Vulnerabilities > CVE-2015-8394 - Integer Overflow or Wraparound vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
PCRE before 8.38 mishandles the (?(<digits>) and (?(R<digits>) conditions, which allows remote attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Forced Integer Overflow This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code.
Nessus
NASL family Fedora Local Security Checks NASL id FEDORA_2016-F59A8FF5D0.NASL description Update to 8.38 and fix various CVE last seen 2020-06-05 modified 2016-03-04 plugin id 89641 published 2016-03-04 reporter This script is Copyright (C) 2016-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/89641 title Fedora 22 : mingw-pcre-8.38-1.fc22 (2016-f59a8ff5d0) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory 2016-f59a8ff5d0. # include("compat.inc"); if (description) { script_id(89641); script_version("1.6"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2015-3210", "CVE-2015-5073", "CVE-2015-8383", "CVE-2015-8384", "CVE-2015-8385", "CVE-2015-8386", "CVE-2015-8387", "CVE-2015-8388", "CVE-2015-8389", "CVE-2015-8390", "CVE-2015-8391", "CVE-2015-8392", "CVE-2015-8393", "CVE-2015-8394", "CVE-2015-8395"); script_xref(name:"FEDORA", value:"2016-f59a8ff5d0"); script_name(english:"Fedora 22 : mingw-pcre-8.38-1.fc22 (2016-f59a8ff5d0)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: "Update to 8.38 and fix various CVE's Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1236660" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1237225" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1249905" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1250947" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1256453" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1287616" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1287626" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1287631" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1287640" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1287648" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1287656" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1287661" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1287668" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1287673" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1287692" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1287698" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1287704" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1287720" ); # https://lists.fedoraproject.org/pipermail/package-announce/2016-February/177380.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?907fa31f" ); script_set_attribute( attribute:"solution", value:"Update the affected mingw-pcre package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:mingw-pcre"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:22"); script_set_attribute(attribute:"patch_publication_date", value:"2016/02/16"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/03/04"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2020 Tenable Network Security, Inc."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! ereg(pattern:"^22([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 22.x", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC22", reference:"mingw-pcre-8.38-1.fc22")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "mingw-pcre"); }
NASL family SuSE Local Security Checks NASL id SUSE_SU-2016-2971-1.NASL description This update for pcre to version 8.39 (bsc#972127) fixes several issues. If you use pcre extensively please be aware that this is an update to a new version. Please make sure that your software works with the updated version. This version fixes a number of vulnerabilities that affect pcre and applications using the libary when accepting untrusted input as regular expressions or as part thereof. Remote attackers could have caused the application to crash, disclose information or potentially execute arbitrary code. These security issues were fixed : - CVE-2014-8964: Heap-based buffer overflow in PCRE allowed remote attackers to cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats (bsc#906574). - CVE-2015-2325: Heap buffer overflow in compile_branch() (bsc#924960). - CVE-2015-3210: Heap buffer overflow in pcre_compile2() / compile_regex() (bsc#933288) - CVE-2015-3217: PCRE Library Call Stack Overflow Vulnerability in match() (bsc#933878). - CVE-2015-5073: Library Heap Overflow Vulnerability in find_fixedlength() (bsc#936227). - bsc#942865: heap overflow in compile_regex() - CVE-2015-8380: The pcre_exec function in pcre_exec.c mishandled a // pattern with a \01 string, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957566). - CVE-2015-2327: PCRE mishandled certain patterns with internal recursive back references, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957567). - bsc#957598: Various security issues - CVE-2015-8381: Heap Overflow in compile_regex() (bsc#957598). - CVE-2015-8382: Regular Expression Uninitialized Pointer Information Disclosure Vulnerability (ZDI-CAN-2547)(bsc#957598). - CVE-2015-8383: Buffer overflow caused by repeated conditional group(bsc#957598). - CVE-2015-8384: Buffer overflow caused by recursive back reference by name within certain group(bsc#957598). - CVE-2015-8385: Buffer overflow caused by forward reference by name to certain group(bsc#957598). - CVE-2015-8386: Buffer overflow caused by lookbehind assertion(bsc#957598). - CVE-2015-8387: Integer overflow in subroutine calls(bsc#957598). - CVE-2015-8388: Buffer overflow caused by certain patterns with an unmatched closing parenthesis(bsc#957598). - CVE-2015-8389: Infinite recursion in JIT compiler when processing certain patterns(bsc#957598). - CVE-2015-8390: Reading from uninitialized memory when processing certain patterns(bsc#957598). - CVE-2015-8391: Some pathological patterns causes pcre_compile() to run for a very long time(bsc#957598). - CVE-2015-8392: Buffer overflow caused by certain patterns with duplicated named groups(bsc#957598). - CVE-2015-8393: Information leak when running pcgrep -q on crafted binary(bsc#957598). - CVE-2015-8394: Integer overflow caused by missing check for certain conditions(bsc#957598). - CVE-2015-8395: Buffer overflow caused by certain references(bsc#957598). - CVE-2015-2328: PCRE mishandled the /((?(R)a|(?1)))+/ pattern and related patterns with certain recursion, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression (bsc#957600). - CVE-2016-1283: The pcre_compile2 function in pcre_compile.c in PCRE mishandled certain patterns with named subgroups, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression (bsc#960837). - CVE-2016-3191: The compile_branch function in pcre_compile.c in pcre2_compile.c mishandled patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allowed remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression (bsc#971741). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 95534 published 2016-12-05 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/95534 title SUSE SLED12 / SLES12 Security Update : pcre (SUSE-SU-2016:2971-1) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from SUSE update advisory SUSE-SU-2016:2971-1. # The text itself is copyright (C) SUSE. # include("compat.inc"); if (description) { script_id(95534); script_version("3.7"); script_cvs_date("Date: 2019/09/11 11:22:14"); script_cve_id("CVE-2014-8964", "CVE-2015-2325", "CVE-2015-2327", "CVE-2015-2328", "CVE-2015-3210", "CVE-2015-3217", "CVE-2015-5073", "CVE-2015-8380", "CVE-2015-8381", "CVE-2015-8382", "CVE-2015-8383", "CVE-2015-8384", "CVE-2015-8385", "CVE-2015-8386", "CVE-2015-8387", "CVE-2015-8388", "CVE-2015-8389", "CVE-2015-8390", "CVE-2015-8391", "CVE-2015-8392", "CVE-2015-8393", "CVE-2015-8394", "CVE-2015-8395", "CVE-2016-1283", "CVE-2016-3191"); script_bugtraq_id(71206, 74934, 75018, 75175, 75430); script_name(english:"SUSE SLED12 / SLES12 Security Update : pcre (SUSE-SU-2016:2971-1)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote SUSE host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "This update for pcre to version 8.39 (bsc#972127) fixes several issues. If you use pcre extensively please be aware that this is an update to a new version. Please make sure that your software works with the updated version. This version fixes a number of vulnerabilities that affect pcre and applications using the libary when accepting untrusted input as regular expressions or as part thereof. Remote attackers could have caused the application to crash, disclose information or potentially execute arbitrary code. These security issues were fixed : - CVE-2014-8964: Heap-based buffer overflow in PCRE allowed remote attackers to cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats (bsc#906574). - CVE-2015-2325: Heap buffer overflow in compile_branch() (bsc#924960). - CVE-2015-3210: Heap buffer overflow in pcre_compile2() / compile_regex() (bsc#933288) - CVE-2015-3217: PCRE Library Call Stack Overflow Vulnerability in match() (bsc#933878). - CVE-2015-5073: Library Heap Overflow Vulnerability in find_fixedlength() (bsc#936227). - bsc#942865: heap overflow in compile_regex() - CVE-2015-8380: The pcre_exec function in pcre_exec.c mishandled a // pattern with a \01 string, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957566). - CVE-2015-2327: PCRE mishandled certain patterns with internal recursive back references, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957567). - bsc#957598: Various security issues - CVE-2015-8381: Heap Overflow in compile_regex() (bsc#957598). - CVE-2015-8382: Regular Expression Uninitialized Pointer Information Disclosure Vulnerability (ZDI-CAN-2547)(bsc#957598). - CVE-2015-8383: Buffer overflow caused by repeated conditional group(bsc#957598). - CVE-2015-8384: Buffer overflow caused by recursive back reference by name within certain group(bsc#957598). - CVE-2015-8385: Buffer overflow caused by forward reference by name to certain group(bsc#957598). - CVE-2015-8386: Buffer overflow caused by lookbehind assertion(bsc#957598). - CVE-2015-8387: Integer overflow in subroutine calls(bsc#957598). - CVE-2015-8388: Buffer overflow caused by certain patterns with an unmatched closing parenthesis(bsc#957598). - CVE-2015-8389: Infinite recursion in JIT compiler when processing certain patterns(bsc#957598). - CVE-2015-8390: Reading from uninitialized memory when processing certain patterns(bsc#957598). - CVE-2015-8391: Some pathological patterns causes pcre_compile() to run for a very long time(bsc#957598). - CVE-2015-8392: Buffer overflow caused by certain patterns with duplicated named groups(bsc#957598). - CVE-2015-8393: Information leak when running pcgrep -q on crafted binary(bsc#957598). - CVE-2015-8394: Integer overflow caused by missing check for certain conditions(bsc#957598). - CVE-2015-8395: Buffer overflow caused by certain references(bsc#957598). - CVE-2015-2328: PCRE mishandled the /((?(R)a|(?1)))+/ pattern and related patterns with certain recursion, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression (bsc#957600). - CVE-2016-1283: The pcre_compile2 function in pcre_compile.c in PCRE mishandled certain patterns with named subgroups, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression (bsc#960837). - CVE-2016-3191: The compile_branch function in pcre_compile.c in pcre2_compile.c mishandled patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allowed remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression (bsc#971741). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=906574" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=924960" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=933288" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=933878" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=936227" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=942865" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=957566" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=957567" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=957598" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=957600" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=960837" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=971741" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=972127" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2014-8964/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-2325/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-2327/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-2328/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-3210/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-3217/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-5073/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-8380/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-8381/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-8382/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-8383/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-8384/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-8385/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-8386/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-8387/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-8388/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-8389/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-8390/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-8391/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-8392/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-8393/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-8394/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-8395/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-1283/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-3191/" ); # https://www.suse.com/support/update/announcement/2016/suse-su-20162971-1/ script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?d6d2422d" ); script_set_attribute( attribute:"solution", value: "To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product : SUSE Linux Enterprise Workstation Extension 12-SP2:zypper in -t patch SUSE-SLE-WE-12-SP2-2016-1744=1 SUSE Linux Enterprise Workstation Extension 12-SP1:zypper in -t patch SUSE-SLE-WE-12-SP1-2016-1744=1 SUSE Linux Enterprise Software Development Kit 12-SP2:zypper in -t patch SUSE-SLE-SDK-12-SP2-2016-1744=1 SUSE Linux Enterprise Software Development Kit 12-SP1:zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-1744=1 SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:zypper in -t patch SUSE-SLE-RPI-12-SP2-2016-1744=1 SUSE Linux Enterprise Server 12-SP2:zypper in -t patch SUSE-SLE-SERVER-12-SP2-2016-1744=1 SUSE Linux Enterprise Server 12-SP1:zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1744=1 SUSE Linux Enterprise High Availability 12-SP2:zypper in -t patch SUSE-SLE-HA-12-SP2-2016-1744=1 SUSE Linux Enterprise High Availability 12-SP1:zypper in -t patch SUSE-SLE-HA-12-SP1-2016-1744=1 SUSE Linux Enterprise Desktop 12-SP2:zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2016-1744=1 SUSE Linux Enterprise Desktop 12-SP1:zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1744=1 To bring your system up-to-date, use 'zypper patch'." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libpcre1"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libpcre1-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libpcre16"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libpcre16-0-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libpcrecpp0"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libpcrecpp0-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:pcre-debugsource"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12"); script_set_attribute(attribute:"vuln_publication_date", value:"2014/12/16"); script_set_attribute(attribute:"patch_publication_date", value:"2016/12/02"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/12/05"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE"); os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE"); os_ver = os_ver[1]; if (! preg(pattern:"^(SLED12|SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLED12 / SLES12", "SUSE " + os_ver); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu); sp = get_kb_item("Host/SuSE/patchlevel"); if (isnull(sp)) sp = "0"; if (os_ver == "SLES12" && (! preg(pattern:"^(1|2)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP1/2", os_ver + " SP" + sp); if (os_ver == "SLED12" && (! preg(pattern:"^(1|2)$", string:sp))) audit(AUDIT_OS_NOT, "SLED12 SP1/2", os_ver + " SP" + sp); flag = 0; if (rpm_check(release:"SLES12", sp:"1", reference:"libpcre1-8.39-5.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"libpcre1-debuginfo-8.39-5.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"libpcre16-0-8.39-5.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"libpcre16-0-debuginfo-8.39-5.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"pcre-debugsource-8.39-5.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"libpcre1-32bit-8.39-5.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"libpcre1-debuginfo-32bit-8.39-5.1")) flag++; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"libpcre1-8.39-5.1")) flag++; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"libpcre1-debuginfo-8.39-5.1")) flag++; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"libpcre16-0-8.39-5.1")) flag++; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"libpcre16-0-debuginfo-8.39-5.1")) flag++; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"pcre-debugsource-8.39-5.1")) flag++; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"libpcre1-32bit-8.39-5.1")) flag++; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"libpcre1-debuginfo-32bit-8.39-5.1")) flag++; if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"libpcre1-32bit-8.39-5.1")) flag++; if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"libpcre1-8.39-5.1")) flag++; if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"libpcre1-debuginfo-32bit-8.39-5.1")) flag++; if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"libpcre1-debuginfo-8.39-5.1")) flag++; if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"libpcre16-0-8.39-5.1")) flag++; if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"libpcre16-0-debuginfo-8.39-5.1")) flag++; if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"libpcrecpp0-32bit-8.39-5.1")) flag++; if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"libpcrecpp0-8.39-5.1")) flag++; if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"libpcrecpp0-debuginfo-32bit-8.39-5.1")) flag++; if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"libpcrecpp0-debuginfo-8.39-5.1")) flag++; if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"pcre-debugsource-8.39-5.1")) flag++; if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"libpcre1-32bit-8.39-5.1")) flag++; if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"libpcre1-8.39-5.1")) flag++; if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"libpcre1-debuginfo-32bit-8.39-5.1")) flag++; if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"libpcre1-debuginfo-8.39-5.1")) flag++; if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"libpcre16-0-8.39-5.1")) flag++; if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"libpcre16-0-debuginfo-8.39-5.1")) flag++; if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"libpcrecpp0-32bit-8.39-5.1")) flag++; if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"libpcrecpp0-8.39-5.1")) flag++; if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"libpcrecpp0-debuginfo-32bit-8.39-5.1")) flag++; if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"libpcrecpp0-debuginfo-8.39-5.1")) flag++; if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"pcre-debugsource-8.39-5.1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "pcre"); }
NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_85EB4E46CF1611E5840F485D605F4717.NASL description PHP reports : - Core : - Fixed bug #71039 (exec functions ignore length but look for NULL termination). - Fixed bug #71323 (Output of stream_get_meta_data can be falsified by its input). - Fixed bug #71459 (Integer overflow in iptcembed()). - PCRE : - Upgraded bundled PCRE library to 8.38.(CVE-2015-8383, CVE-2015-8386, CVE-2015-8387, CVE-2015-8389, CVE-2015-8390, CVE-2015-8391, CVE-2015-8393, CVE-2015-8394) - Phar : - Fixed bug #71354 (Heap corruption in tar/zip/phar parser). - Fixed bug #71391 (NULL pointer Dereference in phar_tar_setupmetadata()). - Fixed bug #71488 (Stack overflow when decompressing tar archives). (CVE-2016-2554) - WDDX : - Fixed bug #71335 (Type Confusion in WDDX Packet Deserialization). last seen 2020-06-01 modified 2020-06-02 plugin id 88671 published 2016-02-10 reporter This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/88671 title FreeBSD : php -- multiple vulnerabilities (85eb4e46-cf16-11e5-840f-485d605f4717) NASL family SuSE Local Security Checks NASL id SUSE_SU-2016-3161-1.NASL description This update for pcre to version 8.39 (bsc#972127) fixes several issues. If you use pcre extensively please be aware that this is an update to a new version. Please make sure that your software works with the updated version. This version fixes a number of vulnerabilities that affect pcre and applications using the libary when accepting untrusted input as regular expressions or as part thereof. Remote attackers could have caused the application to crash, disclose information or potentially execute arbitrary code. These security issues were fixed : - CVE-2014-8964: Heap-based buffer overflow in PCRE allowed remote attackers to cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats (bsc#906574). - CVE-2015-2325: Heap buffer overflow in compile_branch() (bsc#924960). - CVE-2015-3210: Heap buffer overflow in pcre_compile2() / compile_regex() (bsc#933288) - CVE-2015-3217: PCRE Library Call Stack Overflow Vulnerability in match() (bsc#933878). - CVE-2015-5073: Library Heap Overflow Vulnerability in find_fixedlength() (bsc#936227). - bsc#942865: heap overflow in compile_regex() - CVE-2015-8380: The pcre_exec function in pcre_exec.c mishandled a // pattern with a \01 string, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957566). - CVE-2015-2327: PCRE mishandled certain patterns with internal recursive back references, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957567). - bsc#957598: Various security issues - CVE-2015-8381: Heap Overflow in compile_regex() (bsc#957598). - CVE-2015-8382: Regular Expression Uninitialized Pointer Information Disclosure Vulnerability (ZDI-CAN-2547)(bsc#957598). - CVE-2015-8383: Buffer overflow caused by repeated conditional group(bsc#957598). - CVE-2015-8384: Buffer overflow caused by recursive back reference by name within certain group(bsc#957598). - CVE-2015-8385: Buffer overflow caused by forward reference by name to certain group(bsc#957598). - CVE-2015-8386: Buffer overflow caused by lookbehind assertion(bsc#957598). - CVE-2015-8387: Integer overflow in subroutine calls(bsc#957598). - CVE-2015-8388: Buffer overflow caused by certain patterns with an unmatched closing parenthesis(bsc#957598). - CVE-2015-8389: Infinite recursion in JIT compiler when processing certain patterns(bsc#957598). - CVE-2015-8390: Reading from uninitialized memory when processing certain patterns(bsc#957598). - CVE-2015-8391: Some pathological patterns causes pcre_compile() to run for a very long time(bsc#957598). - CVE-2015-8392: Buffer overflow caused by certain patterns with duplicated named groups(bsc#957598). - CVE-2015-8393: Information leak when running pcgrep -q on crafted binary(bsc#957598). - CVE-2015-8394: Integer overflow caused by missing check for certain conditions(bsc#957598). - CVE-2015-8395: Buffer overflow caused by certain references(bsc#957598). - CVE-2015-2328: PCRE mishandled the /((?(R)a|(?1)))+/ pattern and related patterns with certain recursion, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression (bsc#957600). - CVE-2016-1283: The pcre_compile2 function in pcre_compile.c in PCRE mishandled certain patterns with named subgroups, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression (bsc#960837). - CVE-2016-3191: The compile_branch function in pcre_compile.c in pcre2_compile.c mishandled patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allowed remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression (bsc#971741). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 95915 published 2016-12-16 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/95915 title SUSE SLED12 / SLES12 Security Update : pcre (SUSE-SU-2016:3161-1) NASL family CGI abuses NASL id PHP_5_6_18.NASL description According to its banner, the version of PHP running on the remote web server is 5.6.x prior to 5.6.18. It is, therefore, affected by multiple vulnerabilities : - The Perl-Compatible Regular Expressions (PCRE) library is affected by multiple vulnerabilities related to the handling of regular expressions, subroutine calls, and binary files. A remote attacker can exploit these to cause a denial of service, obtain sensitive information, or have other unspecified impact. (CVE-2015-8383, CVE-2015-8386, CVE-2015-8387, CVE-2015-8389, CVE-2015-8390, CVE-2015-8391, CVE-2015-8393, CVE-2015-8394) - A flaw exists in file ext/standard/exec.c in the escapeshellcmd() and escapeshellarg() functions due to the program truncating NULL bytes in strings. A remote attacker can exploit this to bypass restrictions. - A flaw exists in file ext/standard/streamsfuncs.c in the stream_get_meta_data() function due to a failure to restrict writing user-supplied data to fields not already set. A remote attacker can exploit this to falsify the output of the function, resulting in the insertion of malicious metadata. - A type confusion error exists in file ext/wddx/wddx.c in the php_wddx_pop_element() function when deserializing WDDX packets. A remote attacker can exploit this to have an unspecified impact. - A flaw exists in file ext/phar/phar_object.c in the PharFileInfo::getContent() method due to the use of uninitialized memory causing improper validation of user-supplied input. A remote attacker can exploit this to corrupt memory, resulting in a denial of service or the execution of arbitrary code. - A NULL pointer dereference flaw exists in file ext/phar/tar.c in the phar_tar_setupmetadata() function when parsing metadata from a crafted TAR file. A remote attacker can exploit this to cause a denial of service. - An integer overflow condition exists in file ext/standard/iptc.c in the iptcembed() function due to improper validation of user-supplied input. A remote attacker can exploit this to cause a heap-based buffer overflow, resulting in a denial of service or the execution of arbitrary code. - An overflow condition exists in file ext/phar/tar.c in the phar_parse_tarfile() function due to improper validation of user-supplied input when decompressing TAR files. A remote attacker can exploit this to cause a stack-based buffer overflow, resulting in a denial of service or the execution of arbitrary code. (CVE-2016-2554) Note that Nessus has not tested for these issues but has instead relied only on the application last seen 2020-03-21 modified 2016-02-11 plugin id 88694 published 2016-02-11 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/88694 title PHP 5.6.x < 5.6.18 Multiple Vulnerabilities NASL family Misc. NASL id SECURITYCENTER_PHP_5_6_18.NASL description The Tenable SecurityCenter application installed on the remote host is either prior to version 5.3.0 or is missing a security patch. It is, therefore, affected by multiple vulnerabilities in the Perl-Compatible Regular Expressions (PCRE) library bundled with PHP : - An overflow condition exists in the PCRE library due to improper validation of user-supplied input when handling repeated conditional groups. An attacker can exploit this, via a specially crafted regular expression, to cause a buffer overflow, resulting in a denial of service condition. (CVE-2015-8383) - An overflow condition exists in the PCRE library due to improper validation of user-supplied input when handling mutual recursions within a last seen 2020-06-01 modified 2020-06-02 plugin id 93343 published 2016-09-06 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/93343 title Tenable SecurityCenter < 5.3.0 Multiple Vulnerabilities (TNS-2016-04) NASL family CGI abuses NASL id PHP_7_0_3.NASL description According to its banner, the version of PHP running on the remote web server is 7.0.x prior to 7.0.3. It is, therefore, affected by multiple vulnerabilities : - The Perl-Compatible Regular Expressions (PCRE) library is affected by multiple vulnerabilities related to the handling of regular expressions, subroutine calls, and binary files. A remote attacker can exploit these to cause a denial of service, obtain sensitive information, or have other unspecified impact. (CVE-2015-8383, CVE-2015-8386, CVE-2015-8387, CVE-2015-8389, CVE-2015-8390, CVE-2015-8391, CVE-2015-8393, CVE-2015-8394) - A flaw exists in file ext/standard/exec.c in the escapeshellcmd() and escapeshellarg() functions due to the program truncating NULL bytes in strings. A remote attacker can exploit this to bypass restrictions. - A flaw exists in file ext/standard/streamsfuncs.c in the stream_get_meta_data() function due to a failure to restrict writing user-supplied data to fields not already set. A remote attacker can exploit this to falsify the output of the function, resulting in the insertion of malicious metadata. - A type confusion error exists in file ext/wddx/wddx.c in the php_wddx_pop_element() function when deserializing WDDX packets. A remote attacker can exploit this to have an unspecified impact. - A flaw exists in file ext/phar/phar_object.c in the PharFileInfo::getContent() method due to the use of uninitialized memory causing improper validation of user-supplied input. A remote attacker can exploit this to corrupt memory, resulting in a denial of service or the execution of arbitrary code. - A NULL pointer dereference flaw exists in file ext/phar/tar.c in the phar_tar_setupmetadata() function when parsing metadata from a crafted TAR file. A remote attacker can exploit this to cause a denial of service. - An integer overflow condition exists in file ext/standard/iptc.c in the iptcembed() function due to improper validation of user-supplied input. A remote attacker can exploit this to cause a heap-based buffer overflow, resulting in a denial of service or the execution of arbitrary code. - An overflow condition exists in file ext/phar/tar.c in the phar_parse_tarfile() function due to improper validation of user-supplied input when decompressing TAR files. A remote attacker can exploit this to cause a stack-based buffer overflow, resulting in a denial of service or the execution of arbitrary code. (CVE-2016-2554) - An uninitialized pointer flaw exists in the phar_make_dirstream() function within file ext/phar/dirstream.c due to improper handling of ././@LongLink files. An unauthenticated, remote attacker can exploit this, via a specially crafted TAR file, to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-4343) Note that Nessus has not tested for these issues but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 88695 published 2016-02-11 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/88695 title PHP 7.0.x < 7.0.3 Multiple Vulnerabilities NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201607-02.NASL description The remote host is affected by the vulnerability described in GLSA-201607-02 (libpcre: Multiple Vulnerabilities) Multiple vulnerabilities have been discovered in libpcre. Please review the CVE identifiers referenced below for details. Impact : An attacker can possibly execute arbitrary code or create a Denial of Service condition. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 91983 published 2016-07-11 reporter This script is Copyright (C) 2016 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/91983 title GLSA-201607-02 : libpcre: Multiple Vulnerabilities NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-2943-1.NASL description It was discovered that PCRE incorrectly handled certain regular expressions. A remote attacker could use this issue to cause applications using PCRE to crash, resulting in a denial of service, or possibly execute arbitrary code. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 90306 published 2016-04-01 reporter Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/90306 title Ubuntu 12.04 LTS / 14.04 LTS / 15.10 : pcre3 vulnerabilities (USN-2943-1) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1558.NASL description According to the versions of the pcre packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - PCRE before 8.36 mishandles the /((?(R)a|(?1)))+/ pattern and related patterns with certain recursion, which allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.(CVE-2015-2328) - PCRE before 8.38 mishandles the : and \\\\ substrings in character classes, which allows remote attackers to cause a denial of service (uninitialized memory read) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.(CVE-2015-8390) - Heap-based buffer overflow in the find_fixedlength function in pcre_compile.c in PCRE before 8.38 allows remote attackers to cause a denial of service (crash) or obtain sensitive information from heap memory and possibly bypass the ASLR protection mechanism via a crafted regular expression with an excess closing parenthesis.(CVE-2015-5073) - PCRE before 8.38 mishandles (?123) subroutine calls and related subroutine calls, which allows remote attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.(CVE-2015-8387) - The pcre_exec function in pcre_exec.c in PCRE before 8.38 mishandles a // pattern with a \\01 string, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.(CVE-2015-8380) - The compile_branch function in pcre_compile.c in PCRE 8.x before 8.39 and pcre2_compile.c in PCRE2 before 10.22 mishandles patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allows remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror, aka ZDI-CAN-3542.(CVE-2016-3191) - The pcre_compile function in pcre_compile.c in PCRE before 8.38 mishandles certain : nesting, which allows remote attackers to cause a denial of service (CPU consumption) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.(CVE-2015-8391) - PCRE before 8.36 mishandles the /(((a\\2)|(a*)\\gi1/4oe-1i1/4z))*/ pattern and related patterns with certain internal recursive back references, which allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.(CVE-2015-2327) - PCRE before 8.38 mishandles the (?(i1/4oedigitsi1/4z) and (?(Ri1/4oedigitsi1/4z) conditions, which allows remote attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.(CVE-2015-8394) - PCRE before 8.38 mishandles the /(?=di(?i1/4oe=(?1))|(?=(.))))/ pattern and related patterns with an unmatched closing parenthesis, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.(CVE-2015-8388) - PCRE before 8.38 mishandles the interaction of lookbehind assertions and mutually recursive subpatterns, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.(CVE-2015-8386) - PCRE 7.8 and 8.32 through 8.37, and PCRE2 10.10 mishandle group empty matches, which might allow remote attackers to cause a denial of service (stack-based buffer overflow) via a crafted regular expression, as demonstrated by /^(?:(?(1)\\\\.|(^\\\\\\\\W_)?)+)+$/.(CVE-2015-3217) - PCRE before 8.38 mishandles the /(?|(\\k last seen 2020-03-19 modified 2019-05-15 plugin id 125102 published 2019-05-15 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/125102 title EulerOS Virtualization 3.0.1.0 : pcre (EulerOS-SA-2019-1558) NASL family CGI abuses NASL id PHP_5_5_32.NASL description According to its banner, the version of PHP running on the remote web server is 5.5.x prior to 5.5.32. It is, therefore, affected by multiple vulnerabilities : - The Perl-Compatible Regular Expressions (PCRE) library is affected by multiple vulnerabilities related to the handling of regular expressions, subroutine calls, and binary files. A remote attacker can exploit these to cause a denial of service, obtain sensitive information, or have other unspecified impact. (CVE-2015-8383, CVE-2015-8386, CVE-2015-8387, CVE-2015-8389, CVE-2015-8390, CVE-2015-8391, CVE-2015-8393, CVE-2015-8394) - A flaw exists in file ext/standard/exec.c in the escapeshellcmd() and escapeshellarg() functions due to the program truncating NULL bytes in strings. A remote attacker can exploit this to bypass restrictions. - A flaw exists in file ext/standard/streamsfuncs.c in the stream_get_meta_data() function due to a failure to restrict writing user-supplied data to fields not already set. A remote attacker can exploit this to falsify the output of the function, resulting in the insertion of malicious metadata. - A type confusion error exists in file ext/wddx/wddx.c in the php_wddx_pop_element() function when deserializing WDDX packets. A remote attacker can exploit this to have an unspecified impact. - A flaw exists in file ext/phar/phar_object.c in the PharFileInfo::getContent() method due to the use of uninitialized memory causing improper validation of user-supplied input. A remote attacker can exploit this to corrupt memory, resulting in a denial of service or the execution of arbitrary code. - A NULL pointer dereference flaw exists in file ext/phar/tar.c in the phar_tar_setupmetadata() function when parsing metadata from a crafted TAR file. A remote attacker can exploit this to cause a denial of service. - An integer overflow condition exists in file ext/standard/iptc.c in the iptcembed() function due to improper validation of user-supplied input. A remote attacker can exploit this to cause a heap-based buffer overflow, resulting in a denial of service or the execution of arbitrary code. - An overflow condition exists in file ext/phar/tar.c in the phar_parse_tarfile() function due to improper validation of user-supplied input when decompressing TAR files. A remote attacker can exploit this to cause a stack-based buffer overflow, resulting in a denial of service or the execution of arbitrary code. (CVE-2016-2554) Note that Nessus has not tested for these issues but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 88693 published 2016-02-11 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/88693 title PHP 5.5.x < 5.5.32 Multiple Vulnerabilities NASL family Huawei Local Security Checks NASL id EULEROS_SA-2018-1167.NASL description According to the versions of the pcre packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The pcre_exec function in pcre_exec.c in PCRE before 8.38 mishandles a // pattern with a \\01 string, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.(CVE-2015-8380) - PCRE before 8.38 mishandles (?123) subroutine calls and related subroutine calls, which allows remote attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.(CVE-2015-8387) - PCRE before 8.38 mishandles the [: and \\\\ substrings in character classes, which allows remote attackers to cause a denial of service (uninitialized memory read) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.(CVE-2015-8390) - PCRE before 8.38 mishandles the (?(digits) and (?(R digits) conditions, which allows remote attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.(CVE-2015-8394) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-06 modified 2018-06-28 plugin id 110743 published 2018-06-28 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/110743 title EulerOS 2.0 SP3 : pcre (EulerOS-SA-2018-1167) NASL family Fedora Local Security Checks NASL id FEDORA_2015-EB896290D3.NASL description This release fixes these vulnerabilies: CVE-2015-8383, CVE-2015-8386, CVE-2015-8387, CVE-2015-8389, CVE-2015-8390, CVE-2015-8391, CVE-2015-8393, CVE-2015-8394. It also fixes compiling comments with auto-callouts, compiling expressions with negated classes in UCP mode, compiling expressions with an isolated \E between an item and its qualifier with auto-callouts, a crash in regexec() if REG_STARTEND option is set and pmatch argument is NULL, a stack overflow when formatting a 32-bit integer in pcregrep tool, compiling expressions with an empty \Q\E sequence between an item and its qualifier with auto-callouts, compiling expressions with global extended modifier that is disabled by local no-extended option at the start of the expression just after a whitespace, a possible crash in pcre_copy_named_substring() if a named substring has number greater than the space in the ovector, a buffer overflow when compiling an expression with named groups with a group that reset capture numbers, and a crash in pcre_get_substring_list() if the use of \K caused the start of the match to be earlier than the end. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2016-03-04 plugin id 89447 published 2016-03-04 reporter This script is Copyright (C) 2016-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/89447 title Fedora 22 : pcre-8.38-1.fc22 (2015-eb896290d3) NASL family Fedora Local Security Checks NASL id FEDORA_2016-FD1199DBE2.NASL description Update to 8.38 and fix various CVE last seen 2020-06-05 modified 2016-03-04 plugin id 89647 published 2016-03-04 reporter This script is Copyright (C) 2016-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/89647 title Fedora 23 : mingw-pcre-8.38-1.fc23 (2016-fd1199dbe2) NASL family SuSE Local Security Checks NASL id OPENSUSE-2016-1448.NASL description This update for pcre to version 8.39 (bsc#972127) fixes several issues. If you use pcre extensively please be aware that this is an update to a new version. Please make sure that your software works with the updated version. This version fixes a number of vulnerabilities that affect pcre and applications using the libary when accepting untrusted input as regular expressions or as part thereof. Remote attackers could have caused the application to crash, disclose information or potentially execute arbitrary code. These security issues were fixed : - CVE-2014-8964: Heap-based buffer overflow in PCRE allowed remote attackers to cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats (bsc#906574). - CVE-2015-2325: Heap buffer overflow in compile_branch() (bsc#924960). - CVE-2015-3210: Heap buffer overflow in pcre_compile2() / compile_regex() (bsc#933288) - CVE-2015-3217: PCRE Library Call Stack Overflow Vulnerability in match() (bsc#933878). - CVE-2015-5073: Library Heap Overflow Vulnerability in find_fixedlength() (bsc#936227). - bsc#942865: heap overflow in compile_regex() - CVE-2015-8380: The pcre_exec function in pcre_exec.c mishandled a // pattern with a \01 string, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957566). - CVE-2015-2327: PCRE mishandled certain patterns with internal recursive back references, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957567). - bsc#957598: Various security issues - CVE-2015-8381: Heap Overflow in compile_regex() (bsc#957598). - CVE-2015-8382: Regular Expression Uninitialized Pointer Information Disclosure Vulnerability (ZDI-CAN-2547)(bsc#957598). - CVE-2015-8383: Buffer overflow caused by repeated conditional group(bsc#957598). - CVE-2015-8384: Buffer overflow caused by recursive back reference by name within certain group(bsc#957598). - CVE-2015-8385: Buffer overflow caused by forward reference by name to certain group(bsc#957598). - CVE-2015-8386: Buffer overflow caused by lookbehind assertion(bsc#957598). - CVE-2015-8387: Integer overflow in subroutine calls(bsc#957598). - CVE-2015-8388: Buffer overflow caused by certain patterns with an unmatched closing parenthesis(bsc#957598). - CVE-2015-8389: Infinite recursion in JIT compiler when processing certain patterns(bsc#957598). - CVE-2015-8390: Reading from uninitialized memory when processing certain patterns(bsc#957598). - CVE-2015-8391: Some pathological patterns causes pcre_compile() to run for a very long time(bsc#957598). - CVE-2015-8392: Buffer overflow caused by certain patterns with duplicated named groups(bsc#957598). - CVE-2015-8393: Information leak when running pcgrep -q on crafted binary(bsc#957598). - CVE-2015-8394: Integer overflow caused by missing check for certain conditions(bsc#957598). - CVE-2015-8395: Buffer overflow caused by certain references(bsc#957598). - CVE-2015-2328: PCRE mishandled the /((?(R)a|(?1)))+/ pattern and related patterns with certain recursion, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression (bsc#957600). - CVE-2016-1283: The pcre_compile2 function in pcre_compile.c in PCRE mishandled certain patterns with named subgroups, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression (bsc#960837). - CVE-2016-3191: The compile_branch function in pcre_compile.c in pcre2_compile.c mishandled patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allowed remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression (bsc#971741). These non-security issues were fixed : - JIT compiler improvements - performance improvements - The Unicode data tables have been updated to Unicode 7.0.0. This update was imported from the SUSE:SLE-12:Update update project. last seen 2020-06-05 modified 2016-12-13 plugin id 95754 published 2016-12-13 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/95754 title openSUSE Security Update : pcre (openSUSE-2016-1448) NASL family F5 Networks Local Security Checks NASL id F5_BIGIP_SOL20225390.NASL description CVE-2015-8395 PCRE before 8.38 mishandles certain references, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror, a related issue to CVE-2015-8384 and CVE-2015-8392. CVE-2015-8394 PCRE before 8.38 mishandles the (?() and (?(R) conditions, which allows remote attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror. CVE-2015-8392 PCRE before 8.38 mishandles certain instances of the (?| substring, which allows remote attackers to cause a denial of service (unintended recursion and buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror, a related issue to CVE-2015-8384 and CVE-2015-8395. CVE-2015-8391 The pcre_compile function in pcre_compile.c in PCRE before 8.38 mishandles certain [: nesting, which allows remote attackers to cause a denial of service (CPU consumption) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror. CVE-2015-8390 PCRE before 8.38 mishandles the [: and \\ substrings in character classes, which allows remote attackers to cause a denial of service (uninitialized memory read) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror. CVE-2015-8389 PCRE before 8.38 mishandles the /(?:|a|){100}x/ pattern and related patterns, which allows remote attackers to cause a denial of service (infinite recursion) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror. CVE-2015-8388 PCRE before 8.38 mishandles the /(?=di(?<=(?1))|(?=(.))))/ pattern and related patterns with an unmatched closing parenthesis, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror. CVE-2015-8387 PCRE before 8.38 mishandles (?123) subroutine calls and related subroutine calls, which allows remote attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror. CVE-2015-8386 PCRE before 8.38 mishandles the interaction of lookbehind assertions and mutually recursive subpatterns, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror. CVE-2015-8385 PCRE before 8.38 mishandles the /(?|(\k last seen 2020-06-01 modified 2020-06-02 plugin id 92667 published 2016-08-02 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/92667 title F5 Networks BIG-IP : Multiple PCRE vulnerabilities (K20225390) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1733.NASL description According to the versions of the pcre packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The pcre_exec function in pcre_exec.c in PCRE before 8.38 mishandles a // pattern with a \\01 string, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.(CVE-2015-8380) - PCRE before 8.38 mishandles (?123) subroutine calls and related subroutine calls, which allows remote attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.(CVE-2015-8387) - PCRE before 8.38 mishandles the [: and \\\\ substrings in character classes, which allows remote attackers to cause a denial of service (uninitialized memory read) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.(CVE-2015-8390) - PCRE before 8.38 mishandles the (?(digits) and (?(R digits) conditions, which allows remote attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.(CVE-2015-8394) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-06 modified 2019-07-22 plugin id 126860 published 2019-07-22 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/126860 title EulerOS 2.0 SP2 : pcre (EulerOS-SA-2019-1733)
References
- http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174931.html
- http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174931.html
- http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup
- http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup
- http://www.openwall.com/lists/oss-security/2015/11/29/1
- http://www.openwall.com/lists/oss-security/2015/11/29/1
- http://www.securityfocus.com/bid/82990
- http://www.securityfocus.com/bid/82990
- https://bto.bluecoat.com/security-advisory/sa128
- https://bto.bluecoat.com/security-advisory/sa128
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731
- https://security.gentoo.org/glsa/201607-02
- https://security.gentoo.org/glsa/201607-02
- https://security.netapp.com/advisory/ntap-20230216-0002/
- https://security.netapp.com/advisory/ntap-20230216-0002/