CVE-2016-3191 (retired)

Priority
Description
The compile_branch function in pcre_compile.c in PCRE 8.x before 8.39 and
pcre2_compile.c in PCRE2 before 10.22 mishandles patterns containing an
(*ACCEPT) substring in conjunction with nested parentheses, which allows
remote attackers to execute arbitrary code or cause a denial of service
(stack-based buffer overflow) via a crafted regular expression, as
demonstrated by a JavaScript RegExp object encountered by Konqueror, aka
ZDI-CAN-3542.
Notes
 mdeslaur> apply-upstream-revision-1631-closes-8159 in unstable
 mdeslaur> doesn't reproduce on precise
Package
Source: pcre2 (LP Ubuntu Debian)
Upstream: released (10.21-1)
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 LTS (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): not-affected (10.21-1)
Ubuntu 18.04 LTS (Bionic Beaver): not-affected (10.31-2)
Ubuntu 18.10 (Cosmic Cuttlefish): not-affected (10.31-3)
Ubuntu 19.04 (Disco Dingo): not-affected (10.32-4)
Patches:
Upstream: http://vcs.pcre.org/pcre2?view=revision&revision=489
Package
Source: pcre3 (LP Ubuntu Debian)
Upstream: released (2:8.38-2)
Ubuntu 12.04 ESM (Precise Pangolin): not-affected
Ubuntu 14.04 LTS (Trusty Tahr): released (1:8.31-2ubuntu2.2)
Ubuntu 16.04 LTS (Xenial Xerus): not-affected (2:8.38-3)
Ubuntu 18.04 LTS (Bionic Beaver): not-affected (2:8.38-3)
Ubuntu 18.10 (Cosmic Cuttlefish): not-affected (2:8.38-3)
Ubuntu 19.04 (Disco Dingo): not-affected (2:8.38-3)
Patches:
Upstream: http://vcs.pcre.org/pcre?view=revision&revision=1631

Updated: 2019-03-26 12:19:52 UTC (commit ccdecfcf0fead22bd291e5f4ea745a46872dcb15)