CVE-2014-8964

Published: 16 December 2014

Heap-based buffer overflow in PCRE 8.36 and earlier allows remote attackers to cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats.

Priority

Low

Status

Package Release Status
mariadb-10.0
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

pcre3
Launchpad, Ubuntu, Debian
Upstream Needed

Ubuntu 14.04 ESM (Trusty Tahr)
Released (1:8.31-2ubuntu2.1)
Patches:
Upstream: http://www.exim.org/viewvc/pcre2?revision=154&view=revision
Upstream: http://vcs.pcre.org/pcre?view=revision&revision=1513
Vendor: https://bugzilla.redhat.com/show_bug.cgi?id=1166147#c8

Notes

AuthorNote
seth-arnold
exploiting this requires allowing untrusted input as the regular
expression; that's usually not allowed for performance reasons but the
regex engine shouldn't allow overflows on untrusted inputs.
mdeslaur
reproducer in upstream bug
does not reproduce in precise

References

Bugs