oss-sec mailing list archives

Re: CVE-2017-11164 - stack exhaustion in PCRE

From: Matthew Vernon <matthew () debian org>
Date: Wed, 12 Apr 2023 12:07:02 +0100

On 11/04/2023 12:22, Sevan Janiyan wrote:

"PCRE1 has become totally obsolete and is no longer maintained. The
final release was 8.45 (June 2021)"

So just a heads up if you're still linking against PCRE 8.x but software
in question supports PCRE2, perhaps it's time to switch and default to
PCRE2.

I've been trying to push towards getting old-PCRE out of Debian; you cantrack the outstanding bugs online[0], and there's similar for Ubuntu[1].

Once the next Debian release "bookworm" is out, I'm hoping to be able tomake the outstanding bugs release critical, moving towards not shippingthe older pcre (called pcre3 in Debian for Historical Reasons) in thenext release...


Regards,

Matthew
[PCRE maintainer for Debian]

[0]https://udd.debian.org/bugs/?release=any&merged=ign&fnewerval=7&flastmodval=7&fusertag=only&fusertagtag=obsolete-pcre3&fusertaguser=matthew-pcredep%40debian.org&allbugs=1&sortby=id&sorto=asc&format=html#results

[1] https://bugs.launchpad.net/ubuntu/+source/pcre3/+bug/1792544

Current thread:

CVE-2017-11164 - stack exhaustion in PCRE Sevan Janiyan (Apr 11)
- Re: CVE-2017-11164 - stack exhaustion in PCRE Matthew Vernon (Apr 12)