CVE-2015-3217
Publication date 13 December 2016
Last updated 24 July 2024
Ubuntu priority
PCRE 7.8 and 8.32 through 8.37, and PCRE2 10.10 mishandle group empty matches, which might allow remote attackers to cause a denial of service (stack-based buffer overflow) via a crafted regular expression, as demonstrated by /^(?:(?(1)\\.|([^\\\\W_])?)+)+$/.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| pcre3 | ||
| 14.04 LTS trusty |
Not affected
|
|
Notes
seth-arnold
This might be disputed, Tavis says it is likely php misusing the pcre3 API. I suspect allowing attackers to supply regular expressions is always going to be a bad idea.
mdeslaur
upsteam bug says this is an issue with php, and are not going to fix, so marking this as not-affected
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
7.5 · High
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | None |
| Availability impact | High |
| Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |