[SECURITY] Fedora 22 Update: pcre-8.38-1.fc22

updates at fedoraproject.org updates at fedoraproject.org
Mon Jan 4 19:59:47 UTC 2016

Fedora Update Notification
2016-01-04 16:02:44.028960

Name        : pcre
Product     : Fedora 22
Version     : 8.38
Release     : 1.fc22
URL         : http://www.pcre.org/
Summary     : Perl-compatible regular expression library
Description :
Perl-compatible regular expression library.
PCRE has its own native API, but a set of "wrapper" functions that are based on
the POSIX API are also supplied in the library libpcreposix. Note that this
just provides a POSIX calling interface to PCRE: the regular expressions
themselves still follow Perl syntax and semantics. The header file
for the POSIX-style functions is called pcreposix.h.

Update Information:

This release fixes these vulnerabilies: CVE-2015-8383, CVE-2015-8386,
CVE-2015-8387, CVE-2015-8389, CVE-2015-8390, CVE-2015-8391, CVE-2015-8393,
CVE-2015-8394. It also fixes compiling comments with auto-callouts, compiling
expressions with negated classes in UCP mode, compiling expressions with an
isolated \E between an item and its qualifier with auto-callouts, a crash in
regexec() if REG_STARTEND option is set and pmatch argument is NULL, a stack
overflow when formatting a 32-bit integer in pcregrep tool, compiling
expressions with an empty \Q\E sequence between an item and its qualifier with
auto-callouts, compiling expressions with global extended modifier that is
disabled by local no-extended option at the start of the expression just after a
whitespace, a possible crash in pcre_copy_named_substring() if a named substring
has number greater than the space in the ovector, a buffer overflow when
compiling an expression with named groups with a group that reset capture
numbers, and a crash in pcre_get_substring_list() if the use of \K caused the
start of the match to be earlier than the end.

  [ 1 ] Bug #1287614 - CVE-2015-8383 pcre: Buffer overflow caused by repeated conditional group
  [ 2 ] Bug #1287636 - CVE-2015-8386 pcre: Buffer overflow caused by lookbehind assertion
  [ 3 ] Bug #1287646 - CVE-2015-8387 pcre: Integer overflow in subroutine calls
  [ 4 ] Bug #1287659 - CVE-2015-8389 pcre: Infinite recursion in JIT compiler when processing certain patterns
  [ 5 ] Bug #1287666 - CVE-2015-8390 pcre: Reading from uninitialized memory when processing certain patterns
  [ 6 ] Bug #1287671 - CVE-2015-8391 pcre: Some pathological patterns causes pcre_compile() to run for a very long time
  [ 7 ] Bug #1287695 - CVE-2015-8393 pcre: Information leak when running pcgrep -q on crafted binary
  [ 8 ] Bug #1287702 - CVE-2015-8394 pcre: Integer overflow caused by missing check for certain conditions

This update can be installed with the "yum" update program. Use
su -c 'yum update pcre' at the command line.
For more information, refer to "Managing Software with yum",
available at https://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at

More information about the package-announce mailing list