[arch-security] [ASA-201603-18] pcre: arbitrary code execution
Arch Linux Security Advisory ASA-201603-18
==========================================

Severity: High
Date    : 2016-03-13
CVE-ID  : CVE-2016-1283
Package : pcre
Type    : arbitrary code execution
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package pcre before version 8.38-3 is vulnerable to arbitrary code
execution.

Resolution
==========

Upgrade to 8.38-3.

# pacman -Syu "pcre>=8.38-3"

The problem has been fixed upstream but no release is available yet.

Workaround
==========

None.

Description
===========

The PCRE library is prone to a heap-based buffer overflow. During the
compilation of a malformed regular expression, more data is written to the
malloc'ed block than the size computed by compile_regex. Exploits using
advanced heap feng shui techniques may allow an attacker to execute
arbitrary code in the context of the user running the affected application.

Impact
======

A remote attacker who can supply a regular expression to an affected
application is able to execute arbitrary code by crafting a pattern that
triggers the heap buffer overflow during compilation.

References
==========

https://access.redhat.com/security/cve/CVE-2016-1283
https://bugs.exim.org/show_bug.cgi?id=1767
https://bugs.archlinux.org/48484
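The bug class the Description refers to, as an added illustration that is not PCRE's own code and not part of this advisory: a toy two-pass pattern compiler in which pass 1 computes the size of the compiled form, the caller allocates exactly that many bytes, and pass 2 emits into the block. The toy pattern language, the deliberately wrong estimator and the function names (estimate_length_buggy, emit, compile_pattern) are constructed for this example. The emitter refuses to write past the allocated size, so the mismatch surfaces as an error instead of heap corruption; a real fix also has to make pass 1 agree with pass 2.

```c
/*
 * Added illustration for ASA-201603-18, not PCRE's code: a toy two-pass
 * pattern compiler showing how "more data is written to the malloc'ed block
 * than the size computed by the first pass" becomes a heap overflow.
 *
 * Toy pattern language (constructed for this example): a literal byte,
 * optionally followed by "{n}" (n a single digit) meaning "n copies of it".
 */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Returns the digit of a "{n}" suffix starting at s, or -1 if s is not one. */
static int repeat_count(const char *s)
{
    if (s[0] == '{' && s[1] >= '0' && s[1] <= '9' && s[2] == '}')
        return s[1] - '0';
    return -1;
}

/* Pass 1, deliberately buggy: charges every "{n}" as one extra byte (as if
   the repeat were stored as a count) although pass 2 expands it to n copies
   of the literal. For n > 2 the estimate is smaller than what gets emitted. */
size_t estimate_length_buggy(const char *pat)
{
    size_t len = 0;
    for (size_t i = 0; pat[i] != '\0'; i++) {
        len++;                              /* the literal itself */
        if (repeat_count(pat + i + 1) >= 0) {
            len++;                          /* wrong: should be n - 1 more */
            i += 3;                         /* skip "{n}" */
        }
    }
    return len;
}

/* Pass 2: expand the pattern into out[0..cap). With out == NULL only the
   required length is computed. A write that would pass cap is refused and
   -1 is returned; without this check the byte would land past the block. */
long emit(const char *pat, unsigned char *out, size_t cap)
{
    size_t pos = 0;
    for (size_t i = 0; pat[i] != '\0'; i++) {
        unsigned char c = (unsigned char)pat[i];
        int reps = repeat_count(pat + i + 1);
        if (reps >= 0) i += 3; else reps = 1;
        for (int r = 0; r < reps; r++) {
            if (out != NULL) {
                if (pos >= cap) return -1;  /* bounds check: the hardening */
                out[pos] = c;
            }
            pos++;
        }
    }
    return (long)pos;
}

/* The vulnerable flow: malloc(estimate from pass 1), then run pass 2 into
   it. Returns NULL when pass 2 would have overflowed the block; *estimated
   and *actual report both sizes so the mismatch can be inspected. */
unsigned char *compile_pattern(const char *pat, size_t *estimated, long *actual)
{
    size_t n = estimate_length_buggy(pat);
    unsigned char *buf = malloc(n ? n : 1);
    if (buf == NULL) return NULL;
    long rc = emit(pat, buf, n);
    if (estimated) *estimated = n;
    if (actual) *actual = emit(pat, NULL, 0);
    if (rc < 0) { free(buf); return NULL; }
    return buf;
}

int main(void)
{
    const char *patterns[] = { "abc", "a{2}bc", "a{5}", "x{9}y{9}" };
    for (size_t k = 0; k < sizeof patterns / sizeof patterns[0]; k++) {
        size_t est; long act;
        unsigned char *buf = compile_pattern(patterns[k], &est, &act);
        printf("%-10s estimated=%zu actual=%ld -> %s\n", patterns[k], est, act,
               buf ? "ok" : "REFUSED: pass 2 exceeds pass 1 (would overflow)");
        free(buf);
    }
    return 0;
}
```

The refused cases are exactly the shape of the advisory's bug: a well-formed-looking input for which the size pass and the emit pass disagree, so malloc hands out a block that the second pass then overruns.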
Participants (1): Levente Polyak