FreeBSD : pcre -- heap overflow vulnerability (6900e6f1-4a79-11e5-9ad8-14dae9d210b8)

High Nessus Plugin ID 85608


The remote FreeBSD host is missing a security-related update.


Guanxing Wen reports :

PCRE library is prone to a vulnerability which leads to Heap Overflow.
During the compilation of a malformed regular expression, more data is written on the malloced block than the expected size output by compile_regex(). The Heap Overflow vulnerability is caused by the following regular expression.

/(?J:(?|(:(?|(?'R')(\z(?|(?'R')(\k'R')|((?'R')))k'R')|((?'R')))H'Ak'Rf )|s(?'R')))/

A dry run of this particular regular expression with pcretest will reports 'double free or corruption (!prev)'. But it is actually a heap overflow problem. The overflow only affects pcre 8.x branch, pcre2 branch is not affected.


Update the affected package.

See Also

Plugin Details

Severity: High

ID: 85608

File Name: freebsd_pkg_6900e6f14a7911e59ad814dae9d210b8.nasl

Version: $Revision: 2.2 $

Type: local

Published: 2015/08/25

Modified: 2015/09/14

Dependencies: 12634

Risk Information

Risk Factor: High

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:pcre, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 2015/08/24

Vulnerability Publication Date: 2015/08/21