Gentoo Archives: gentoo-announce

From: Pierre-Yves Rofes <py@g.o>
To: gentoo-announce@l.g.o
Cc: full-disclosure@××××××××××××××.uk, bugtraq@×××××××××××××.com, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200711-30 ] PCRE: Multiple vulnerabilities
Date: Tue, 20 Nov 2007 22:00:22
Message-Id: 4743554E.6060406@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200711-30
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: PCRE: Multiple vulnerabilities
Date: November 20, 2007
Bugs: #198198
ID: 200711-30

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

PCRE is vulnerable to multiple buffer overflow and memory corruption
vulnerabilities, possibly leading to the execution of arbitrary code.

Background
==========

PCRE is a library providing functions for Perl-compatible regular
expressions.

Affected packages
=================

-------------------------------------------------------------------
 Package              /  Vulnerable  /                   Unaffected
-------------------------------------------------------------------
1  dev-libs/libpcre         < 7.3-r1                       >= 7.3-r1

Description
===========

Tavis Ormandy (Google Security) discovered multiple vulnerabilities in
PCRE. He reported an error when processing "\Q\E" sequences with
unmatched "\E" codes that can lead to the compiled bytecode being
corrupted (CVE-2007-1659). PCRE does not properly calculate sizes for
unspecified "multiple forms of character class", which triggers a
buffer overflow (CVE-2007-1660). Further improper calculations of
memory boundaries were reported when matching certain input bytes
against regex patterns in non-UTF-8 mode (CVE-2007-1661) and when
searching for unmatched brackets or parentheses (CVE-2007-1662).
Multiple integer overflows when processing escape sequences may lead to
invalid memory read operations or potentially cause heap-based buffer
overflows (CVE-2007-4766). PCRE does not properly handle "\P" and
"\P{x}" sequences, which can lead to heap-based buffer overflows or
trigger infinite loops (CVE-2007-4767). PCRE is also prone to an error
when optimizing character classes containing a singleton UTF-8
sequence, which might lead to a heap-based buffer overflow
(CVE-2007-4768).

Chris Evans also reported multiple integer overflow vulnerabilities in
PCRE when processing a large number of named subpatterns ("name_count")
or long subpattern names ("max_name_size") (CVE-2006-7227), and via
large "min", "max", or "duplength" values (CVE-2006-7228), both possibly
leading to buffer overflows. Another vulnerability was reported when
compiling patterns where the "-x" or "-i" UTF-8 options change within
the pattern, which might lead to improper memory calculations
(CVE-2006-7230).

Impact
======

An attacker could exploit these vulnerabilities by sending specially
crafted regular expressions to applications making use of the PCRE
library, which could possibly lead to the execution of arbitrary code,
a Denial of Service or the disclosure of sensitive information.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All PCRE users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/libpcre-7.3-r1"
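
As an added check for the upgrade step above (example script, not part of the GLSA or of Gentoo's own tooling), this POSIX sh script decides whether an installed dev-libs/libpcre is older than 7.3-r1 by reading the Portage package database; it assumes the usual layout of /var/db/pkg (one directory <category>/<pkg>-<version> per installed package) and implements only the numeric-plus-revision part of Gentoo version ordering.

```sh
#!/bin/sh
# Added example, not part of the GLSA: report whether the installed
# dev-libs/libpcre is older than 7.3-r1, the first unaffected version.

# Print the N-th dot-separated component of a base version (without any
# -rN suffix), or 0 when that component is absent: vcomp 3 7.3 -> 0.
vcomp() {
    c=$(printf '%s\n' "$2" | cut -d. -f"$1")
    printf '%s\n' "${c:-0}"
}

# Exit 0 when Gentoo version A sorts before version B. Numeric components
# are compared first, then the -rN revision, so 7.3 < 7.3-r1 < 7.4.
# Suffixes such as _p1 or _rc1 are not handled (libpcre does not use them).
version_lt() {
    a_base=${1%%-r*}; b_base=${2%%-r*}
    a_rev=0; b_rev=0
    case $1 in *-r*) a_rev=${1##*-r} ;; esac
    case $2 in *-r*) b_rev=${2##*-r} ;; esac
    for i in 1 2 3; do
        a=$(vcomp "$i" "$a_base"); b=$(vcomp "$i" "$b_base")
        [ "$a" -lt "$b" ] && return 0
        [ "$a" -gt "$b" ] && return 1
    done
    [ "$a_rev" -lt "$b_rev" ]
}

# Scan a Portage package database (assumed layout: /var/db/pkg with one
# directory <category>/<pkg>-<version> per installed package). Prints a
# verdict for every installed libpcre; exit 0 if any of them is vulnerable.
libpcre_vulnerable() {
    found=1
    for dir in "$1"/dev-libs/libpcre-*; do
        [ -d "$dir" ] || continue
        ver=${dir##*/libpcre-}
        if version_lt "$ver" 7.3-r1; then
            echo "dev-libs/libpcre-$ver: VULNERABLE, upgrade to >=dev-libs/libpcre-7.3-r1"
            found=0
        else
            echo "dev-libs/libpcre-$ver: unaffected"
        fi
    done
    return $found
}

# Run directly as: sh check-libpcre.sh /var/db/pkg
# With no argument only the functions are defined (handy for sourcing).
[ $# -eq 0 ] || libpcre_vulnerable "$1"
```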

References
==========

[ 1 ] CVE-2006-7227
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7227
[ 2 ] CVE-2006-7228
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7228
[ 3 ] CVE-2006-7230
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7230
[ 4 ] CVE-2007-1659
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1659
[ 5 ] CVE-2007-1660
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1660
[ 6 ] CVE-2007-1661
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1661
[ 7 ] CVE-2007-1662
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1662
[ 8 ] CVE-2007-4766
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4766
[ 9 ] CVE-2007-4767
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4767
[ 10 ] CVE-2007-4768
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4768

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200711-30.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5