[Secure-testing-commits] r38062 - data/CVE

Salvatore Bonaccorso carnil at moszumanska.debian.org
Wed Dec 2 21:16:45 UTC 2015


Author: carnil
Date: 2015-12-02 21:16:45 +0000 (Wed, 02 Dec 2015)
New Revision: 38062

Modified:
   data/CVE/list
Log:
Update information for CVE-2015-8386/pcre3

Modified: data/CVE/list
===================================================================
--- data/CVE/list	2015-12-02 21:10:16 UTC (rev 38061)
+++ data/CVE/list	2015-12-02 21:16:45 UTC (rev 38062)
@@ -6965,10 +6965,14 @@
 	TODO: check
 CVE-2015-8386 (PCRE before 8.38 mishandles the interaction of lookbehind assertions ...)
 	- pcre3 <unfixed>
+	[jessie] - pcre3 <no-dsa> (Minor issue)
+	[wheezy] - pcre3 <not-affected> (Vulnerable code introduced later)
+	[squeeze] - pcre3 <not-affected> (Vulnerable code introduced later)
 	NOTE: Fixed in 8.38
-	NOTE: http://vcs.pcre.org/pcre?view=revision&revision=1560
-	TODO: check
-CVE-2015-8385 (PCRE before 8.38 mishandles the /(?|(\k'Pm')|(?'Pm'))/ pattern and ...)
+	NOTE: Fixed by: http://vcs.pcre.org/pcre?view=revision&revision=1560
+	NOTE: Reproducer fails starting from at least http://vcs.pcre.org/pcre?view=revision&revision=1379
+	NOTE: but the patched code is as well already present in wheezy at least.
+CVE-2015-8385 [mishandles the /(?|(\k'Pm')|(?'Pm'))/ pattern and related patterns with certain forward references]
 	- pcre3 <unfixed>
 	[jessie] - pcre3 <no-dsa> (Minor issue)
 	[wheezy] - pcre3 <no-dsa> (Minor issue)




More information about the Secure-testing-commits mailing list