Format: 1.8 Date: Fri, 27 Jan 2017 15:16:02 -0600 Source: pcre3 Binary: libpcre3 libpcre3-udeb libpcrecpp0 libpcre3-dev libpcre3-dbg pcregrep Architecture: source Version: 2:8.35-3.3ubuntu1.3 Distribution: vivid-security Urgency: medium Maintainer: Ubuntu Developers Changed-By: Emily Ratliff Description: libpcre3 - Perl 5 Compatible Regular Expression Library - runtime files libpcre3-dbg - Perl 5 Compatible Regular Expression Library - debug symbols libpcre3-dev - Perl 5 Compatible Regular Expression Library - development files libpcre3-udeb - Perl 5 Compatible Regular Expression Library - runtime files (ude (udeb) libpcrecpp0 - Perl 5 Compatible Regular Expression Library - C++ runtime files pcregrep - grep utility that uses perl 5 compatible regexes. Changes: pcre3 (2:8.35-3.3ubuntu1.3) vivid-security; urgency=medium . * SECURITY UPDATE: fix multiple security issues by applying patches from Debian jessie package: - 0001-Fix-compile-time-loop-for-recursive-reference-within.patch - 794589-information-disclosure.patch - 0001-Fix-buffer-overflow-for-repeated-conditional-when-re.patch - 0001-Fix-named-forward-reference-to-duplicate-group-numbe.patch - 0001-Fix-buffer-overflow-for-lookbehind-within-mutually-r.patch - 0001-Add-integer-overflow-check-to-n-code.patch - 0001-Fix-overflow-when-ovector-has-size-1.patch - 0001-Fix-infinite-recursion-in-the-JIT-compiler-when-cert.patch - 0001-Fix-bug-for-classes-containing-sequences.patch - 0001-Fix-run-for-ever-bug-for-deeply-nested-sequences.patch - 0001-Fix-buffer-overflow-for-named-references-in-situatio.patch - 0001-Make-pcregrep-q-override-l-and-c-for-compatibility-w.patch - 0001-Add-missing-integer-overflow-checks.patch - 0001-Hack-in-yet-other-patch-for-a-bug-in-size-computatio.patch - debian/patches/fix_test11.patch: fix test failure caused by 0001-Fix-buffer-overflow-for-named-references-in-situatio.patch. - debian/patches/fix_typo_in_jit.patch: fix typo in commit in 0001-Fix-infinite-recursion-in-the-JIT-compiler-when-cert.patch. - CVE-2015-2327, CVE-2015-2328, CVE-2015-8380, CVE-2015-8381, CVE-2015-8382, CVE-2015-8383, CVE-2015-8384, CVE-2015-8385, CVE-2015-8386, CVE-2015-8387, CVE-2015-8388, CVE-2015-8389, CVE-2015-8390, CVE-2015-8391, CVE-2015-8392, CVE-2015-8393, CVE-2015-8394, CVE-2015-8395 * SECURITY UPDATE: denial of service and possible code execution via crafted regular expression - debian/patches/CVE-2016-1283.patch: fix another duplicate name issue in pcre_compile.c, add tests to testdata/testinput2, testdata/testoutput2. - CVE-2016-1283 * SECURITY UPDATE: denial of service via pattern containing (*ACCEPT) substring with nested parantheses - debian/patches/apply-upstream-revision-1631-closes-8159: fix workspace overflow for (*ACCEPT) with deeply nested parentheses in pcreposix.c, pcre_compile.c, pcre_internal.h, add tests to testdata/testoutput11-8, testdata/testoutput11-16, testdata/testinput11, testdata/testoutput11-32. - CVE-2016-3191 * SECURITY UPDATE: nested alternatives segfault when JIT is used - debian/patches/CVE-2014-9769.patch: fixed issue with nested table jumps in pcre_jit_compile.c, added test to testdata/testinput1, testdata/testoutput1. - CVE-2014-9769 Checksums-Sha1: 689e899583df7a32412ac3dfcfefb100582a9c77 2070 pcre3_8.35-3.3ubuntu1.3.dsc 7dc7bee43a83b3d07f73fff8b206bd6c04dee13b 42941 pcre3_8.35-3.3ubuntu1.3.debian.tar.gz Checksums-Sha256: 72eb851a7f01881ca88e182124a51ca1a77c6e04ae31b4c1913ea86fb5c68244 2070 pcre3_8.35-3.3ubuntu1.3.dsc 04d684a8eb5e5ab029123a3b05e76084181038cfb46e3154791f94ba2672f8ca 42941 pcre3_8.35-3.3ubuntu1.3.debian.tar.gz Files: 81fea4e65ad410db4ed9c8221b568324 2070 libs optional pcre3_8.35-3.3ubuntu1.3.dsc bae72eb6bd87478ed8a796d3d3c8833a 42941 libs optional pcre3_8.35-3.3ubuntu1.3.debian.tar.gz Original-Maintainer: Mark Baker