
From: Tobias Heinlein <keytoaster@g.o>
To: gentoo-announce@g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200803-24 ] PCRE: Buffer overflow
Date: Tue, 18 Mar 2008 00:37:09
Message-Id: 47DF0D94.3030708@gentoo.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200803-24:02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: PCRE: Buffer overflow
Date: March 17, 2008
Updated: March 17, 2008
Bugs: #209067, #209293
ID: 200803-24:02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A buffer overflow vulnerability has been discovered in PCRE, allowing
for the execution of arbitrary code and Denial of Service.

Background
==========

PCRE is a Perl-compatible regular expression library. GLib includes a
copy of PCRE.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  dev-libs/libpcre        < 7.6-r1                         >= 7.6-r1
  2  dev-libs/glib           < 2.14.6                         >= 2.14.6
                                                               < 2.14.0
    -------------------------------------------------------------------
     2 affected packages on all of their supported architectures.
    -------------------------------------------------------------------

Description
===========

PCRE contains a buffer overflow vulnerability when processing a
character class containing a very large number of characters with
codepoints greater than 255.

Impact
======

A remote attacker could exploit this vulnerability by sending a
specially crafted regular expression to an application making use of
the PCRE library, which could possibly lead to the execution of
arbitrary code or a Denial of Service.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All PCRE users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-libs/libpcre-7.6-r1"

All GLib users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-libs/glib-2.14.6"

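The affected-packages table above is easy to misread for GLib, whose unaffected column lists two disjoint ranges (>= 2.14.6 and < 2.14.0), so only 2.14.0 through 2.14.5 are actually vulnerable. The following script, added here as an illustration and not part of the GLSA or of any Gentoo tool, encodes the table's ranges and classifies installed package versions against them. It assumes a simplified Gentoo version comparator (dotted numeric components plus an optional -rN revision; letter and _pre/_rc/_p suffixes are not handled) and a constructed sample list in the category/package-version form that `qlist -Iv` prints.

```python
"""Classify installed Gentoo package versions against GLSA 200803-24's ranges.

Version comparison is a deliberate simplification of the Package Manager
Specification: numeric components are compared as integer lists (so a
version with more components sorts after a shorter prefix, as in PMS),
then the -rN revision.  Suffixes such as 7.6_p1 or 2.14.6a are rejected.
"""
import re
from typing import Dict, List, Tuple

# Ranges transcribed from the "Affected packages" table of GLSA 200803-24.
GLSA_200803_24: Dict[str, Dict[str, List[str]]] = {
    "dev-libs/libpcre": {"vulnerable": ["< 7.6-r1"], "unaffected": [">= 7.6-r1"]},
    "dev-libs/glib": {"vulnerable": ["< 2.14.6"], "unaffected": [">= 2.14.6", "< 2.14.0"]},
}

# Constructed sample input (assumption for this example), qlist -Iv style.
INSTALLED = [
    "dev-libs/libpcre-7.6",
    "dev-libs/glib-2.14.3",
    "dev-libs/glib-2.12.12",
    "sys-libs/zlib-1.2.3",
]


def parse_version(v: str) -> Tuple[List[int], int]:
    """Split '7.6-r1' into ([7, 6], 1); revision defaults to 0."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-r(\d+))?", v)
    if not m:
        raise ValueError(f"unsupported version string: {v!r}")
    return [int(x) for x in m.group(1).split(".")], int(m.group(2) or 0)


def compare(a: str, b: str) -> int:
    """Return -1, 0 or 1 as version a is older than, equal to or newer than b."""
    nums_a, rev_a = parse_version(a)
    nums_b, rev_b = parse_version(b)
    if nums_a != nums_b:
        return -1 if nums_a < nums_b else 1
    return (rev_a > rev_b) - (rev_a < rev_b)


def matches(version: str, constraint: str) -> bool:
    """Evaluate a GLSA-style constraint such as '>= 7.6-r1' against a version."""
    op, _, bound = constraint.partition(" ")
    c = compare(version, bound)
    return {"<": c < 0, "<=": c <= 0, ">=": c >= 0, ">": c > 0, "=": c == 0}[op]


def status(package: str, version: str) -> str:
    """'unaffected', 'vulnerable', 'unknown' or 'not-listed' for one installed version.

    An unaffected range wins over a vulnerable one, which is what makes
    GLib < 2.14.0 safe even though it also satisfies '< 2.14.6'.
    """
    ranges = GLSA_200803_24.get(package)
    if ranges is None:
        return "not-listed"
    if any(matches(version, r) for r in ranges["unaffected"]):
        return "unaffected"
    if any(matches(version, r) for r in ranges["vulnerable"]):
        return "vulnerable"
    return "unknown"


def split_atom(atom: str) -> Tuple[str, str]:
    """Split 'dev-libs/libpcre-7.6-r1' into ('dev-libs/libpcre', '7.6-r1')."""
    m = re.fullmatch(r"(.+)-(\d[\d.]*(?:-r\d+)?)", atom)
    if not m:
        raise ValueError(f"cannot split package atom: {atom!r}")
    return m.group(1), m.group(2)


def audit(atoms: List[str]) -> List[Tuple[str, str]]:
    """Classify every installed atom; returns (atom, status) pairs."""
    return [(atom, status(*split_atom(atom))) for atom in atoms]


if __name__ == "__main__":
    for atom, verdict in audit(INSTALLED):
        print(f"{atom:32} {verdict}")
```

On a real system the INSTALLED list would come from `qlist -Iv dev-libs/libpcre dev-libs/glib`; the point of the script is that the check for GLib must honour both unaffected ranges rather than the single "< 2.14.6" vulnerable bound, and that a revision such as 7.6-r1 sorts after 7.6 even though the dotted part is identical.
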
References
==========

  [ 1 ] CVE-2008-0674
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0674

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200803-24.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.7 (GNU/Linux)

iD8DBQFH3w2UD/IBIJzjypERAkEBAJ90l88QfhQbz2cSxhOZsZNRmXHjDwCfT4tA
zJ4fapDOrpd8dukYZkMl/fM=
=D3Hn
-----END PGP SIGNATURE-----
--
gentoo-announce@l.g.o mailing list