CVE-2015-2325

Priority
Description
The compile_branch function in PCRE before 8.37 allows context-dependent
attackers to compile incorrect code, cause a denial of service
(out-of-bounds heap read and crash), or possibly have other unspecified
impact via a regular expression with a group containing a forward reference
repeated a large number of times within a repeated outer group that has a
zero minimum quantifier.
Assigned-to
mdeslaur
Notes
tyhicksUnable to trigger the overflow in Vivid, Utopic, or Trusty.
sarnoldseyeongkim reports that he was able to reproduce the issue
on vivid and wily
mdeslaurvalgrind does show an invalid read, even if it doesn't end in
a crash
can't reproduce on precise

was supposed to be fixed in wily (2:8.35-7ubuntu2) but got
reverted in (2:8.35-7ubuntu5) by mistake

CVE-2015-2325_CVE-2015-2326_CVE-2015-3210_CVE-2015-5073.patch
in jessie
Package
Source: pcre3 (LP Ubuntu Debian)
Upstream:needed
Ubuntu 14.04 ESM (Trusty Tahr):released (1:8.31-2ubuntu2.1)
Ubuntu 16.04 LTS (Xenial Xerus):not-affected (2:8.38-3)
Patches:
Upstream:http://vcs.pcre.org/pcre?view=revision&revision=1528
More Information

Updated: 2020-09-10 04:40:11 UTC (commit 81a23a978c4436cd99e1d040e9e73e9146876281)