CVE-2016-3191

Priority
Description
The compile_branch function in pcre_compile.c in PCRE 8.x before 8.39 and
pcre2_compile.c in PCRE2 before 10.22 mishandles patterns containing an
(*ACCEPT) substring in conjunction with nested parentheses, which allows
remote attackers to execute arbitrary code or cause a denial of service
(stack-based buffer overflow) via a crafted regular expression, as
demonstrated by a JavaScript RegExp object encountered by Konqueror, aka
ZDI-CAN-3542.
Notes
mdeslaur: apply-upstream-revision-1631-closes-8159 in unstable
doesn't reproduce on precise
Package
Source: pcre2 (LP Ubuntu Debian)
Upstream: released (10.21-1)
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): not-affected (10.21-1)
Ubuntu 18.04 LTS (Bionic Beaver): not-affected (10.31-2)
Patches:
Upstream: http://vcs.pcre.org/pcre2?view=revision&revision=489
Package
Source: pcre3 (LP Ubuntu Debian)
Upstream: released (2:8.38-2)
Ubuntu 12.04 ESM (Precise Pangolin): not-affected
Ubuntu 14.04 ESM (Trusty Tahr): released (1:8.31-2ubuntu2.2)
Ubuntu 16.04 LTS (Xenial Xerus): not-affected (2:8.38-3)
Ubuntu 18.04 LTS (Bionic Beaver): not-affected (2:8.38-3)
Patches:
Upstream: http://vcs.pcre.org/pcre?view=revision&revision=1631

Updated: 2020-09-10 05:09:35 UTC (commit 81a23a978c4436cd99e1d040e9e73e9146876281)