CVE-2016-1283

2016-01-02T00:00:00
ID UB:CVE-2016-1283
Type ubuntucve
Reporter ubuntu.com
Modified 2016-01-02T00:00:00

Description

The pcre_compile2 function in pcre_compile.c in PCRE 8.38 mishandles the /((?:F?+(?:^(?(R)a+\"){99}-))(?J)(?'R'(?'R'<((?'RR'(?'R'){97)?J)?J)(?'R'(?'R'){99|(:(?|(?'R')(\k'R')|((?'R')))H'R'R)(H'R))))))/ pattern and related patterns with named subgroups, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.

Bugs

  • <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=809706>
  • <https://bugs.exim.org/show_bug.cgi?id=1767>

Notes

Author| Note
---|---
mdeslaur | introduced in 8.34
ebarretto | pcre2 not affected as vulnerable code is not present