[security-announce] libpcre: Upgrade to libpcre_8.38 to address multiple CVEs: Security Update

Sona Sarmadi sona.sarmadi at enea.com
Thu Mar 24 08:25:30 CET 2016


	Enea Linux Security Advisory

=========================================================
Product/package: libpcre_8.35 -> libpcre_8.38/Enea Linux 5.0
Severity: Medium
CVE Name: See below
Layer: meta
=========================================================

The security update (libpcre_8.35 upgrade to libpcre_8.38) addresses the
following vulnerabilities:

CVE-2015-3210 pcre: heap buffer overflow in pcre_compile2() /
compile_regex()
CVE-2015-3217 pcre: stack overflow in match()
CVE-2015-5073 CVE-2015-8388 pcre: Buffer overflow caused by certain
patterns with an unmatched closing parenthesis
CVE-2015-8380 pcre: Heap-based buffer overflow in pcre_exec
CVE-2015-8381 pcre: Heap Overflow in compile_regex()
CVE-2015-8383 pcre: Buffer overflow caused by repeated conditional group
CVE-2015-8384 pcre: Buffer overflow caused by recursive back reference
by name within certain group
CVE-2015-8385 pcre: Buffer overflow caused by forward reference by name
to certain group
CVE-2015-8386 pcre: Buffer overflow caused by lookbehind assertion
CVE-2015-8387 pcre: Integer overflow in subroutine calls
CVE-2015-8389 pcre: Infinite recursion in JIT compiler when processing
certain patterns
CVE-2015-8390 pcre: Reading from uninitialized memory when processing
certain patterns
CVE-2015-8392 pcre: Buffer overflow caused by certain patterns with
duplicated named groups
CVE-2015-8393 pcre: Information leak when running pcgrep -q on crafted
binary
CVE-2015-8394 pcre: Integer overflow caused by missing check for certain
conditions
CVE-2015-8395 pcre: Buffer overflow caused by certain references
CVE-2016-1283 pcre: Heap buffer overflow in pcre_compile2 causes DoS


References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-3210
http://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?h=jethro&id=049be17b533d7c592dae8e0f33ddbae54639a776


Reference to upstream changelog:
http://www.pcre.org/original/changelog.txt

Correction for Enea Linux 5.0:
http://git.enea.com/cgit/linux/poky.git/commit/?h=dizzy&id=8aa66d3b1a976786c4f794e76f8386dc7f2667e5

How to get the latest patches
=============================
- If you have already cloned needed repositories, update it to get new
security patches.

cd Enea-Linux-5.0/poky
git pull

- If you have not yet cloned needed repositories, do it as described
below. (All patches are fetched implicitly when cloning the repos).

mkdir Enea-Linux-5.0
git -C Enea-Linux-5.0 clone -b dizzy git://git.enea.com/linux/poky.git
POKY=Enea-Linux-5.0/poky
git -C $POKY clone -b dizzy git://git.enea.com/linux/meta-enea.git
git -C $POKY clone -b dizzy git://git.enea.com/linux/meta-fsl-ppc.git
git -C $POKY clone -b dizzy git://git.enea.com/linux/meta-
hierofalcon.git
git -C $POKY clone -b dizzy git://git.enea.com/linux/meta-linaro.git
git -C $POKY clone -b dizzy git://git.enea.com/linux/meta-
openembedded.git
git -C $POKY clone -b dizzy
git://git.enea.com/linux/meta-virtualization.git
git -C $POKY/meta-enea clone -b dizzy
git://git.enea.com/linux/meta-enea/meta-vt.git

If you have any questions regarding the security patches and security
updates please contact security at enea.com.

Enea Security Team
Sona Sarmadi
Mobile: +46 70 971 4475
www.enea.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: <http://mail.lists.enea.com/pipermail/security-announce/attachments/20160324/1b711f16/attachment-0002.sig>


More information about the security-announce mailing list