lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <877ic04idj.fsf@mid.deneb.enyo.de>
Date: Sat, 05 Jul 2008 14:37:12 +0200
From: Florian Weimer <fw@...eb.enyo.de>
To: bugtraq@...urityfocus.com
Subject: [SECURITY] [DSA 1602-1] New pcre3 packages fix arbitrary code execution

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1602-1                  security@...ian.org
http://www.debian.org/security/                           Florian Weimer
July 05, 2008                         http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : pcre3
Vulnerability  : buffer overflow
Problem type   : local (remote)
Debian-specific: no
CVE Id(s)      : CVE-2008-2371

Tavis Ormandy discovered that PCRE, the Perl-Compatible Regular
Expression library, may encounter a heap overflow condition when
compiling certain regular expressions involving in-pattern options and
branches, potentially leading to arbitrary code execution. 

For the stable distribution (etch), this problem has been fixed in
version 6.7+7.4-4.

For the unstable distribution (sid), this problem has been fixed soon.

We recommend that you upgrade your pcre3 packages.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Source archives:

  http://security.debian.org/pool/updates/main/p/pcre3/pcre3_6.7+7.4-4.dsc
    Size/MD5 checksum:      888 9ef88cd7ab592b3799211018f8d20f63
  http://security.debian.org/pool/updates/main/p/pcre3/pcre3_6.7+7.4-4.diff.gz
    Size/MD5 checksum:    83574 2d9686b5b3a5480aa528bd89cdea12a6
  http://security.debian.org/pool/updates/main/p/pcre3/pcre3_6.7+7.4.orig.tar.gz
    Size/MD5 checksum:  1106897 de886b22cddc8eaf620a421d3041ee0b

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/p/pcre3/pcregrep_6.7+7.4-4_alpha.deb
    Size/MD5 checksum:    21038 72545720bee988d70381cf56ac08ab3e
  http://security.debian.org/pool/updates/main/p/pcre3/libpcrecpp0_6.7+7.4-4_alpha.deb
    Size/MD5 checksum:    91302 039876d52014e88686119445734f6ec7
  http://security.debian.org/pool/updates/main/p/pcre3/libpcre3-dev_6.7+7.4-4_alpha.deb
    Size/MD5 checksum:   264154 19f60bc08e3f2a5d8ca305851f44ef55
  http://security.debian.org/pool/updates/main/p/pcre3/libpcre3_6.7+7.4-4_alpha.deb
    Size/MD5 checksum:   209168 f19f07f81f4b9259c7b061faf7d9fc7c

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/p/pcre3/libpcrecpp0_6.7+7.4-4_amd64.deb
    Size/MD5 checksum:    89984 c92634b92f00d7f41991d58d3ad690bc
  http://security.debian.org/pool/updates/main/p/pcre3/libpcre3_6.7+7.4-4_amd64.deb
    Size/MD5 checksum:   198552 2760ab9ccf2cdf8b7fec89e4068feba7
  http://security.debian.org/pool/updates/main/p/pcre3/libpcre3-dev_6.7+7.4-4_amd64.deb
    Size/MD5 checksum:   250032 68f3c4360bc41358bb97f546bcb0e3ce
  http://security.debian.org/pool/updates/main/p/pcre3/pcregrep_6.7+7.4-4_amd64.deb
    Size/MD5 checksum:    20150 9bed90914b31ea7f11810c3b99d5b5c6

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/p/pcre3/libpcrecpp0_6.7+7.4-4_arm.deb
    Size/MD5 checksum:    88966 41f8ee2780754174274009055c952079
  http://security.debian.org/pool/updates/main/p/pcre3/pcregrep_6.7+7.4-4_arm.deb
    Size/MD5 checksum:    19920 f10b8d7a5c6366136813af67d0a8b7ff
  http://security.debian.org/pool/updates/main/p/pcre3/libpcre3-dev_6.7+7.4-4_arm.deb
    Size/MD5 checksum:   243970 8becd101006adf3dfca88607c07d3086
  http://security.debian.org/pool/updates/main/p/pcre3/libpcre3_6.7+7.4-4_arm.deb
    Size/MD5 checksum:   198322 b2c55ac5d7a2be62c5b5e8cb6d0c48f2

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/p/pcre3/libpcrecpp0_6.7+7.4-4_hppa.deb
    Size/MD5 checksum:    92266 b9236279f24acead3acfed524d87d1bd
  http://security.debian.org/pool/updates/main/p/pcre3/libpcre3-dev_6.7+7.4-4_hppa.deb
    Size/MD5 checksum:   255722 f0a3084a3683ece8f0c10ffd937ef252
  http://security.debian.org/pool/updates/main/p/pcre3/libpcre3_6.7+7.4-4_hppa.deb
    Size/MD5 checksum:   202446 5e552d19b502810cf640eb8c11776736
  http://security.debian.org/pool/updates/main/p/pcre3/pcregrep_6.7+7.4-4_hppa.deb
    Size/MD5 checksum:    20726 aa317ebe8c30e18966b3786acc1398b9

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/p/pcre3/libpcrecpp0_6.7+7.4-4_i386.deb
    Size/MD5 checksum:    89862 60a49383c76120d08e4d300564b659db
  http://security.debian.org/pool/updates/main/p/pcre3/libpcre3-dev_6.7+7.4-4_i386.deb
    Size/MD5 checksum:   246934 b20ff56ba4289860f1d09a75abfa3505
  http://security.debian.org/pool/updates/main/p/pcre3/pcregrep_6.7+7.4-4_i386.deb
    Size/MD5 checksum:    19348 dcded2ff2a56d461e522ac11647ab4f2
  http://security.debian.org/pool/updates/main/p/pcre3/libpcre3_6.7+7.4-4_i386.deb
    Size/MD5 checksum:   196894 30a9803ec2c737702228c88b121d1544

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/p/pcre3/libpcre3_6.7+7.4-4_ia64.deb
    Size/MD5 checksum:   230688 264ad5d5665e602b2f692b899fd0a5e9
  http://security.debian.org/pool/updates/main/p/pcre3/pcregrep_6.7+7.4-4_ia64.deb
    Size/MD5 checksum:    25658 538af9aabca0427844e955f028c050e4
  http://security.debian.org/pool/updates/main/p/pcre3/libpcre3-dev_6.7+7.4-4_ia64.deb
    Size/MD5 checksum:   280674 e4d8e19abeed7202102e94597c4798e8
  http://security.debian.org/pool/updates/main/p/pcre3/libpcrecpp0_6.7+7.4-4_ia64.deb
    Size/MD5 checksum:    93858 c6cf88e6acf726bd4179658e0f2bbe9e

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/p/pcre3/libpcre3_6.7+7.4-4_mips.deb
    Size/MD5 checksum:   198430 ac574108ba4f6ae4b70179b7d6b5d7c9
  http://security.debian.org/pool/updates/main/p/pcre3/libpcre3-dev_6.7+7.4-4_mips.deb
    Size/MD5 checksum:   253526 77b402e25c797abf1f7557e106326667
  http://security.debian.org/pool/updates/main/p/pcre3/libpcrecpp0_6.7+7.4-4_mips.deb
    Size/MD5 checksum:    90538 e1671c5b76cca0256a8d41b8f9e419e3
  http://security.debian.org/pool/updates/main/p/pcre3/pcregrep_6.7+7.4-4_mips.deb
    Size/MD5 checksum:    20424 766ce624fa24e42d04b53511e1cbed21

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/p/pcre3/libpcrecpp0_6.7+7.4-4_mipsel.deb
    Size/MD5 checksum:    90520 2dc1625becce40f479e50fdcf075571b
  http://security.debian.org/pool/updates/main/p/pcre3/libpcre3-dev_6.7+7.4-4_mipsel.deb
    Size/MD5 checksum:   252396 52692425252b9c4263fb2899918d0966
  http://security.debian.org/pool/updates/main/p/pcre3/libpcre3_6.7+7.4-4_mipsel.deb
    Size/MD5 checksum:   197616 f228905aa01a3ae35801dc9b9b12c0ef
  http://security.debian.org/pool/updates/main/p/pcre3/pcregrep_6.7+7.4-4_mipsel.deb
    Size/MD5 checksum:    20454 e991967c20b95fe40b0f45acd9eafa1d

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/p/pcre3/libpcre3_6.7+7.4-4_powerpc.deb
    Size/MD5 checksum:   197676 2debc2e40a4b17f562f82e5304ce8f4a
  http://security.debian.org/pool/updates/main/p/pcre3/libpcre3-dev_6.7+7.4-4_powerpc.deb
    Size/MD5 checksum:   253048 e442f8398410b41db288e77c36b4cd5f
  http://security.debian.org/pool/updates/main/p/pcre3/libpcrecpp0_6.7+7.4-4_powerpc.deb
    Size/MD5 checksum:    92152 bd22696efa2ad001a602c73d614f046c
  http://security.debian.org/pool/updates/main/p/pcre3/pcregrep_6.7+7.4-4_powerpc.deb
    Size/MD5 checksum:    21270 88d9a6a11ccb43ad9d7e2f6418875619

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/p/pcre3/libpcre3_6.7+7.4-4_s390.deb
    Size/MD5 checksum:   200044 6476b48137e32a76c3c85b09a901c0bc
  http://security.debian.org/pool/updates/main/p/pcre3/libpcrecpp0_6.7+7.4-4_s390.deb
    Size/MD5 checksum:    90586 de5f46464693e513d4045c0e037585ab
  http://security.debian.org/pool/updates/main/p/pcre3/pcregrep_6.7+7.4-4_s390.deb
    Size/MD5 checksum:    20108 cdd1618521e5e64d04e5e26a49803b4f
  http://security.debian.org/pool/updates/main/p/pcre3/libpcre3-dev_6.7+7.4-4_s390.deb
    Size/MD5 checksum:   248498 4de3715c9a55f4aa0ba33fcde49ee7cd

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/p/pcre3/libpcre3_6.7+7.4-4_sparc.deb
    Size/MD5 checksum:   197656 06f3298311fba7fb8bb4a072372c79b4
  http://security.debian.org/pool/updates/main/p/pcre3/pcregrep_6.7+7.4-4_sparc.deb
    Size/MD5 checksum:    19420 a4c54f7f457816b8e1f087055e959e23
  http://security.debian.org/pool/updates/main/p/pcre3/libpcre3-dev_6.7+7.4-4_sparc.deb
    Size/MD5 checksum:   247278 7c41012b79be5869fcf03f6c71be98b0
  http://security.debian.org/pool/updates/main/p/pcre3/libpcrecpp0_6.7+7.4-4_sparc.deb
    Size/MD5 checksum:    88798 5905a7ee0d9a17c564ef929655fd8cd7


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@...ts.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iQEVAwUBSG9qy797/wQC1SS+AQLgTAf/YR4rAg05rv0thz4uNk7G5kXEX1lvYB21
ZqCENxEqQGSQIu9Zm3ciyUwtzqeVljzb2crPN5uZmLtQvxYCjQtsHYINc0tEyNhD
vsnBKn1Qb8uN+mgMNRnhWE59cwGJJB9r+f6ni366lsJYORcuGwRsy5zH/wA1DWGt
oTun+1d/0CQU6yGGnqrIuHKrCO8XYPAShAyJUdXyuh/L2jpwCOjIB3x9j1AoDk5C
8z6ZssI1BtOy3SdPxALlJpNP7gi54DrvBnskieJKVxcZv7xe7p7GP8IJI3oK7zNe
I8Ne8xxYrhGtonZEM9txhfuxHucw1LLsNMqTJturHxA+GTf4y9pnJw==
=ifkq
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ