It was found that PCRE before 8.38 mishandles the (?(<digits>) and (?(R<digits>) conditions, which allows remote attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact via a crafted regular expression.
Created pcre tracking bugs for this issue:
Affects: fedora-all [bug 1287703]
Created glib2 tracking bugs for this issue:
Affects: fedora-all [bug 1287705]
Created mingw-pcre tracking bugs for this issue:
Affects: fedora-all [bug 1287704]
Affects: epel-7 [bug 1287706]
Corresponds to item 31 in http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup
Fixed in upstream with:
Author: ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15>
Date: Mon Aug 10 14:19:06 2015 +0000
Add missing integer overflow checks.
git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1589 2f5784b3-3f2a-0410-8824-
pcre-8.38-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
(In reply to Petr Pisar from comment #5)
> commit b35246ac4badf9c2a99b21b214998361babd7afb
> Author: ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15>
> Date: Mon Aug 10 14:19:06 2015 +0000
> Add missing integer overflow checks.
Upstream commit link:
This integer overflow does not seem to have any security impact, similar to bug 1287646 comment 8.