PCRE 8.44 has been released on February 12:
http://www.pcre.org/original/changelog.txt

The changelog (above) lists two security issues fixed (as usual).
Done for mga7!
CC: (none) => geiger.david68210
Advisory:
========================

Updated pcre packages fix security vulnerabilities:

The pcre package has been updated to version 8.44, fixing an integer overflow and NULL pointer dereference, as well as other bugs. See the upstream changelog for details.

References:
http://www.pcre.org/original/changelog.txt
========================

Updated packages in core/updates_testing:
========================
pcre-8.44-1.mga7
libpcre1-8.44-1.mga7
libpcre16_0-8.44-1.mga7
libpcre32_0-8.44-1.mga7
libpcrecpp0-8.44-1.mga7
libpcreposix1-8.44-1.mga7
libpcreposix0-8.44-1.mga7
libpcre-devel-8.44-1.mga7
libpcrecpp-devel-8.44-1.mga7
libpcreposix-devel-8.44-1.mga7
libpcre-static-devel-8.44-1.mga7

from pcre-8.44-1.mga7.src.rpm
Assignee: bugsquad => qa-bugs
About to start this one for mga7 x86_64
CC: (none) => tarazed25
Installed all the files and updated them.

Resources: man pages and https://learnxinyminutes.com/docs/pcre/

This should have been a simple one to test. The man pages list a pcredemo C script which the user is supposed to copy and compile. Copying from the man pages results in a text file which looks OK but contains hidden characters which prevent it compiling. At a guess these are the nroff characters referred to elsewhere in the man pages because they mention a script called CleanTxt which does just that for man page extracts but it is nowhere to be found. Also mentioned are .txt files which contain demonstration source code including that for utilities like pcregrep. Again, not available. It would take a couple of hours to copy pcredemo.c out by hand.

$ pcre-config --version
8.43
$ pcre-config --libs
-L/usr/lib64 -lpcre

One or two commands respond but this tester does not really know what to do with them.

$ pcretest
PCRE version 8.43 2019-02-23
re>

Pre-built tests like RunTest can be supplied here. Looks like RunTest expects as arguments numbered files. Giving it three random integers raised an error because there are no corresponding files so it behaves correctly at that level.

$ urpmq --whatrequires-recursive pcre | sort -u
returns a long list, notably: alien, erlang, magpie, nginx, enki, mgarepo and bm.

No handy deb packages so it is a local build.

$ strace -o mgarepo.trace mgarepo co -d 7 glmark2
Using the svn mirror.
.....
$ grep pcre mgarepo.trace
$ cd glmark2
$ strace -o bm.trace bm -ls
creating package list
processing package glmark2-2017.07-%mkrel %rel%{?gitdate:.%{gitdate}}
building source package
Wrote: /home/lcl/dev/glmark2/glmark2/SRPMS/glmark2-2017.07-4.20190327.mga7.src.rpm
succeeded!
$ grep pcre bm.trace
$ strace -o glmark2.trace bm -l
.....
+ /usr/bin/rm -rf /home/lcl/dev/glmark2/glmark2/BUILDROOT/glmark2-2017.07-4.20190327.mga7.x86_64
+ exit 0
succeeded!
$ grep pcre glmark2.trace
$

Hmm! At one time youtube-dl was a perl script IIRC.

$ urpmq --requires-recursive youtube-dl
....
lib64pcre1

Tried youtube-dl on a couple of music videos - failed. Third one worked but no sign of libpcre.

$ strace -o vom.trace youtube-dl https://www.youtube.com/watch?v=-6N73y822dU
$ grep pcre vom.trace
$

Have to give up and pass this on the basis of a clean install.
Whiteboard: (none) => MGA7-64-OK
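An added example, not part of the comment above or of any Mageia tooling: a stricter version of the "strace, then grep pcre" check, which lists only shared objects that were opened successfully and ignores failed search-path probes and unfinished calls. It also accepts the PID prefix that `strace -f` writes, since without `-f` strace does not follow child processes; the function names and the sample trace are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `strace -f -o FILE cmd` output (not from the bug report).
# PID 4100 is the traced command, PID 4101 a child process it started.
sample_trace() {
cat <<'EOF'
4100 execve("/usr/bin/demo", ["demo"], 0x7ffc0 /* 40 vars */) = 0
4100 openat(AT_FDCWD, "/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
4100 openat(AT_FDCWD, "/usr/lib64/tls/libpcre.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
4101 openat(AT_FDCWD, "/usr/lib64/libpcre.so.1", O_RDONLY|O_CLOEXEC) = 3
4101 openat(AT_FDCWD, "/usr/lib64/libz.so.1", O_RDONLY|O_CLOEXEC <unfinished ...>
EOF
}

# loaded_libs: read strace output on stdin and print every shared object
# whose open()/openat() call returned a file descriptor, one path per line.
loaded_libs() {
  awk -F'"' '
    /^([0-9]+ +)?open(at)?\(/ && $2 ~ /\.so(\.[0-9]+)*$/ {
      n = split($0, parts, " = ")          # return value follows the last " = "
      if (n >= 2 && parts[n] ~ /^[0-9]+/)  # skip -1 ENOENT and unfinished calls
        print $2
    }' | LC_ALL=C sort -u
}

# uses_lib NAME: succeed if a library file called NAME.so* was really loaded.
# "libpcre" does not match libpcreposix, which is a separate library.
uses_lib() {
  loaded_libs | grep -q "/$1\.so"
}

# Typical use on a real trace:
#   strace -f -o app.trace app args...
#   uses_lib libpcre < app.trace && echo "app exercises libpcre"
```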
Created attachment 11527
Demo script from the pcre man pages

$ gcc -o pcredemo -lpcre pcredemo.c

AFAIK this is a utility for manipulating regular expressions - requires two arguments, presumably an expression and something to be matched.

Created attachment 11528
Demonstration regex parser using the libpcre library

$ gcc -o pcredemo -lpcre pcredemo.c
$ ./pcredemo 'regular expression' 'subject string'
Attachment 11527 is obsolete: 0 => 1
After discovering an error in the copy-pasted program after removing all the hidden characters (which involved a bit of research in ruby for a way to eliminate them and then some extra editing) and rediscovering that C expects quotes on strings, the test finally succeeded. Used the simplest example from the link in comment 4.

$ ./pcredemo '\d+.\d+.' '66.249.64.13 - - [18/Sep/2004:11:07:48 +1000] "GET /robots.txt HTTP/1.0" 200 468 "-" "Googlebot/2.1"'
Match succeeded at offset 0
 0: 66.249.
No named substrings

So this justifies the OK.
Thank you for your diligence, Len. Validating. Advisory in Comment 2.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => tmb
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0124.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
CVE-2019-20838 was fixed in 8.43, which we already had. CVE-2020-14155 was fixed in 8.44, i.e., in this update: https://ubuntu.com/security/notices/USN-5425-1
Summary: pcre new security issues fixed upstream in 8.44 => pcre new security issues fixed upstream in 8.44 (including CVE-2020-14155)