CVE-2016-3191 (retired)

Priority
Description
The compile_branch function in pcre_compile.c in PCRE 8.x before 8.39 and
pcre2_compile.c in PCRE2 before 10.22 mishandles patterns containing an
(*ACCEPT) substring in conjunction with nested parentheses, which allows
remote attackers to execute arbitrary code or cause a denial of service
(stack-based buffer overflow) via a crafted regular expression, as
demonstrated by a JavaScript RegExp object encountered by Konqueror, aka
ZDI-CAN-3542.
Notes
mdeslaur: apply-upstream-revision-1631-closes-8159 in unstable
doesn't reproduce on precise
Package
Source: pcre2 (LP Ubuntu Debian)
Upstream: released (10.21-1)
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 16.04 LTS (Xenial Xerus): not-affected (10.21-1)
Ubuntu 18.04 LTS (Bionic Beaver): not-affected (10.31-2)
Ubuntu 19.04 (Disco Dingo): not-affected (10.32-4)
Patches:
Upstream: http://vcs.pcre.org/pcre2?view=revision&revision=489
Package
Source: pcre3 (LP Ubuntu Debian)
Upstream: released (2:8.38-2)
Ubuntu 12.04 ESM (Precise Pangolin): not-affected
Ubuntu 16.04 LTS (Xenial Xerus): not-affected (2:8.38-3)
Ubuntu 18.04 LTS (Bionic Beaver): not-affected (2:8.38-3)
Ubuntu 19.04 (Disco Dingo): not-affected (2:8.38-3)
Patches:
Upstream: http://vcs.pcre.org/pcre?view=revision&revision=1631

Updated: 2019-10-09 07:56:00 UTC (commit 33aea848a182c0afcd0a3f927a01a7ecd9a061ee)