 | Engine | CSAF Perl Toolkit 0.26 |
| Current release date | 2015-12-02T00:00:00 | Build Date | |
| Current version | 1 | Status | final |
| CVSS v3.1 Base Score | Severity | ||
| Original language | Language | en | |
| Also referred to | |||
Vulnerability Description
The match function in pcre_exec.c in PCRE before 8.37 mishandles the /(?:((abcd))|(((?:(?:(?:(?:abc|(?:abcdef))))b)abcdefghi)abc)|((*ACCEPT)))/ pattern and related patterns involving (*ACCEPT), which allows remote attackers to obtain sensitive information from process memory or cause a denial of service (partially initialized memory and application crash) via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror, aka ZDI-CAN-2547.
Vulnerabilities
CVE-2015-8382
Vulnerability DescriptionThe match function in pcre_exec.c in PCRE before 8.37 mishandles the /(?:((abcd))|(((?:(?:(?:(?:abc|(?:abcdef))))b)abcdefghi)abc)|((*ACCEPT)))/ pattern and related patterns involving (*ACCEPT), which allows remote attackers to obtain sensitive information from process memory or cause a denial of service (partially initialized memory and application crash) via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror, aka ZDI-CAN-2547.
| Weakness | CWE-119 : Improper Restriction of Operations within the Bounds of a Memory Buffer |
|---|
Product status
Known affected
| Product | Score | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Perl6-Pugs greater than or equal 6.0.12 and less than or equal 6.2.9 |
|
giterlizzi
Namespace: https://github.com/giterlizzi/
gdt@cpan.org
References
- CPANSA-Perl6-Pugs-2015-8382-libpcre JSON self
https://raw.githubusercontent.com/giterlizzi/perl-CPANSA-CSAF/develop/csaf/white/2015/cpansa-perl6-pugs-2015-8382-libpcre.json - https://bugs.exim.org/show_bug.cgi?id=1537 external
https://bugs.exim.org/show_bug.cgi?id=1537 - http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup external
http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup - http://vcs.pcre.org/pcre/code/trunk/pcre_exec.c?r1=1502&r2=1510 external
http://vcs.pcre.org/pcre/code/trunk/pcre_exec.c?r1=1502&r2=1510 - https://bugzilla.redhat.com/show_bug.cgi?id=1187225 external
https://bugzilla.redhat.com/show_bug.cgi?id=1187225 - http://www.openwall.com/lists/oss-security/2015/08/04/3 external
http://www.openwall.com/lists/oss-security/2015/08/04/3 - http://www.openwall.com/lists/oss-security/2015/11/29/1 external
http://www.openwall.com/lists/oss-security/2015/11/29/1 - http://git.php.net/?p=php-src.git;a=commit;h=c351b47ce85a3a147cfa801fa9f0149ab4160834 external
http://git.php.net/?p=php-src.git;a=commit;h=c351b47ce85a3a147cfa801fa9f0149ab4160834 - http://www.securityfocus.com/bid/76157 external
http://www.securityfocus.com/bid/76157 - https://bto.bluecoat.com/security-advisory/sa128 external
https://bto.bluecoat.com/security-advisory/sa128 - CVE-2015-8382 (NVD) external
https://nvd.nist.gov/vuln/detail/CVE-2015-8382
Revision history
| Version | Date of the revision | Summary of the revision |
|---|---|---|
| 1 | Wed Dec 2 00:00:00 2015 | First release |
Sharing rules
TLP:WHITE
For the TLP version see: https://www.first.org/tlp/