Format: 1.8
Date: Tue, 29 Dec 2015 09:19:11 +0100
Source: pcre3
Binary: libpcre3 libpcre3-udeb libpcrecpp0 libpcre3-dev libpcre3-dbg pcregrep
Architecture: source
Version: 2:8.35-3.3+deb8u2
Distribution: jessie
Urgency: medium
Maintainer: Mark Baker <mark@mnb.org.uk>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 794589 796762 806467
Description:
 libpcre3 - Perl 5 Compatible Regular Expression Library - runtime files
 libpcre3-dbg - Perl 5 Compatible Regular Expression Library - debug symbols
 libpcre3-dev - Perl 5 Compatible Regular Expression Library - development files
 libpcre3-udeb - Perl 5 Compatible Regular Expression Library - runtime files (ude (udeb)
 libpcrecpp0 - Perl 5 Compatible Regular Expression Library - C++ runtime files
 pcregrep - grep utility that uses perl 5 compatible regexes.
Changes:
 pcre3 (2:8.35-3.3+deb8u2) jessie; urgency=medium
 .
   * Non-maintainer upload.
   * Add additional CVE references and bug closer to previous changelog.
     CVE-2015-2327 fix was included in the previous 2:8.35-3.3+deb8u1 upload.
     CVE-2015-8384 different issue than CVE-2015-3210 but fixed with same
     commit.
     CVE-2015-8388 different issue than CVE-2015-5073 but fixed with same
     commit.
     Add bug closer to bugs in the BTS retrospectively.
   * Add 0001-Fix-compile-time-loop-for-recursive-reference-within.patch.
     CVE-2015-2328: Stack-based buffer overflow in compile_regex().
   * Add 794589-information-disclosure.patch.
     CVE-2015-8382: Fix "pcre_exec does not fill offsets for certain regexps"
     leading to information disclosure. (Closes: #794589)
   * Add 0001-Fix-buffer-overflow-for-repeated-conditional-when-re.patch.
     CVE-2015-8383: Buffer overflow caused by repeated conditional group.
   * Add 0001-Fix-named-forward-reference-to-duplicate-group-numbe.patch.
     CVE-2015-8385: Buffer overflow caused by forward reference by name to
     certain group.
   * Add 0001-Fix-buffer-overflow-for-lookbehind-within-mutually-r.patch.
     CVE-2015-8386: Buffer overflow caused by lookbehind assertion.
   * Add 0001-Add-integer-overflow-check-to-n-code.patch.
     CVE-2015-8387: Integer overflow in subroutine calls.
   * Add 0001-Fix-overflow-when-ovector-has-size-1.patch.
     CVE-2015-8380: Heap-based buffer overflow in pcre_exec.
     (Closes: #806467)
   * Add 0001-Fix-infinite-recursion-in-the-JIT-compiler-when-cert.patch.
     CVE-2015-8389: Infinite recursion in JIT compiler when processing certain
     patterns.
   * Add 0001-Fix-bug-for-classes-containing-sequences.patch.
     CVE-2015-8390: Reading from uninitialized memory when processing certain
     patterns.
   * Add 0001-Fix-run-for-ever-bug-for-deeply-nested-sequences.patch.
     CVE-2015-8391: Some pathological patterns causes pcre_compile() to run
     for a very long time.
   * Add 0001-Fix-buffer-overflow-for-named-references-in-situatio.patch.
     CVE-2015-8392: Buffer overflow caused by certain patterns with
     duplicated named groups.
   * Add 0001-Make-pcregrep-q-override-l-and-c-for-compatibility-w.patch.
     CVE-2015-8393: Information leak when running pcgrep -q on crafted
     binary.
   * Add 0001-Add-missing-integer-overflow-checks.patch.
     CVE-2015-8394: Integer overflow caused by missing check for certain
     conditions.
   * Add 0001-Hack-in-yet-other-patch-for-a-bug-in-size-computatio.patch.
     CVE-2015-8381: Heap Overflow in compile_regex().
     CVE-2015-8395: Buffer overflow caused by certain references.
     (Closes: #796762)
Checksums-Sha1:
 46e3a6b8646182fbad5e5f3419ecf73b79fe9c4f 1985 pcre3_8.35-3.3+deb8u2.dsc
 c5ed968e38eeb8c7f03c5f8bddc2fe8cc16d7d96 34594 pcre3_8.35-3.3+deb8u2.debian.tar.gz
Checksums-Sha256:
 59b440caac5376cb4df1617b4c9a7b4c3ec9d34dd79e222fd041e1cb6157fd17 1985 pcre3_8.35-3.3+deb8u2.dsc
 e44841b424bac5d292151ba9d4e2a56246064e506f18cc28422dd1f0c47d3095 34594 pcre3_8.35-3.3+deb8u2.debian.tar.gz
Files:
 ae29c623917e8d59b0f779409756fadd 1985 libs optional pcre3_8.35-3.3+deb8u2.dsc
 61d2cba984bae7f3c321b9a6e939120c 34594 libs optional pcre3_8.35-3.3+deb8u2.debian.tar.gz