DSA-1399-1: pcre3 - arbitrary code execution

Published: Nov 05, 2007
Source: Google OSV (osv.dev)

CVSS2 base score: 7.5 (High)

  Access Vector:          NETWORK
  Access Complexity:      LOW
  Authentication:         NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact:       PARTIAL
  Availability Impact:    PARTIAL

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Tavis Ormandy of the Google Security Team has discovered several
security issues in PCRE, the Perl-Compatible Regular Expression library,
which potentially allow attackers to execute arbitrary code by compiling
specially crafted regular expressions.

Version 7.0 of the PCRE library featured a major rewrite of the regular
expression compiler, and it was deemed infeasible to backport the
security fixes in version 7.3 to the versions in Debian’s stable and
oldstable distributions (6.7 and 4.5, respectively). Therefore, this
update is based on version 7.4 (which includes the security bug fixes of
the 7.3 version, plus several regression fixes), with special patches to
improve the compatibility with the older versions. As a result, extra
care is necessary when applying this update.

The Common Vulnerabilities and Exposures project identifies the
following problems:

Unmatched \Q\E sequences with orphan \E codes can cause the compiled
regex to become desynchronized, producing corrupt bytecode that can
lead to multiple exploitable conditions.

Multiple forms of character classes had their sizes miscalculated on
initial passes, resulting in too little memory being allocated.

Multiple patterns of the form \X?\d or \P{L}?\d in non-UTF-8 mode
could backtrack before the start of the string, possibly leaking
information from the address space, or causing a crash by reading out
of bounds.

A number of routines can be fooled into reading past the end of a
string looking for unmatched parentheses or brackets, resulting in a
denial of service.

Multiple integer overflows in the processing of escape sequences could
result in heap overflows or out of bounds reads/writes.

Multiple infinite loops and heap overflows were discovered in the
handling of \P and \P{x} sequences, where the length of these
non-standard operations was mishandled.

Character classes containing a lone unicode sequence were incorrectly
optimised, resulting in a heap overflow.

For the old stable distribution (sarge), these problems have been fixed in
version 4.5+7.4-1.

For the stable distribution (etch), these problems have been fixed in
version 6.7+7.4-2.

For the unstable distribution (sid), these problems have been fixed in
version 7.3-1.

Affected packages (CPE):

  Name   Operator  Version
  pcre3  eq        6.7+7.4-1
  pcre3  eq        6.7-1
