Debian Package Tracker

general

source: pcre3 (source, libs)
version: 2:8.39-3
maintainer: Matthew Vernon [DMD]
arch: any
std-ver: 3.9.3

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 1:8.30-5
oldstable: 2:8.35-3.3+deb8u4
stable: 2:8.39-3
testing: 2:8.39-3
unstable: 2:8.39-3

versioned links

1:8.30-5: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2:8.35-3.3+deb8u4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2:8.39-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libpcre16-3
libpcre3
libpcre3-dbg
libpcre3-dev
libpcre3-udeb
libpcre32-3
libpcrecpp0v5
pcregrep

action needed

A new upstream version is available: 8.40

high

A new upstream version 8.40 is available, you should consider packaging it.

Created: 2017-01-17 Last update: 2017-06-29 07:19

lintian reports 2 errors and 11 warnings

high

Lintian reports 2 errors and 11 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2014-07-03 Last update: 2017-02-19 01:05

4 bugs tagged patch in the BTS

normal

The BTS contains patches fixing 4 bugs, consider including or untagging them.

Created: 2017-01-17 Last update: 2017-06-29 07:05

14 ignored security issues in wheezy

low

There are 14 open security issues in wheezy.

14 issues skipped by the security teams:

CVE-2015-8382: The match function in pcre_exec.c in PCRE before 8.37 mishandles the /(?:((abcd))|(((?:(?:(?:(?:abc|(?:abcdef))))b)abcdefghi)abc)|((*ACCEPT)))/ pattern and related patterns involving (*ACCEPT), which allows remote attackers to obtain sensitive information from process memory or cause a denial of service (partially initialized memory and application crash) via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror, aka ZDI-CAN-2547.
CVE-2015-8394: PCRE before 8.38 mishandles the (?(<digits>) and (?(R<digits>) conditions, which allows remote attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.
CVE-2015-8393: pcregrep in PCRE before 8.38 mishandles the -q option for binary files, which might allow remote attackers to obtain sensitive information via a crafted file, as demonstrated by a CGI script that sends stdout data to a client.
CVE-2015-8385: PCRE before 8.38 mishandles the /(?|(\k'Pm')|(?'Pm'))/ pattern and related patterns with certain forward references, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.
CVE-2015-8391: The pcre_compile function in pcre_compile.c in PCRE before 8.38 mishandles certain [: nesting, which allows remote attackers to cause a denial of service (CPU consumption) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.
CVE-2015-8387: PCRE before 8.38 mishandles (?123) subroutine calls and related subroutine calls, which allows remote attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.
CVE-2015-8388: PCRE before 8.38 mishandles the /(?=di(?<=(?1))|(?=(.))))/ pattern and related patterns with an unmatched closing parenthesis, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.
CVE-2015-8390: PCRE before 8.38 mishandles the [: and \\ substrings in character classes, which allows remote attackers to cause a denial of service (uninitialized memory read) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.
CVE-2016-3191: The compile_branch function in pcre_compile.c in PCRE 8.x before 8.39 and pcre2_compile.c in PCRE2 before 10.22 mishandles patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allows remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror, aka ZDI-CAN-3542.
CVE-2015-2328: PCRE before 8.36 mishandles the /((?(R)a|(?1)))+/ pattern and related patterns with certain recursion, which allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.
CVE-2015-5073: Heap-based buffer overflow in the find_fixedlength function in pcre_compile.c in PCRE before 8.38 allows remote attackers to cause a denial of service (crash) or obtain sensitive information from heap memory and possibly bypass the ASLR protection mechanism via a crafted regular expression with an excess closing parenthesis.
CVE-2015-2327: PCRE before 8.36 mishandles the /(((a\2)|(a*)\g<-1>))*/ pattern and related patterns with certain internal recursive back references, which allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.
CVE-2015-3217: PCRE 7.8 and 8.32 through 8.37, and PCRE2 10.10 mishandle group empty matches, which might allow remote attackers to cause a denial of service (stack-based buffer overflow) via a crafted regular expression, as demonstrated by /^(?:(?(1)\\.|([^\\\\W_])?)+)+$/.
CVE-2014-8964: Heap-based buffer overflow in PCRE 8.36 and earlier allows remote attackers to cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats.

Please fix them.

Created: 2015-07-12 Last update: 2017-06-18 08:29

4 ignored security issues in jessie

low

There are 4 open security issues in jessie.

4 issues skipped by the security teams:

TEMP-0827564-93E4E3:
CVE-2017-7186: libpcre1 in PCRE 8.40 and libpcre2 in PCRE2 10.23 allow remote attackers to cause a denial of service (segmentation violation for read access, and application crash) by triggering an invalid Unicode property lookup.
CVE-2015-3217: PCRE 7.8 and 8.32 through 8.37, and PCRE2 10.10 mishandle group empty matches, which might allow remote attackers to cause a denial of service (stack-based buffer overflow) via a crafted regular expression, as demonstrated by /^(?:(?(1)\\.|([^\\\\W_])?)+)+$/.
CVE-2017-7244: The _pcre32_xclass function in pcre_xclass.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (invalid memory read) via a crafted file.

Please fix them.

Created: 2015-07-12 Last update: 2017-06-18 08:29

Build log checks report 2 warnings

low

Build log checks report 2 warnings

Created: 2014-07-24 Last update: 2014-10-04 06:03

Standards version of the package is outdated.

wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 3.9.8 instead of 3.9.3).

Created: 2014-07-12 Last update: 2017-03-22 06:56

news

[rss feed]

[2017-03-31] pcre3 2:8.39-3 MIGRATED to testing (Debian testing watch)
[2017-03-21] Accepted pcre3 2:8.39-3 (i386 source) into unstable (Matthew Vernon)
[2017-02-28] pcre3 2:8.39-2.1 MIGRATED to testing (Debian testing watch)
[2017-02-17] Accepted pcre3 2:8.39-2.1 (source) into unstable (Salvatore Bonaccorso)
[2016-10-10] Accepted pcre3 2:8.35-3.3+deb8u4~kbsd8u1 (source) into stable-kfreebsd-proposed-updates (Steven Chamberlain)
[2016-08-30] pcre3 2:8.39-2 MIGRATED to testing (Debian testing watch)
[2016-08-19] Accepted pcre3 2:8.39-2 (i386 source) into unstable (Matthew Vernon)
[2016-08-03] pcre3 2:8.39-1 MIGRATED to testing (Debian testing watch)
[2016-07-28] Accepted pcre3 2:8.39-1 (i386 source) into unstable (Matthew Vernon)
[2016-03-28] pcre3 2:8.38-3.1 MIGRATED to testing (Debian testing watch)
[2016-03-26] Accepted pcre3 2:8.35-3.3+deb8u4 (source) into proposed-updates->stable-new, proposed-updates (Salvatore Bonaccorso)
[2016-03-25] Accepted pcre3 2:8.35-3.3+deb8u3 (source) into proposed-updates->stable-new, proposed-updates (Salvatore Bonaccorso)
[2016-03-23] Accepted pcre3 2:8.38-3.1 (source) into unstable (Salvatore Bonaccorso)
[2016-03-10] pcre3 2:8.38-3 MIGRATED to testing (Debian testing watch)
[2016-02-29] Accepted pcre3 8.02-1.1+deb6u1 (source amd64) into squeeze-lts (Markus Koschany)
[2016-02-28] Accepted pcre3 2:8.38-3 (i386 source) into unstable (Matthew Vernon)
[2016-02-27] Accepted pcre3 2:8.38-2 (i386 source) into unstable (Matthew Vernon)
[2016-01-11] pcre3 2:8.38-1 MIGRATED to testing (Debian testing watch)
[2016-01-10] Accepted pcre3 2:8.35-3.3+deb8u2 (source) into proposed-updates->stable-new, proposed-updates (Salvatore Bonaccorso)
[2015-12-22] Accepted pcre3 2:8.38-1 (i386 source) into unstable (Matthew Vernon)
[2015-12-02] pcre3 2:8.35-8 MIGRATED to testing (Britney)
[2015-11-21] Accepted pcre3 2:8.35-8 (i386 source) into unstable (Matthew Vernon)
[2015-11-08] pcre3 2:8.35-7.4 MIGRATED to testing (Britney)
[2015-11-02] Accepted pcre3 2:8.35-7.4 (source amd64) into unstable (John Paul Adrian Glaubitz)
[2015-11-02] Accepted pcre3 2:8.35-7.3 (source amd64) into unstable (John Paul Adrian Glaubitz)
[2015-09-22] pcre3 2:8.35-7.2 MIGRATED to testing (Britney)
[2015-09-18] Accepted pcre3 2:8.35-3.3+deb8u1 (source amd64) into proposed-updates->stable-new, proposed-updates (Moritz Muehlenhoff) (signed by: Moritz Mühlenhoff)
[2015-09-11] Accepted pcre3 2:8.35-7.2 (source) into unstable (Salvatore Bonaccorso)
[2015-09-07] pcre3 2:8.35-7.1 MIGRATED to testing (Britney)
[2015-08-06] Accepted pcre3 2:8.35-7.1 (source amd64) into unstable, unstable (Matthias Klose)

bugs [bug history graph]

all: 31 33
RC: 0
I&N: 20 22
M&W: 11
F&P: 0

links

lintian (2, 11)
buildd: logs, checks, clang, reproducibility
popcon
browse source code
edit tags
security tracker

ubuntu

[Information about Ubuntu for Debian Developers]

version: 2:8.39-3
18 bugs