
Re: reproducing the recent PCRE issues



Hi,

I've tried to reproduce the PCRE3 issues from CVE-2017-7186.
CVE-2017-7244, CVE-2017-7245 and CVE-2017-7246 are similar fuzzing
attacks so this probably applies to those as well.

Thanks for looking at these. I fixed CVE-2017-7186 with upstream's patch in sid. It's unfortunate that upstream don't seem keen on referring to CVE numbers, but I think they correspond roughly thus:

CVE-2017-7186 - 2052 https://bugs.exim.org/show_bug.cgi?id=2052
CVE-2017-7244 - 2054 (upstream thinks duplicate of 2052 or 2044)
CVE-2017-7245 - 2055
CVE-2017-7246 - 2057

So 2054 is either a duplicate of 2052 which we have fixed or 2044, which is in pcretest which we don't ship from PCRE3.

The latter 2 upstream describe as "fixed by recent patches", although it's not entirely clear to me which patches upstream means - pcre_get.c hasn't changed since r1651 if svn log is to be believed. And there aren't many plausible-looking commits since 8.40 was released - so I think upstream thinks these issues apply only to pcretest (which has had some patches since 8.40, but we don't ship in any case).

*If* that's correct, then we don't need to do any more for sid's pcre3, I think.

Regards,

Matthew

