CVE-2014-8964
Published: 16 December 2014
Heap-based buffer overflow in PCRE 8.36 and earlier allows remote attackers to cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats.
Notes
| Author | Note |
|---|---|
| seth-arnold | exploiting this requires allowing untrusted input as the regular expression; that's usually not allowed for performance reasons but the regex engine shouldn't allow overflows on untrusted inputs. |
| mdeslaur | reproducer in upstream bug does not reproduce in precise |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
mariadb-10.0 Launchpad, Ubuntu, Debian |
precise |
Does not exist
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| utopic |
Does not exist
|
|
| vivid |
Released
(10.0.20-0ubuntu0.15.04.1)
|
|
| wily |
Released
(10.0.20-0ubuntu0.15.04.1)
|
|
|
pcre3 Launchpad, Ubuntu, Debian |
lucid |
Ignored
(end of life)
|
| precise |
Not vulnerable
(8.12-4)
|
|
| trusty |
Released
(1:8.31-2ubuntu2.1)
|
|
| upstream |
Needed
|
|
| utopic |
Ignored
(end of life)
|
|
| vivid |
Not vulnerable
(2:8.35-3.3ubuntu1)
|
|
| wily |
Not vulnerable
(2:8.35-3.3ubuntu1)
|
|
|
Patches: upstream: http://www.exim.org/viewvc/pcre2?revision=154&view=revision upstream: http://vcs.pcre.org/pcre?view=revision&revision=1513 vendor: https://bugzilla.redhat.com/show_bug.cgi?id=1166147#c8 |
||