CVE-2015-8390

PCRE before 8.38 mishandles the [: and substrings in character classes, which allows remote attackers to cause a denial of service (uninitialized memory read) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.

Weakness

The product uses or accesses a resource that has not been initialized.

Affected Software

Name	Vendor	Start Version	End Version
Perl_compatible_regular_expression_library	Pcre	*	8.37 (including)
Pcre3	Ubuntu	esm-infra-legacy/trusty	*
Pcre3	Ubuntu	precise	*
Pcre3	Ubuntu	trusty	*
Pcre3	Ubuntu	trusty/esm	*
Pcre3	Ubuntu	upstream	*
Pcre3	Ubuntu	vivid	*
Pcre3	Ubuntu	vivid/stable-phone-overlay	*
Pcre3	Ubuntu	vivid/ubuntu-core	*
Pcre3	Ubuntu	wily	*

Potential Mitigations

References

http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174931.html
http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup
http://www.openwall.com/lists/oss-security/2015/11/29/1
http://www.securityfocus.com/bid/82990
https://bto.bluecoat.com/security-advisory/sa128
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731
https://security.gentoo.org/glsa/201607-02
https://security.netapp.com/advisory/ntap-20230216-0002/
http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174931.html
http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup
http://www.openwall.com/lists/oss-security/2015/11/29/1
http://www.securityfocus.com/bid/82990
https://bto.bluecoat.com/security-advisory/sa128
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731
https://security.gentoo.org/glsa/201607-02
https://security.netapp.com/advisory/ntap-20230216-0002/

NVD	https://nvd.nist.gov/vuln/detail/CVE-2015-8390
CWE	https://cwe.mitre.org/data/definitions/908.html

Use of Uninitialized Resource

Weakness

Affected Software

Potential Mitigations

References