Red Hat Bugzilla – Bug 1287695
CVE-2015-8393 pcre: pcregrep -q is not always quiet (8.38/28)
Last modified: 2017-08-02 23:08:44 EDT
It was discovered that pcregrep in PCRE before 8.38 mishandles the -q option for binary files or when used with -c or -l options, incorrectly writing output to stdout, which might allow remote attackers to obtain sensitive information via a crafted file.
Created pcre tracking bugs for this issue:
Affects: fedora-all [bug 1287697]
Created glib2 tracking bugs for this issue:
Affects: fedora-all [bug 1287699]
Created mingw-pcre tracking bugs for this issue:
Affects: fedora-all [bug 1287698]
Affects: epel-7 [bug 1287700]
Corresponds to item 28 in http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup
Fixed in upstream with:
Author: ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15>
Date: Wed Aug 5 17:43:19 2015 +0000
Make pcregrep -q override -l and -c for compatibility with other greps.
git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1586 2f5784b3-3f2a-0410-8824-
pcre-8.38-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
(In reply to Petr Pisar from comment #5)
> Fixed in upstream with:
> commit 8dda766e48f3bd16df6d8af870e9df4551b6216d
> Author: ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15>
> Date: Wed Aug 5 17:43:19 2015 +0000
> Make pcregrep -q override -l and -c for compatibility with other greps.
Upstream commit link:
Upstream fix corrects two problems:
- When pcregrep is run with both -q (--quiet) and one of -c (--count) and -l (--files-with-matches) it still generates output unlike other grep implementations. As these options are conflicting, this may be considered bug, but not a security issue.
- When pcregrep is rung with -q and the file being grepped is binary, it prints a message as: "Binary file filname matches". Reportedly, this is an information leak issue (where leaked information is the name of file being grepped). Leak can only happen in very specific circumstances, and I don't think this is really worth calling security given the minimal impact.
This second problem was only introduced in version 8.31, when pcregrep got support for binary files:
This bug also does not affect various packages that embed PCRE library, as it's not in the library itself, but in the pcregrep tool.