Bug 14789

Summary: pcre new security issue CVE-2014-8964
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: herman.viaene, rverschelde, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/626062/
Whiteboard: MGA4-32-OK MGA4-64-OK advisory
Source RPM: pcre-8.33-2.mga4.src.rpm CVE:
Status comment:

Description David Walser 2014-12-12 19:39:00 CET 
Fedora has issued an advisory on November 22:
https://lists.fedoraproject.org/pipermail/package-announce/2014-December/145843.html

Patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated pcre packages fix security vulnerability:

A flaw was found in the way PCRE handled certain malformed regular
expressions. This issue could cause an application linked against PCRE to
crash while parsing malicious regular expressions (CVE-2014-8964).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8964
https://lists.fedoraproject.org/pipermail/package-announce/2014-December/145843.html
========================

Updated packages in core/updates_testing:
========================
pcre-8.33-2.1.mga4
libpcre1-8.33-2.1.mga4
libpcre16_0-8.33-2.1.mga4
libpcre32_0-8.33-2.1.mga4
libpcrecpp0-8.33-2.1.mga4
libpcreposix1-8.33-2.1.mga4
libpcreposix0-8.33-2.1.mga4
libpcre-devel-8.33-2.1.mga4
libpcrecpp-devel-8.33-2.1.mga4
libpcreposix-devel-8.33-2.1.mga4

from pcre-8.33-2.1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2014-12-13 22:48:36 CET 
The PoC from the upstream bug:
http://bugs.exim.org/show_bug.cgi?id=1546

is:
echo "a" | pcregrep "((?=(?(?=(?(?=(?(?=())))*))))){2}" -

Unfortunately it only produces an error when pcre was compiled with AddressSanitizer.
Comment 2 Herman Viaene 2014-12-15 11:31:39 CET 
MGA4-64 on HP Probook 6555b
No apparant problems.
Test as described above 
$ echo "a" | pcregrep "((?=(?(?=(?(?=(?(?=())))*))))){2}" -
a

CC: (none) => herman.viaene

Comment 3 David Walser 2014-12-16 22:37:08 CET 
Adding OKs based on Herman and my testing.  This can be validated.

Whiteboard: (none) => MGA4-32-OK MGA4-64-OK

Comment 4 RĂ©mi Verschelde 2014-12-17 13:59:23 CET 
Validating, advisory uploaded.

Keywords: (none) => validated_update
Whiteboard: MGA4-32-OK MGA4-64-OK => MGA4-32-OK MGA4-64-OK advisory
CC: (none) => remi, sysadmin-bugs

Comment 5 Mageia Robot 2014-12-19 16:07:22 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0534.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED