20995635 Perl TK needs to be upgraded to work with Perl 5.20
20994112 Perl XML::Parser needs to work with Perl 5.20
20989929 Perl net-ssleay needs to be fixed so it builds with Perl 5.20
20989909 Perl libxml needs to be fixed so it builds with Perl 5.20
20989894 Perl DBI - needs to be fixed so it builds with Perl 5.20
20989877 AUTHEN-PAM needs to be fixed so it builds with Perl 5.20
21195142 OpenSCAP's Makefile needs to be updated to work with Perl 5.20
21216887 Dependencies and references to Perl 5.16 need to be replaced with Perl 5.20
Patch from upstream:
http://vcs.pcre.org/pcre?view=revision&revision=1571
to fix CVE-2015-5073 for this upstream bug
https://bugs.exim.org/show_bug.cgi?id=1651
This patch may be removed when pcre is upgraded from version 8.37
--- pcre-8.37-orig/ChangeLog 2015-06-29 09:12:15.694261234 -0700
+++ pcre-8.37/ChangeLog 2015-06-29 09:29:45.739958088 -0700
@@ -27,6 +27,10 @@ Changes since Version 8.37
an empty string was repeated, it was not identified as matching an empty
string itself. For example: /^(?:(?(1)x|)+)+$()/.
+6. A pattern with an unmatched closing parenthesis that contained a backward
+ assertion which itself contained a forward reference caused buffer
+ overflow. And example pattern is: /(?=di(?<=(?1))|(?=(.))))/.
+
Version 8.37 28-April-2015
--------------------------
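Review bot: The last sentence of the added ChangeLog entry 6 has a typo: "And example pattern is" should read "An example pattern is". If the text is carried verbatim from upstream revision 1571, leave it identical so the patch drops out cleanly when pcre is upgraded past 8.37; otherwise correct it. The entry also does not name CVE-2015-5073, so the patch header is the only place that ties this change to the CVE.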
--- pcre-8.37-orig/pcre_compile.c 2015-06-29 09:12:15.695805136 -0700
+++ pcre-8.37/pcre_compile.c 2015-06-29 09:17:13.527304409 -0700
@@ -9406,7 +9406,7 @@ OP_RECURSE that are not fixed length get
exceptional ones forgo this. We scan the pattern to check that they are fixed
length, and set their lengths. */
-if (cd->check_lookbehind)
+if (errorcode == 0 && cd->check_lookbehind)
{
pcre_uchar *cc = (pcre_uchar *)codestart;
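Review bot: The new `errorcode == 0 &&` condition on the `cd->check_lookbehind` block is not explained by the comment directly above it, which still describes only the fixed-length scan. Add a sentence there stating that the scan is skipped once a compile error has been recorded, since the ChangeLog entry ties the overflow to a pattern that has already failed with unmatched parentheses. Without that, the guard looks like something a later cleanup could drop.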
--- pcre-8.37-orig/testdata/testinput2 2015-06-29 09:12:15.696414562 -0700
+++ pcre-8.37/testdata/testinput2 2015-06-29 09:24:55.146760633 -0700
@@ -4170,4 +4170,6 @@ backtracking verbs. --/
/^(?:(?(1)x|)+)+$()/BZ
+/(?=di(?<=(?1))|(?=(.))))/
+
/-- End of testinput2 --/
--- pcre-8.37-orig/testdata/testoutput2 2015-06-29 09:12:15.698016242 -0700
+++ pcre-8.37/testdata/testoutput2 2015-06-29 09:26:11.171270088 -0700
@@ -14474,4 +14474,7 @@ Failed: reference to non-existent subpat
End
------------------------------------------------------------------
+/(?=di(?<=(?1))|(?=(.))))/
+Failed: unmatched parentheses at offset 23
+
/-- End of testinput2 --/
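Review bot: The expected output added here only checks that the pattern is rejected with "unmatched parentheses at offset 23", so the test passes by text comparison and would not necessarily fail if the out-of-bounds access returned without changing the message. Run this test input under a memory checker (an AddressSanitizer or valgrind build, for example) in the component's test target so that a regression shows up as a memory error. The offset itself is consistent with the pattern: the final ")" at index 23 has no matching opener.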