It was discovered that pcregrep in PCRE before 8.38 mishandles the -q option for binary files or when used with -c or -l options, incorrectly writing output to stdout, which might allow remote attackers to obtain sensitive information via a crafted file.
Created pcre tracking bugs for this issue: Affects: fedora-all [bug 1287697]
Created glib2 tracking bugs for this issue: Affects: fedora-all [bug 1287699]
Created mingw-pcre tracking bugs for this issue: Affects: fedora-all [bug 1287698] Affects: epel-7 [bug 1287700]
Corresponds to item 28 in http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup
Fixed in upstream with: commit 8dda766e48f3bd16df6d8af870e9df4551b6216d Author: ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15> Date: Wed Aug 5 17:43:19 2015 +0000 Make pcregrep -q override -l and -c for compatibility with other greps. git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1586 2f5784b3-3f2a-0410-8824- cb99058d5e15
pcre-8.38-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
(In reply to Petr Pisar from comment #5) > Fixed in upstream with: > > commit 8dda766e48f3bd16df6d8af870e9df4551b6216d > Author: ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15> > Date: Wed Aug 5 17:43:19 2015 +0000 > > Make pcregrep -q override -l and -c for compatibility with other greps. Upstream commit link: http://vcs.pcre.org/pcre?view=revision&revision=1586
Upstream fix corrects two problems: - When pcregrep is run with both -q (--quiet) and one of -c (--count) and -l (--files-with-matches) it still generates output unlike other grep implementations. As these options are conflicting, this may be considered bug, but not a security issue. - When pcregrep is rung with -q and the file being grepped is binary, it prints a message as: "Binary file filname matches". Reportedly, this is an information leak issue (where leaked information is the name of file being grepped). Leak can only happen in very specific circumstances, and I don't think this is really worth calling security given the minimal impact. This second problem was only introduced in version 8.31, when pcregrep got support for binary files: http://vcs.pcre.org/pcre?view=revision&revision=947 This bug also does not affect various packages that embed PCRE library, as it's not in the library itself, but in the pcregrep tool.