Your submission was sent successfully! Close

CVE-2014-8964

Published: 16 December 2014

Heap-based buffer overflow in PCRE 8.36 and earlier allows remote attackers to cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats.

Notes

AuthorNote
seth-arnold
exploiting this requires allowing untrusted input as the regular
expression; that's usually not allowed for performance reasons but the
regex engine shouldn't allow overflows on untrusted inputs.
mdeslaur
reproducer in upstream bug
does not reproduce in precise
Priority

Low

Status

Package Release Status
mariadb-10.0
Launchpad, Ubuntu, Debian
precise Does not exist

trusty Does not exist

upstream Needs triage

utopic Does not exist

vivid
Released (10.0.20-0ubuntu0.15.04.1)
wily
Released (10.0.20-0ubuntu0.15.04.1)
pcre3
Launchpad, Ubuntu, Debian
lucid Ignored
(reached end-of-life)
precise Not vulnerable
(8.12-4)
trusty
Released (1:8.31-2ubuntu2.1)
upstream Needed

utopic Ignored
(reached end-of-life)
vivid Not vulnerable
(2:8.35-3.3ubuntu1)
wily Not vulnerable
(2:8.35-3.3ubuntu1)
Patches:
upstream: http://www.exim.org/viewvc/pcre2?revision=154&view=revision
upstream: http://vcs.pcre.org/pcre?view=revision&revision=1513
vendor: https://bugzilla.redhat.com/show_bug.cgi?id=1166147#c8