Re: reproducing the recent PCRE issues
I've tried to reproduce the PCRE3 issues from CVE-2017-7186.
CVE-2017-7244, CVE-2017-7245 and CVE-2017-7246 are similar fuzzing
attacks so this probably applies to those as well.
Thanks for looking at these. I fixed CVE-2017-7186 with upstream's patch
in sid. It's unfortunate that upstream don't seem keen on referring to
CVE numbers, but I think they correspond roughly thus:
CVE-2017-7186 - 2052 https://bugs.exim.org/show_bug.cgi?id=2052
CVE-2017-7244 - 2054 (upstream thinks duplicate of 2052 or 2044)
CVE-2017-7245 - 2055
CVE-2017-7246 - 2057
So 2054 is either a duplicate of 2052 which we have fixed or 2044, which
is in pcretest which we don't ship from PCRE3.
The latter 2 upstream describe as "fixed by recent patches", although
it's not entirely clear to me which patches upstream means - pcre_get.c
hasn't changed since r1651 if svn log is to be believed. And there
aren't many plausible-looking commits since 8.40 was released - so I
think upstream thinks these issues apply only to pcretest (which has had
some patches since 8.40, but we don't ship in any case).
*If* that's correct, then we don't need to do any more for sid's pcre3,