SB2015121409 - Fedora 22 update for pcre

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2015121409

SB2015121409 - Fedora 22 update for pcre

Published: December 14, 2015 Updated: June 28, 2025

Security Bulletin ID SB2015121409
Severity
High
Patch available
YES
Number of vulnerabilities 8
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 63% Medium 38%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 8 secuirty vulnerabilities.


1) Buffer overflow (CVE-ID: CVE-2015-8383)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to PCRE mishandles certain repeated conditional groups. A remote attacker can cause a denial of service (buffer overflow) or possibly have an unspecified other impact via a crafted regular expression.


2) Buffer overflow (CVE-ID: CVE-2015-8386)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing regular expressions. A remote attacker can trigger memory corruption using a JavaScript RegExp object and execute arbitrary code on the target system.


3) Integer overflow (CVE-ID: CVE-2015-8387)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to PCRE mishandles (?123) subroutine calls and related subroutine calls. A remote attacker can cause a denial of service (integer overflow) or possibly have unspecified other impact via a crafted regular expression.


4) Buffer overflow (CVE-ID: CVE-2015-8389)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

PCRE before 8.38 mishandles the /(?:|a|){100}x/ pattern and related patterns, which allows remote attackers to cause a denial of service (infinite recursion) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.


5) Use of uninitialized resource (CVE-ID: CVE-2015-8390)

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to usage of uninitialized resources when processing the [: and \ substrings in character classes. A remote attacker can pass specially crafted data to the application, trigger uninitialized usage of resources and bypass implemented security mechanisms.


6) Buffer overflow (CVE-ID: CVE-2015-8391)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due pcre_compile function in pcre_compile.c in PCRE mishandles certain [: nesting. A remote attacker can cause a denial of service (CPU consumption) or possibly have unspecified other impact via a crafted regular expression.


7) Information disclosure (CVE-ID: CVE-2015-8393)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to pcregrep in PCRE mishandles the -q option for binary files. A remote attacker can gain unauthorized access to sensitive information on the system.


8) Integer overflow (CVE-ID: CVE-2015-8394)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to integer overflow when processing the (?() and (?(R) conditions. A remote attacker can pass specially crafted data to the application, trigger integer overflow and execute arbitrary code on the target system.



Remediation

Install update from vendor's website.

References