The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of PCRE: multiple vulnerabilities

Synthesis of the vulnerability 

An attacker can use several vulnerabilities of PCRE.
Vulnerable products: Blue Coat CAS, ProxySG by Blue Coat, SGOS by Blue Coat, BIG-IP Hardware, TMOS, Fedora, openSUSE Leap, RHEL, Nessus, Ubuntu, Unix (platform) ~ not comprehensive.
Severity of this weakness: 2/4.
Number of vulnerabilities in this bulletin: 14.
Creation date: 02/12/2015.
References of this bulletin: CERTFR-2018-AVI-288, CVE-2015-8382, CVE-2015-8383, CVE-2015-8384, CVE-2015-8385, CVE-2015-8386, CVE-2015-8387, CVE-2015-8388, CVE-2015-8389, CVE-2015-8390, CVE-2015-8391, CVE-2015-8392, CVE-2015-8393, CVE-2015-8394, CVE-2015-8395, FEDORA-2015-eb896290d3, FEDORA-2016-f59a8ff5d0, FEDORA-2016-fd1199dbe2, K05428062, K20225390, openSUSE-SU-2016:3099-1, RHSA-2016:1025-01, RHSA-2016:1132-01, RHSA-2016:2750-01, SA128, SOL05428062, SOL20225390, TNS-2018-08, USN-2943-1, VIGILANCE-VUL-18414.

Description of the vulnerability 

Several vulnerabilities were announced in PCRE.

An attacker can force a read at an invalid address in pcre_exec.c, in order to trigger a denial of service. [severity:1/4; CVE-2015-8382]

An attacker can generate a buffer overflow in conditional groups, in order to trigger a denial of service, and possibly to run code. [severity:2/4; CVE-2015-8383]

An attacker can generate an infinite loop in Recursive Back References, in order to trigger a denial of service. [severity:1/4; CVE-2015-8384]

An attacker can generate a buffer overflow in Forward References, in order to trigger a denial of service, and possibly to run code. [severity:2/4; CVE-2015-8385]

An attacker can generate a buffer overflow in Lookbehind Assertions, in order to trigger a denial of service, and possibly to run code. [severity:2/4; CVE-2015-8386]

An attacker can generate an integer overflow in Subroutine Calls, in order to trigger a denial of service, and possibly to run code. [severity:2/4; CVE-2015-8387]

An attacker can generate a buffer overflow in Unmatched Closing Parenthesis, in order to trigger a denial of service, and possibly to run code. [severity:2/4; CVE-2015-8388]

An attacker can generate an infinite loop, in order to trigger a denial of service. [severity:1/4; CVE-2015-8389]

An attacker can force a read at an invalid address in Character Classes, in order to trigger a denial of service. [severity:1/4; CVE-2015-8390]

An attacker can generate an infinite loop in pcre_compile, in order to trigger a denial of service. [severity:1/4; CVE-2015-8391]

An attacker can generate a buffer overflow, in order to trigger a denial of service, and possibly to run code. [severity:2/4; CVE-2015-8392]

An attacker can exploit the mishandling of the -q (quiet) option of pcregrep on binary files, in order to obtain sensitive information. [severity:2/4; CVE-2015-8393]

An attacker can generate an integer overflow in Conditions, in order to trigger a denial of service, and possibly to run code. [severity:2/4; CVE-2015-8394]

An attacker can trigger a fatal error in References, in order to trigger a denial of service. [severity:1/4; CVE-2015-8395]
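All of the library issues above are triggered by the content of the pattern handed to pcre_compile (the pcregrep item is the exception), so the exposure is highest where an application compiles attacker-controlled regular expressions. The following added example, which is not code from the Vigil@nce bulletin or from the PCRE project, gates untrusted patterns down to a small allow-listed grammar and caps their size before they reach the library. The size limits and the accepted subset are assumptions made for the illustration; the fix for the bulletin itself remains the upgrade to PCRE 8.38.

```python
"""Gate untrusted regular expressions before they reach pcre_compile().

Added example, not part of the Vigil@nce bulletin or of PCRE. The limits
below are assumed values for the illustration, not numbers from the bulletin.
"""
import re
from typing import List

MAX_PATTERN_LEN = 256   # assumed cap on pattern size
MAX_GROUP_DEPTH = 8     # assumed cap on nested groups
MAX_REPEAT = 1000       # assumed cap on {m,n} repeat counts

# In PCRE a backslash before a non-alphanumeric character is always a literal,
# so only these escape letters are accepted. \1, \g{..}, \k<..>, \R, \Q..\E,
# \p{..}, \x.. and the rest are rejected, which removes back references,
# subroutine calls and the other rich syntax named in the bulletin.
SAFE_ESCAPE_LETTERS = set("dDsSwWbBnrtfv")


def validate_untrusted_pattern(pattern: str) -> List[str]:
    """Return the reasons for rejecting `pattern`; an empty list means accepted.

    Accepted: literals, escaped metacharacters, \\d \\s \\w (and negations),
    bracket classes, alternation, ? * + {m,n}, plain capturing groups and
    non-capturing groups "(?:". Every other "(?" construct is refused:
    conditionals (?(, lookbehind (?<= (?<!, recursion and subroutine calls
    (?R) (?1) (?&name), named groups and inline option settings.
    """
    reasons: List[str] = []
    if len(pattern) > MAX_PATTERN_LEN:
        reasons.append(f"pattern longer than {MAX_PATTERN_LEN} characters")

    depth = max_depth = 0
    in_class = False
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "\\":
            if i + 1 >= n:
                reasons.append("trailing backslash")
                break
            nxt = pattern[i + 1]
            if nxt.isalnum() and nxt not in SAFE_ESCAPE_LETTERS:
                reasons.append(f"disallowed escape \\{nxt} at offset {i}")
            i += 2
            continue
        if in_class:
            if c == "]":
                in_class = False
            i += 1
            continue
        if c == "[":
            in_class = True
            i += 1
            if i < n and pattern[i] == "^":
                i += 1
            if i < n and pattern[i] == "]":   # ']' first in a class is a literal
                i += 1
            continue
        if c == "(":
            if pattern.startswith("(?", i) and not pattern.startswith("(?:", i):
                reasons.append(f"disallowed group construct {pattern[i:i + 4]!r} at offset {i}")
            depth += 1
            max_depth = max(max_depth, depth)
        elif c == ")":
            if depth == 0:
                reasons.append(f"unmatched ')' at offset {i}")
            else:
                depth -= 1
        elif c == "{":
            m = re.match(r"\{(\d+)(?:,(\d*))?\}", pattern[i:])
            if m and max(int(x) for x in m.groups() if x) > MAX_REPEAT:
                reasons.append(f"repeat count above {MAX_REPEAT} at offset {i}")
        i += 1

    if in_class:
        reasons.append("unterminated character class")
    if depth:
        reasons.append(f"{depth} unclosed '('")
    if max_depth > MAX_GROUP_DEPTH:
        reasons.append(f"group nesting deeper than {MAX_GROUP_DEPTH}")
    return reasons
```

Allowing only "(?:" among the "(?" constructs removes conditional groups, lookbehind assertions, recursion and subroutine calls in one rule; refusing backslash-digit, \g and \k removes back references; the parenthesis counter catches the unmatched closing parenthesis case. A pattern that fails the gate should be refused outright, not "repaired", since the application cannot know which repair the caller intended.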

This cybersecurity threat impacts software or systems such as Blue Coat CAS, ProxySG by Blue Coat, SGOS by Blue Coat, BIG-IP Hardware, TMOS, Fedora, openSUSE Leap, RHEL, Nessus, Ubuntu, Unix (platform) ~ not comprehensive.

Our Vigil@nce team determined that the severity of this computer threat note is medium.

Trust level: confirmed by the vendor (origin: vendor document).

This bulletin is about 14 vulnerabilities.

An attacker needs expert skills to exploit this security threat.

Solutions for this threat 

PCRE: version 8.38.
The version 8.38 is fixed:
  ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/

Blue Coat ProxySG: versions 6.5.9.11 and 6.6.5.1.
Versions 6.5.9.11 and 6.6.5.1 are fixed.

F5 BIG-IP: solution for PCRE.
The solution is described in the F5 articles K05428062 and K20225390 (formerly SOL05428062 and SOL20225390) listed in the references.

Fedora 22: new pcre packages.
New packages are available:
  Fedora 22: pcre 8.38-1.fc22

Fedora: new mingw-pcre packages.
New packages are available:
  Fedora 22: mingw-pcre 8.38-1.fc22
  Fedora 23: mingw-pcre 8.38-1.fc23

Nessus: version 7.1.1.
The version 7.1.1 is fixed:
  https://www.tenable.com/downloads/nessus

openSUSE Leap: new pcre packages.
New packages are available:
  openSUSE Leap 42.2: libpcre1 8.39-6.1
  openSUSE Leap 42.1: libpcre1 8.39-5.1

RHEL 7.2: new pcre packages.
New packages are available:
  RHEL 7: pcre 8.32-15.el7_2.1

RHEL: new rh-mariadb100-mariadb packages (this Software Collection ships its own bundled copy of PCRE).
New packages are available:
  RHEL 6: rh-mariadb100-mariadb 10.0.25-4.el6
  RHEL 7: rh-mariadb100-mariadb 10.0.25-4.el7

RHEL: new rh-php56 packages (this Software Collection ships its own bundled copy of PCRE).
New packages are available:
  RHEL 6: rh-php56 2.3-1.el6
  RHEL 7: rh-php56 2.3-1.el7

Ubuntu: new libpcre3 packages (30/03/2016).
New packages are available:
  Ubuntu 15.10: libpcre3 2:8.35-7.1ubuntu1.3
  Ubuntu 14.04 LTS: libpcre3 1:8.31-2ubuntu2.2
  Ubuntu 12.04 LTS: libpcre3 8.12-4ubuntu0.2
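Checking an estate against the package list above means comparing distribution version strings, including epochs such as the "2:" and "1:" on the Ubuntu packages, which a plain string or float comparison gets wrong. The following added example, which is not part of the Vigil@nce bulletin or of any distribution's tooling, transcribes the fixed versions from the solutions above and orders installed versions with the dpkg algorithm from deb-version(7): epoch first, then upstream version, then revision, with "~" sorting before anything else. The release keys are names chosen for this script, and applying the dpkg ordering to the RPM-style Fedora, openSUSE and RHEL strings is an assumption that holds for the strings listed here.

```python
"""Check installed PCRE package versions against this bulletin's fixed versions.

Added example, not from the Vigil@nce bulletin or any distribution's tooling.
FIXED_VERSIONS is transcribed from the "Solutions" section; release keys are
names chosen for this script.
"""
import re
from itertools import zip_longest
from typing import Dict, Tuple

FIXED_VERSIONS: Dict[Tuple[str, str], str] = {
    ("upstream", "pcre"): "8.38",
    ("fedora22", "pcre"): "8.38-1.fc22",
    ("fedora22", "mingw-pcre"): "8.38-1.fc22",
    ("fedora23", "mingw-pcre"): "8.38-1.fc23",
    ("leap42.1", "libpcre1"): "8.39-5.1",
    ("leap42.2", "libpcre1"): "8.39-6.1",
    ("rhel7", "pcre"): "8.32-15.el7_2.1",
    ("ubuntu15.10", "libpcre3"): "2:8.35-7.1ubuntu1.3",
    ("ubuntu14.04", "libpcre3"): "1:8.31-2ubuntu2.2",
    ("ubuntu12.04", "libpcre3"): "8.12-4ubuntu0.2",
}


def _weight(c: str) -> int:
    """Character weight from deb-version(7): '~' < end of string < letters < others."""
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256


def _cmp_part(a: str, b: str) -> int:
    """Compare one version part by alternating non-digit runs and numeric runs."""
    while a or b:
        sa, sb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(sa):], b[len(sb):]
        for x, y in zip_longest(sa, sb, fillvalue=""):
            if _weight(x) != _weight(y):
                return _weight(x) - _weight(y)
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or "0") != int(db or "0"):
            return int(da or "0") - int(db or "0")
    return 0


def _split(version: str) -> Tuple[int, str, str]:
    """Split 'epoch:upstream-revision' into its parts; epoch and revision are optional."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Negative if a < b, zero if equal, positive if a > b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    return (ea - eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)


def is_fixed(release: str, package: str, installed: str) -> bool:
    """True when the installed version is at or above the bulletin's fixed version."""
    return compare_versions(installed, FIXED_VERSIONS[(release, package)]) >= 0


if __name__ == "__main__":
    # Constructed sample inventory, as reported by `dpkg-query -W libpcre3`,
    # `rpm -q pcre` or, for a source build, `pcre-config --version`.
    inventory = [
        ("ubuntu14.04", "libpcre3", "1:8.31-2ubuntu2.1"),
        ("rhel7", "pcre", "8.32-15.el7_2.1"),
        ("upstream", "pcre", "8.37"),
    ]
    for release, package, installed in inventory:
        state = "fixed" if is_fixed(release, package, installed) else "VULNERABLE"
        print(f"{release:12} {package:10} {installed:24} {state}")
```

The epoch matters: "8.38-1" with no epoch compares lower than the Ubuntu 14.04 fix "1:8.31-2ubuntu2.2", which is the intended dpkg behaviour and the reason a hand-rolled numeric comparison of "8.38" against "8.31" would report the wrong state. Applications that link PCRE statically or bundle it (as the MariaDB and PHP Software Collections above do) are not covered by checking the system package alone.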

Computer vulnerabilities tracking service 

Vigil@nce provides workarounds for software vulnerabilities. The Vigil@nce vulnerability tracking service alerts your teams to vulnerabilities or threats affecting your information system.