Fedora has issued an advisory on November 22: https://lists.fedoraproject.org/pipermail/package-announce/2014-December/145843.html Patched packages uploaded for Mageia 4 and Cauldron. Advisory: ======================== Updated pcre packages fix security vulnerability: A flaw was found in the way PCRE handled certain malformed regular expressions. This issue could cause an application linked against PCRE to crash while parsing malicious regular expressions (CVE-2014-8964). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8964 https://lists.fedoraproject.org/pipermail/package-announce/2014-December/145843.html ======================== Updated packages in core/updates_testing: ======================== pcre-8.33-2.1.mga4 libpcre1-8.33-2.1.mga4 libpcre16_0-8.33-2.1.mga4 libpcre32_0-8.33-2.1.mga4 libpcrecpp0-8.33-2.1.mga4 libpcreposix1-8.33-2.1.mga4 libpcreposix0-8.33-2.1.mga4 libpcre-devel-8.33-2.1.mga4 libpcrecpp-devel-8.33-2.1.mga4 libpcreposix-devel-8.33-2.1.mga4 from pcre-8.33-2.1.mga4.src.rpm Reproducible: Steps to Reproduce:
The PoC from the upstream bug: http://bugs.exim.org/show_bug.cgi?id=1546 is: echo "a" | pcregrep "((?=(?(?=(?(?=(?(?=())))*))))){2}" - Unfortunately it only produces an error when pcre was compiled with AddressSanitizer.
MGA4-64 on HP Probook 6555b No apparant problems. Test as described above $ echo "a" | pcregrep "((?=(?(?=(?(?=(?(?=())))*))))){2}" - a
CC: (none) => herman.viaene
Adding OKs based on Herman and my testing. This can be validated.
Whiteboard: (none) => MGA4-32-OK MGA4-64-OK
Validating, advisory uploaded.
Keywords: (none) => validated_updateWhiteboard: MGA4-32-OK MGA4-64-OK => MGA4-32-OK MGA4-64-OK advisoryCC: (none) => remi, sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0534.html
Status: NEW => RESOLVEDResolution: (none) => FIXED