It was found that PCRE before 8.38 mishandles the [: and \\ substrings in character classes, which are incorrectly compiled and could cause reading from uninitialized memory or an incorrect error diagnosis, which allows remote attackers to cause a denial of service (uninitialized memory read) or possibly have unspecified other impact via a crafted regular expression.
Created pcre tracking bugs for this issue:
Affects: fedora-all [bug 1287667]
Created glib2 tracking bugs for this issue:
Affects: fedora-all [bug 1287669]
Created mingw-pcre tracking bugs for this issue:
Affects: fedora-all [bug 1287668]
Affects: epel-7 [bug 1287670]
Corresponds to item 22 in http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup
Fixed in upstream with:
Author: ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15>
Date: Mon Jul 20 16:27:31 2015 +0000
Fix bug for classes containing \\ sequences.
git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1578 2f5784b3-3f2a-0410-8824-
pcre-8.38-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
(In reply to Petr Pisar from comment #5)
> Fixed in upstream with:
> commit 084a8fe109a94f6d146c6a7a0e397cc3d40c6b67
> Author: ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15>
> Date: Mon Jul 20 16:27:31 2015 +0000
> Fix bug for classes containing \\ sequences.
Upstream commit link:
This is a bug, but it does not seem to have any practical security impact.