It was discovered that PCRE before 8.38 mishandles the /(?=di(?<=(?1))|(?=(.))))/ pattern and related patterns with an unmatched closing parenthesis that contained a backward assertion which itself contained a forward reference, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a crafted regular expression.
Created pcre tracking bugs for this issue:
Affects: fedora-all [bug 1287655]
Created glib2 tracking bugs for this issue:
Affects: fedora-all [bug 1287657]
Created mingw-pcre tracking bugs for this issue:
Affects: fedora-all [bug 1287656]
Affects: epel-7 [bug 1287658]
Corresponds to item 18 in http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup
Fixed in upstream with:
Author: ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15>
Date: Tue Jun 23 16:34:53 2015 +0000
Fix buffer overflow for forward reference within backward assertion with exc
closing parenthesis. Bugzilla 1651.
git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1571 2f5784b3-3f2a-0410-8824-
Is this CVE a duplicate of CVE-2015-5073?
I think it is.
*** This bug has been marked as a duplicate of bug 1237223 ***