Bug 1030066 (CVE-2017-7186)

Summary: VUL-0: CVE-2017-7186: pcre,pcre2: DoS by triggering an invalid Unicode property lookup
Product: [Novell Products] SUSE Security Incidents Reporter: Johannes Segitz <jsegitz>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: astieger, gabriele.sonnu, junwei.chen, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/182023/
Whiteboard: CVSSv2:SUSE:CVE-2017-7186:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P) maint:planned:update
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Comment 2 Andreas Stieger 2017-05-02 13:27:09 UTC
*** Bug 1037164 has been marked as a duplicate of this bug. ***
Comment 3 Andreas Stieger 2017-05-02 13:27:32 UTC
Also affects pcre2
Comment 4 Stephan Kulow 2017-05-24 17:55:06 UTC
Trigger a version update whenever you feel like it. I communicated clearly in the past that I can't fix pcre issues
Comment 5 Andreas Stieger 2017-09-11 19:08:06 UTC
Fixed in pcre2 10.30.
Comment 6 Bernhard Wiedemann 2017-09-11 20:00:30 UTC
This is an autogenerated message for OBS integration:
This bug (1030066) was mentioned in
https://build.opensuse.org/request/show/523391 Factory / pcre2
Comment 7 Swamp Workflow Management 2018-12-03 18:20:07 UTC
This is an autogenerated message for OBS integration:
This bug (1030066) was mentioned in
https://build.opensuse.org/request/show/653587 Backports:SLE-12 / pcre2
Comment 9 junwei chen 2021-10-14 08:30:05 UTC
May I ask? Is the SLES12 SP5 affected by this CVE?
Comment 10 Swamp Workflow Management 2021-11-10 20:30:03 UTC
SUSE-SU-2021:3652-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1025709,1030066,1030803,1030805,1030807,1172973,1172974
CVE References: CVE-2017-6004,CVE-2017-7186,CVE-2017-7244,CVE-2017-7245,CVE-2017-7246,CVE-2019-20838,CVE-2020-14155
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    pcre-8.45-8.7.1, selinux-policy-20140730-36.5.2
SUSE OpenStack Cloud Crowbar 8 (src):    pcre-8.45-8.7.1, selinux-policy-20140730-36.5.2
SUSE OpenStack Cloud 9 (src):    pcre-8.45-8.7.1, selinux-policy-20140730-36.5.2
SUSE OpenStack Cloud 8 (src):    pcre-8.45-8.7.1, selinux-policy-20140730-36.5.2
SUSE Linux Enterprise Workstation Extension 12-SP5 (src):    pcre-8.45-8.7.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    pcre-8.45-8.7.1, selinux-policy-20140730-36.5.2
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    pcre-8.45-8.7.1, selinux-policy-20140730-36.5.2
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    pcre-8.45-8.7.1, selinux-policy-20140730-36.5.2
SUSE Linux Enterprise Server 12-SP5 (src):    pcre-8.45-8.7.1, selinux-policy-20140730-36.5.2
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    pcre-8.45-8.7.1, selinux-policy-20140730-36.5.2
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    pcre-8.45-8.7.1, selinux-policy-20140730-36.5.2
SUSE Linux Enterprise Server 12-SP3-BCL (src):    pcre-8.45-8.7.1, selinux-policy-20140730-36.5.2
SUSE Linux Enterprise Server 12-SP2-BCL (src):    pcre-8.45-8.7.1, selinux-policy-20140730-36.5.2
SUSE Linux Enterprise High Availability 12-SP5 (src):    pcre-8.45-8.7.1
SUSE Linux Enterprise High Availability 12-SP4 (src):    pcre-8.45-8.7.1
SUSE Linux Enterprise High Availability 12-SP3 (src):    pcre-8.45-8.7.1
HPE Helion Openstack 8 (src):    pcre-8.45-8.7.1, selinux-policy-20140730-36.5.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Gabriele Sonnu 2022-04-06 14:02:09 UTC
All done.