CVE-2016-8859

NameCVE-2016-8859
DescriptionMultiple integer overflows in the TRE library and musl libc allow attackers to cause memory corruption via a large number of (1) states or (2) tags, which triggers an out-of-bounds write.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-687-1
Debian Bugs842169, 842171

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
musl (PTS)buster1.1.21-2fixed
bullseye1.2.2-1fixed
bookworm1.2.3-1fixed
sid, trixie1.2.5-1fixed
tre (PTS)buster, bullseye0.8.0-6fixed
sid, trixie, bookworm0.8.0-7fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
muslsourcejessie1.1.5-2+deb8u1
muslsource(unstable)1.1.15-2842171
tresourcewheezy0.8.0-3+deb7u1DLA-687-1
tresourcejessie0.8.0-4+deb8u1
tresource(unstable)0.8.0-5842169

Notes

https://www.openwall.com/lists/oss-security/2016/10/19/1
other issues may still be present in tre after this: https://github.com/laurikari/tre/issues/37
musl patch: http://git.musl-libc.org/cgit/musl/commit/?id=c3edc06d1e1360f3570db9155d6b318ae0d0f0f7, not released yet

Search for package or bug name: Reporting problems