Control: clone -1 -2
Control: reassign -2 src:pcre2 10.22-2
Control: retitle -2 pcre2: CVE-2017-7186
Control: notfound -2 2:8.39-2.1
Control: forwarded -1 https://bugs.exim.org/show_bug.cgi?id=2052
On Mon, Mar 20, 2017 at 07:04:17AM +0100, Salvatore Bonaccorso wrote:
> Source: pcre3
> Version: 2:8.39-2.1
> Severity: important
> Tags: patch security upstream fixed-upstream
>
> Hi,
>
> the following vulnerability was published for pcre3.
>
> CVE-2017-7186[0]:
> | libpcre1 in PCRE 8.40 and libpcre2 in PCRE2 10.23 allow remote
> | attackers to cause a denial of service (segmentation violation for read
> | access, and application crash) by triggering an invalid Unicode
> | property lookup.
>
> The bug is in the 32-bit library. Quoting upstream:
>
> This was a genuine bug in the 32-bit library. Thanks for finding it.
> The crash was caused by trying to find a Unicode property for a code
> value greater than 0x10ffff, the Unicode maximum, when running in
> non-UTF mode (where character values can be up to 0xffffffff). The bug
> was in both PCRE1 and PCRE2. I have fixed both of them.
>
> I have not yet checked if pcre2 in the version in unstable is as well
> affected, but I guess so and will open a separate bug for it.

Ack, seems present. Cloning and reassigning.

Regards,
Salvatore
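The upstream explanation quoted above describes the general shape of the defect: in the 32-bit, non-UTF library a character value can be anything up to 0xffffffff, but the Unicode property tables only cover code points up to 0x10ffff, so an unchecked lookup reads past the end of the table. The following is an added illustration of that class of bug and its fix, not code from PCRE, the bug report, or the upstream patch. The two-stage table layout, the `stage1` array, the `PROP_*` values and the function names are all hypothetical stand-ins; the only point being demonstrated is the range check on the code value before it is used as a table index.

```c
/* Added illustration (not PCRE code): a Unicode property lookup fed a
 * 32-bit code value in non-UTF mode must reject values above 0x10FFFF
 * before indexing any table that is sized for the Unicode range.
 * The table below is a toy stand-in for the real property tables. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define UNICODE_MAX  0x10FFFFu   /* largest Unicode code point */
#define PROP_UNKNOWN 0           /* result for values outside Unicode */
#define PROP_LETTER  1
#define PROP_OTHER   2

/* Toy first-stage table: one entry per 256-code-point block, covering
 * exactly the Unicode range (0x1100 blocks). */
#define BLOCKS ((UNICODE_MAX >> 8) + 1)
static uint8_t stage1[BLOCKS];
static int tables_ready = 0;

/* Constructed toy content: blocks 0x00 and 0x01 count as LETTER,
 * everything else as OTHER. Real tables are far richer; irrelevant here. */
static void init_tables(void)
{
    for (size_t i = 0; i < BLOCKS; i++)
        stage1[i] = PROP_OTHER;
    stage1[0x00] = PROP_LETTER;
    stage1[0x01] = PROP_LETTER;
    tables_ready = 1;
}

/* True if (cp >> 8) is a valid index into stage1. For any cp above
 * UNICODE_MAX this is false, which is exactly the out-of-bounds read an
 * unguarded lookup would perform. */
int index_in_bounds(uint32_t cp)
{
    return (cp >> 8) < BLOCKS;
}

/* Hardened lookup: the guard turns an out-of-range 32-bit value into a
 * well-defined PROP_UNKNOWN instead of reading past the end of stage1. */
int unicode_property(uint32_t cp)
{
    if (!tables_ready)
        init_tables();
    if (cp > UNICODE_MAX)        /* the check the bug lacked */
        return PROP_UNKNOWN;
    return stage1[cp >> 8];
}

int main(void)
{
    /* Constructed sample values: a Latin letter, a CJK ideograph, the
     * Unicode maximum, the first value past it, and the 32-bit maximum. */
    uint32_t samples[] = { 0x41u, 0x4E2Du, 0x10FFFFu, 0x110000u, 0xFFFFFFFFu };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("cp=0x%08X in_bounds=%d property=%d\n",
               samples[i], index_in_bounds(samples[i]),
               unicode_property(samples[i]));
    return 0;
}
```

In a regex engine the equivalent guard belongs at the point where a character value from the subject or pattern is handed to the property tables; in UTF mode the decoder already rejects values above 0x10ffff, which is why the quoted report describes the bug as specific to the non-UTF 32-bit path.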