Bugzilla – Bug 971741
VUL-1: CVE-2016-3191: pcre: workspace overflow for (*ACCEPT) with deeply nested parentheses (8.39/13, 10.22/12)
Last modified: 2022-04-06 14:02:58 UTC
rh#1311503
The compile_branch function in pcre_compile.c in PCRE 8.x before 8.39 and pcre2_compile.c in PCRE2 before 10.22 mishandles patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allows remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror, aka ZDI-CAN-3542.
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1311503
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3191
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=815920
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=815921
https://bugs.exim.org/show_bug.cgi?id=1791
http://vcs.pcre.org/pcre2?view=revision&revision=489
http://vcs.pcre.org/pcre?view=revision&revision=1631
bugbot adjusting priority
This is an autogenerated message for OBS integration: This bug (971741) was mentioned in https://build.opensuse.org/request/show/416447 Factory / pcre2
For pcre, this was submitted into factory via https://build.opensuse.org/request/show/403030
Recording in changelog: https://build.opensuse.org/request/show/416446
This is an autogenerated message for OBS integration: This bug (971741) was mentioned in https://build.opensuse.org/request/show/416797 42.1 / pcre2
openSUSE-SU-2016:2035-1: An update that fixes one vulnerability is now available.
Category: security (low)
Bug References: 971741
CVE References: CVE-2016-3191
Sources used:
openSUSE Leap 42.1 (src): pcre2-10.22-7.1
This is an autogenerated message for OBS integration: This bug (971741) was mentioned in https://build.opensuse.org/request/show/437711 13.2 / pcre
openSUSE-SU-2016:2805-1: An update that solves 6 vulnerabilities and has three fixes is now available.
Category: security (moderate)
Bug References: 933288,933878,936227,942865,957566,957598,960837,971741,972127
CVE References: CVE-2015-3210,CVE-2015-3217,CVE-2015-5073,CVE-2015-8380,CVE-2016-1283,CVE-2016-3191
Sources used:
openSUSE 13.2 (src): pcre-8.39-3.8.1
SUSE-SU-2016:2971-1: An update that fixes 25 vulnerabilities is now available.
Category: security (moderate)
Bug References: 906574,924960,933288,933878,936227,942865,957566,957567,957598,957600,960837,971741,972127
CVE References: CVE-2014-8964,CVE-2015-2325,CVE-2015-2327,CVE-2015-2328,CVE-2015-3210,CVE-2015-3217,CVE-2015-5073,CVE-2015-8380,CVE-2015-8381,CVE-2015-8382,CVE-2015-8383,CVE-2015-8384,CVE-2015-8385,CVE-2015-8386,CVE-2015-8387,CVE-2015-8388,CVE-2015-8389,CVE-2015-8390,CVE-2015-8391,CVE-2015-8392,CVE-2015-8393,CVE-2015-8394,CVE-2015-8395,CVE-2016-1283,CVE-2016-3191
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP2 (src): pcre-8.39-5.1
SUSE Linux Enterprise Workstation Extension 12-SP1 (src): pcre-8.39-5.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): pcre-8.39-5.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): pcre-8.39-5.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): pcre-8.39-5.1
SUSE Linux Enterprise Server 12-SP2 (src): pcre-8.39-5.1
SUSE Linux Enterprise Server 12-SP1 (src): pcre-8.39-5.1
SUSE Linux Enterprise High Availability 12-SP2 (src): pcre-8.39-5.1
SUSE Linux Enterprise High Availability 12-SP1 (src): pcre-8.39-5.1
SUSE Linux Enterprise Desktop 12-SP2 (src): pcre-8.39-5.1
SUSE Linux Enterprise Desktop 12-SP1 (src): pcre-8.39-5.1
openSUSE-SU-2016:3099-1: An update that fixes 25 vulnerabilities is now available.
Category: security (moderate)
Bug References: 906574,924960,933288,933878,936227,942865,957566,957567,957598,957600,960837,971741,972127
CVE References: CVE-2014-8964,CVE-2015-2325,CVE-2015-2327,CVE-2015-2328,CVE-2015-3210,CVE-2015-3217,CVE-2015-5073,CVE-2015-8380,CVE-2015-8381,CVE-2015-8382,CVE-2015-8383,CVE-2015-8384,CVE-2015-8385,CVE-2015-8386,CVE-2015-8387,CVE-2015-8388,CVE-2015-8389,CVE-2015-8390,CVE-2015-8391,CVE-2015-8392,CVE-2015-8393,CVE-2015-8394,CVE-2015-8395,CVE-2016-1283,CVE-2016-3191
Sources used:
openSUSE Leap 42.2 (src): pcre-8.39-6.1
openSUSE Leap 42.1 (src): pcre-8.39-5.1
SUSE-SU-2016:3161-1: An update that fixes 25 vulnerabilities is now available.
Category: security (moderate)
Bug References: 906574,924960,933288,933878,936227,942865,957566,957567,957598,957600,960837,971741,972127
CVE References: CVE-2014-8964,CVE-2015-2325,CVE-2015-2327,CVE-2015-2328,CVE-2015-3210,CVE-2015-3217,CVE-2015-5073,CVE-2015-8380,CVE-2015-8381,CVE-2015-8382,CVE-2015-8383,CVE-2015-8384,CVE-2015-8385,CVE-2015-8386,CVE-2015-8387,CVE-2015-8388,CVE-2015-8389,CVE-2015-8390,CVE-2015-8391,CVE-2015-8392,CVE-2015-8393,CVE-2015-8394,CVE-2015-8395,CVE-2016-1283,CVE-2016-3191
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP2 (src): pcre-8.39-7.1
SUSE Linux Enterprise Workstation Extension 12-SP1 (src): pcre-8.39-7.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): pcre-8.39-7.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): pcre-8.39-7.1
SUSE Linux Enterprise Server for SAP 12 (src): pcre-8.39-7.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): pcre-8.39-7.1
SUSE Linux Enterprise Server 12-SP2 (src): pcre-8.39-7.1
SUSE Linux Enterprise Server 12-SP1 (src): pcre-8.39-7.1
SUSE Linux Enterprise Server 12-LTSS (src): pcre-8.39-7.1
SUSE Linux Enterprise High Availability 12-SP2 (src): pcre-8.39-7.1
SUSE Linux Enterprise High Availability 12-SP1 (src): pcre-8.39-7.1
SUSE Linux Enterprise Desktop 12-SP2 (src): pcre-8.39-7.1
SUSE Linux Enterprise Desktop 12-SP1 (src): pcre-8.39-7.1
Looks done to me, but evaluate yourself
This is an autogenerated message for OBS integration: This bug (971741) was mentioned in https://build.opensuse.org/request/show/653587 Backports:SLE-12 / pcre2
All done.