PublicDateAtUSN: 2014-12-16
Candidate: CVE-2014-8964
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8964
https://usn.ubuntu.com/usn/usn-2694-1
Heap-based buffer overflow in PCRE 8.36 and earlier allows remote attackers
to cause a denial of service (crash) or have other unspecified impact via a
crafted regular expression, related to an assertion that allows zero
sarnold> exploiting this requires allowing untrusted input as the regular
expression; that's usually not allowed for performance reasons but the
regex engine shouldn't allow overflows on untrusted inputs.
mdeslaur> reproducer in upstream bug
mdeslaur> does not reproduce in precise
http://bugs.exim.org/show_bug.cgi?id=1546
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770478
https://bugs.launchpad.net/ubuntu/+source/pcre3/+bug/1396768
Discovered-by: Michele Spagnuolo
upstream: http://www.exim.org/viewvc/pcre2?revision=154&view=revision
upstream: http://vcs.pcre.org/pcre?view=revision&revision=1513
vendor: https://bugzilla.redhat.com/show_bug.cgi?id=1166147#c8
upstream_pcre3: needed
lucid_pcre3: ignored (reached end-of-life)
precise_pcre3: not-affected (8.12-4)
trusty_pcre3: released (1:8.31-2ubuntu2.1)
utopic_pcre3: ignored (reached end-of-life)
vivid_pcre3: not-affected (2:8.35-3.3ubuntu1)
wily_pcre3: not-affected (2:8.35-3.3ubuntu1)
devel_pcre3: not-affected (2:8.35-3.3ubuntu1)
upstream_mariadb-10.0: needs-triage
precise_mariadb-10.0: DNE
trusty_mariadb-10.0: DNE
utopic_mariadb-10.0: DNE
vivid_mariadb-10.0: released (10.0.20-0ubuntu0.15.04.1)
wily_mariadb-10.0: released (10.0.20-0ubuntu0.15.04.1)
devel_mariadb-10.0: not-affected (10.0.22-0ubuntu1)
vivid/stable-phone-overlay_pcre3: released (2:8.35-3.3ubuntu1.1)
vivid/ubuntu-core_pcre3: released (2:8.35-3.3ubuntu1.1)