Security update for pcre SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2015:0858-1 Final 1 1 2015-05-04T12:44:05Z current 2015-05-04T12:44:05Z 2015-05-04T12:44:05Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for pcre The regular expression library pcre was updated to 8.37 to fix three security issues and a number of bugs and correctness issues. The following vulnerabilities were fixed: * CVE-2015-2325: Specially crafted regular expressions could have caused a heap buffer overlow in compile_branch(), potentially allowing the execution of arbitrary code. (boo#924960) * CVE-2015-2326: Specially crafted regular expressions could have caused a heap buffer overlow in pcre_compile2(), potentially allowing the execution of arbitrary code. [boo#924961] * CVE-2014-8964: Specially crafted regular expression could have caused a denial of service (crash) or have other unspecified impact. [boo#906574] The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2015-05/msg00014.html E-Mail link for openSUSE-SU-2015:0858-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings libpcre1-8.37-2.4.1 libpcre1-32bit-8.37-2.4.1 libpcre16-0-8.37-2.4.1 libpcre16-0-32bit-8.37-2.4.1 libpcrecpp0-8.37-2.4.1 libpcrecpp0-32bit-8.37-2.4.1 libpcreposix0-8.37-2.4.1 libpcreposix0-32bit-8.37-2.4.1 pcre-8.37-2.4.1 pcre-devel-8.37-2.4.1 pcre-devel-static-8.37-2.4.1 pcre-doc-8.37-2.4.1 pcre-tools-8.37-2.4.1 Heap-based buffer overflow in PCRE 8.36 and earlier allows remote attackers to cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats. CVE-2014-8964 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2015-05/msg00014.html https://www.suse.com/security/cve/CVE-2014-8964.html CVE-2014-8964 https://bugzilla.suse.com/906574 SUSE Bug 906574 https://bugzilla.suse.com/924960 SUSE Bug 924960 https://bugzilla.suse.com/933288 SUSE Bug 933288 https://bugzilla.suse.com/936408 SUSE Bug 936408 https://bugzilla.suse.com/958373 SUSE Bug 958373 The compile_branch function in PCRE before 8.37 allows context-dependent attackers to compile incorrect code, cause a denial of service (out-of-bounds heap read and crash), or possibly have other unspecified impact via a regular expression with a group containing a forward reference repeated a large number of times within a repeated outer group that has a zero minimum quantifier. CVE-2015-2325 important Please Install the update. https://lists.opensuse.org/opensuse-updates/2015-05/msg00014.html https://www.suse.com/security/cve/CVE-2015-2325.html CVE-2015-2325 https://bugzilla.suse.com/924960 SUSE Bug 924960 https://bugzilla.suse.com/933288 SUSE Bug 933288 https://bugzilla.suse.com/936408 SUSE Bug 936408 https://bugzilla.suse.com/958373 SUSE Bug 958373 The pcre_compile2 function in PCRE before 8.37 allows context-dependent attackers to compile incorrect code and cause a denial of service (out-of-bounds read) via regular expression with a group containing both a forward referencing subroutine call and a recursive back reference, as demonstrated by "((?+1)(\1))/". CVE-2015-2326 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2015-05/msg00014.html https://www.suse.com/security/cve/CVE-2015-2326.html CVE-2015-2326 https://bugzilla.suse.com/924960 SUSE Bug 924960 https://bugzilla.suse.com/924961 SUSE Bug 924961 https://bugzilla.suse.com/933288 SUSE Bug 933288 https://bugzilla.suse.com/936408 SUSE Bug 936408 https://bugzilla.suse.com/958373 SUSE Bug 958373