[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20071127025812.GQ8789@outflux.net>
Date: Mon, 26 Nov 2007 18:58:12 -0800
From: Kees Cook <kees@...ntu.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-547-1] PCRE vulnerabilities
===========================================================
Ubuntu Security Notice USN-547-1 November 27, 2007
pcre3 vulnerabilities
CVE-2007-1659, CVE-2007-1660, CVE-2007-1661, CVE-2007-1662,
CVE-2007-4766, CVE-2007-4767, CVE-2007-4768
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04
Ubuntu 7.10
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
libpcre3 7.4-0ubuntu0.6.06.1
libpcrecpp0 7.4-0ubuntu0.6.06.1
Ubuntu 6.10:
libpcre3 7.4-0ubuntu0.6.10.1
libpcrecpp0 7.4-0ubuntu0.6.10.1
Ubuntu 7.04:
libpcre3 7.4-0ubuntu0.7.04.1
libpcrecpp0 7.4-0ubuntu0.7.04.1
Ubuntu 7.10:
libpcre3 7.4-0ubuntu0.7.10.1
libpcrecpp0 7.4-0ubuntu0.7.10.1
After a standard system upgrade you need to reboot your computer to
effect the necessary changes.
Due to the large internal code changes needed to solve outstanding flaws,
it was not possible to backport all the upstream security fixes to the
earlier released versions. To address this, the pcre3 library has been
updated to the latest stable release (7.4), which includes fixes for
all known security issues. While the new version is ABI compatible,
efforts have been taken to maintain behavioral compatibility with the
earlier versions.
Details follow:
Tavis Ormandy and Will Drewry discovered multiple flaws in the regular
expression handling of PCRE. By tricking a user or service into running
specially crafted expressions via applications linked against libpcre3,
a remote attacker could crash the application, monopolize CPU resources,
or possibly execute arbitrary code with the application's privileges.
Updated packages for Ubuntu 6.06 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/pcre3_7.4-0ubuntu0.6.06.1.diff.gz
Size/MD5: 79804 404e9d3c5f0f13a5bac7fa99115ad1af
http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/pcre3_7.4-0ubuntu0.6.06.1.dsc
Size/MD5: 619 feb0f718df6ff5f42f1895bcbe6e6c16
http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/pcre3_7.4.orig.tar.gz
Size/MD5: 1106897 de886b22cddc8eaf620a421d3041ee0b
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/universe/p/pcre3/pgrep_7.4-0ubuntu0.6.06.1_all.deb
Size/MD5: 774 d68b2ef645092b61be193deb856461a0
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3-dev_7.4-0ubuntu0.6.06.1_amd64.deb
Size/MD5: 254754 2c35de5f62db0cf07fcc4e4483b42657
http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3_7.4-0ubuntu0.6.06.1_amd64.deb
Size/MD5: 198544 055a4358bcc65f14a2fddb08611dc0e0
http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcrecpp0_7.4-0ubuntu0.6.06.1_amd64.deb
Size/MD5: 90168 7aeacbfc73aba347bb511b7f2ebeee8c
http://security.ubuntu.com/ubuntu/pool/universe/p/pcre3/pcregrep_7.4-0ubuntu0.6.06.1_amd64.deb
Size/MD5: 20352 d3ba33a855fd3a0d9895961060ab1735
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3-dev_7.4-0ubuntu0.6.06.1_i386.deb
Size/MD5: 246392 a7111664cb51a414274b41890a25b630
http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3_7.4-0ubuntu0.6.06.1_i386.deb
Size/MD5: 194018 33151d8814634d20f04c4de74d6dcb3d
http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcrecpp0_7.4-0ubuntu0.6.06.1_i386.deb
Size/MD5: 88470 0111206d9aa5bbe0e835ee435ba10d3d
http://security.ubuntu.com/ubuntu/pool/universe/p/pcre3/pcregrep_7.4-0ubuntu0.6.06.1_i386.deb
Size/MD5: 18962 2fed65e4956b2869abc8c9ebe13ad9f1
powerpc architecture (Apple Macintosh G3/G4/G5):
http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3-dev_7.4-0ubuntu0.6.06.1_powerpc.deb
Size/MD5: 258570 877b0f07892df6842ab89465e5dba187
http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3_7.4-0ubuntu0.6.06.1_powerpc.deb
Size/MD5: 199696 88816572a1f48b2ef8ed06f68b8e9a58
http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcrecpp0_7.4-0ubuntu0.6.06.1_powerpc.deb
Size/MD5: 91244 f7a0b07960c7500b62460ea3be67c0bf
http://security.ubuntu.com/ubuntu/pool/universe/p/pcre3/pcregrep_7.4-0ubuntu0.6.06.1_powerpc.deb
Size/MD5: 21374 57f2b2873049bec20bef050cde9c95d5
sparc architecture (Sun SPARC/UltraSPARC):
http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3-dev_7.4-0ubuntu0.6.06.1_sparc.deb
Size/MD5: 250178 bb538eda8d6d2c5e7ed9fa1b51758406
http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3_7.4-0ubuntu0.6.06.1_sparc.deb
Size/MD5: 196584 55c303aa170dd4ed99b784358ff561f2
http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcrecpp0_7.4-0ubuntu0.6.06.1_sparc.deb
Size/MD5: 87906 e4058b0e057b0c53df801b72b9d4ed73
http://security.ubuntu.com/ubuntu/pool/universe/p/pcre3/pcregrep_7.4-0ubuntu0.6.06.1_sparc.deb
Size/MD5: 19578 0218527dd1c7b255c63e441314ccc543
Updated packages for Ubuntu 6.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/pcre3_7.4-0ubuntu0.6.10.1.diff.gz
Size/MD5: 80152 b83de951145b011f6b75b6d8245ddfa4
http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/pcre3_7.4-0ubuntu0.6.10.1.dsc
Size/MD5: 612 92ec1632360396bafc811a451b22902b
http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/pcre3_7.4.orig.tar.gz
Size/MD5: 1106897 de886b22cddc8eaf620a421d3041ee0b
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3-dev_7.4-0ubuntu0.6.10.1_amd64.deb
Size/MD5: 255118 c399294a293b8f331eab5f0c0e483e30
http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3_7.4-0ubuntu0.6.10.1_amd64.deb
Size/MD5: 198426 3119610ea2b3f9959e05e116f2f91a52
http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcrecpp0_7.4-0ubuntu0.6.10.1_amd64.deb
Size/MD5: 90958 d2dbb7110d1ce0e25b645fe8a36e0050
http://security.ubuntu.com/ubuntu/pool/universe/p/pcre3/pcregrep_7.4-0ubuntu0.6.10.1_amd64.deb
Size/MD5: 20378 d42439c81168ec115ae716be8da7de04
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3-dev_7.4-0ubuntu0.6.10.1_i386.deb
Size/MD5: 250882 1c54985f4186baaf1ad01508ab663d27
http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3_7.4-0ubuntu0.6.10.1_i386.deb
Size/MD5: 197528 e684e4dc19bad714f1bdf8f981588025
http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcrecpp0_7.4-0ubuntu0.6.10.1_i386.deb
Size/MD5: 89840 67205ab0d2a704c8cd258bbef2ff2e80
http://security.ubuntu.com/ubuntu/pool/universe/p/pcre3/pcregrep_7.4-0ubuntu0.6.10.1_i386.deb
Size/MD5: 19446 aa0b6b900a7c8492b69d7a80f225d0f7
powerpc architecture (Apple Macintosh G3/G4/G5):
http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3-dev_7.4-0ubuntu0.6.10.1_powerpc.deb
Size/MD5: 257610 3b688ce661ccda74848f9c41a4471ea2
http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3_7.4-0ubuntu0.6.10.1_powerpc.deb
Size/MD5: 198242 2dac5f37646c7ff62ffc25131e4856ea
http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcrecpp0_7.4-0ubuntu0.6.10.1_powerpc.deb
Size/MD5: 91980 0c57a6930cc2d50c22ab628af10a36f0
http://security.ubuntu.com/ubuntu/pool/universe/p/pcre3/pcregrep_7.4-0ubuntu0.6.10.1_powerpc.deb
Size/MD5: 21508 be9eb52bcc5329ec904940f92e6c81df
sparc architecture (Sun SPARC/UltraSPARC):
http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3-dev_7.4-0ubuntu0.6.10.1_sparc.deb
Size/MD5: 252264 e26ebabb3058da2f267a0ccef529b6f4
http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3_7.4-0ubuntu0.6.10.1_sparc.deb
Size/MD5: 198786 3fa031be365964d34fcd50c5d0dcdd84
http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcrecpp0_7.4-0ubuntu0.6.10.1_sparc.deb
Size/MD5: 88754 6a5bac9777fa5d70697c60f35d6dab3b
http://security.ubuntu.com/ubuntu/pool/universe/p/pcre3/pcregrep_7.4-0ubuntu0.6.10.1_sparc.deb
Size/MD5: 20026 73d13963312cee1e0b3335a8bf71e160
Updated packages for Ubuntu 7.04:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/pcre3_7.4-0ubuntu0.7.04.1.diff.gz
Size/MD5: 80014 4044f7dfba605b537fef90b7a18539e6
http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/pcre3_7.4-0ubuntu0.7.04.1.dsc
Size/MD5: 696 d406e3d25e9ab03e01d53c793df000bc
http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/pcre3_7.4.orig.tar.gz
Size/MD5: 1106897 de886b22cddc8eaf620a421d3041ee0b
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3-dev_7.4-0ubuntu0.7.04.1_amd64.deb
Size/MD5: 255118 9516332360443e3a01614211be382b0e
http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3_7.4-0ubuntu0.7.04.1_amd64.deb
Size/MD5: 198870 395b0a95be52882cf30893368eeb6909
http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcrecpp0_7.4-0ubuntu0.7.04.1_amd64.deb
Size/MD5: 91452 e5935ccd7c7ce3e9a4c1ce2001dc36b2
http://security.ubuntu.com/ubuntu/pool/universe/p/pcre3/pcregrep_7.4-0ubuntu0.7.04.1_amd64.deb
Size/MD5: 20464 af243aaa50a5501cce0f200e8a0c7750
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3-dev_7.4-0ubuntu0.7.04.1_i386.deb
Size/MD5: 250856 bb7f5405cfc95892c399bc898b8c86c0
http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3_7.4-0ubuntu0.7.04.1_i386.deb
Size/MD5: 197928 3c68a3a2e4989c1d74fd85919de4bcc9
http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcrecpp0_7.4-0ubuntu0.7.04.1_i386.deb
Size/MD5: 91100 6ae343ec05a9857b04f92aa724f843ad
http://security.ubuntu.com/ubuntu/pool/universe/p/pcre3/pcregrep_7.4-0ubuntu0.7.04.1_i386.deb
Size/MD5: 19534 c0f4ffd9a29c6890122a70fb8267c6c0
powerpc architecture (Apple Macintosh G3/G4/G5):
http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3-dev_7.4-0ubuntu0.7.04.1_powerpc.deb
Size/MD5: 257568 7896530f0615dd4c680d4d03f75ba576
http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3_7.4-0ubuntu0.7.04.1_powerpc.deb
Size/MD5: 201742 2f4a75504ff4d87b28576238a8958198
http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcrecpp0_7.4-0ubuntu0.7.04.1_powerpc.deb
Size/MD5: 94300 60068d42904cdb54e6f6a5115592cf3b
http://security.ubuntu.com/ubuntu/pool/universe/p/pcre3/pcregrep_7.4-0ubuntu0.7.04.1_powerpc.deb
Size/MD5: 22686 4100af5f9edaf66efe2727ff06bc51d8
sparc architecture (Sun SPARC/UltraSPARC):
http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3-dev_7.4-0ubuntu0.7.04.1_sparc.deb
Size/MD5: 252112 d059e10ad36241a1d5a9a508ec735fe0
http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3_7.4-0ubuntu0.7.04.1_sparc.deb
Size/MD5: 199448 3c5b576388d7d2844bcc54c348a4101d
http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcrecpp0_7.4-0ubuntu0.7.04.1_sparc.deb
Size/MD5: 89960 abb894a69d08221a90056996187b49f8
http://security.ubuntu.com/ubuntu/pool/universe/p/pcre3/pcregrep_7.4-0ubuntu0.7.04.1_sparc.deb
Size/MD5: 20404 3c4d38c9d2221f5b222c996e2d29102c
Updated packages for Ubuntu 7.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/pcre3_7.4-0ubuntu0.7.10.1.diff.gz
Size/MD5: 10689 6365e91923f762cb60c0f4f28b8d0460
http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/pcre3_7.4-0ubuntu0.7.10.1.dsc
Size/MD5: 696 b090e57fbe0322b2f41bcc71f948fd7f
http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/pcre3_7.4.orig.tar.gz
Size/MD5: 1106897 de886b22cddc8eaf620a421d3041ee0b
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3-dev_7.4-0ubuntu0.7.10.1_amd64.deb
Size/MD5: 255484 d898fba576450cd6ab06a7847fdb6649
http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3_7.4-0ubuntu0.7.10.1_amd64.deb
Size/MD5: 205306 5b55120ebc3d99bcbe5a6f88ee18cbba
http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcrecpp0_7.4-0ubuntu0.7.10.1_amd64.deb
Size/MD5: 91228 c7c5be0cc3beb749681dbe8bfefc5dd6
http://security.ubuntu.com/ubuntu/pool/universe/p/pcre3/pcregrep_7.4-0ubuntu0.7.10.1_amd64.deb
Size/MD5: 20420 f78aba0fafcd102df0514c7db36d77dc
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3-dev_7.4-0ubuntu0.7.10.1_i386.deb
Size/MD5: 251024 e9c2c5baff1728f9935bf391dbee6dca
http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3_7.4-0ubuntu0.7.10.1_i386.deb
Size/MD5: 204256 a5e225e3278e383eabcaa2cec8713161
http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcrecpp0_7.4-0ubuntu0.7.10.1_i386.deb
Size/MD5: 90914 0c99fd00bec685fa89f75cb852903b78
http://security.ubuntu.com/ubuntu/pool/universe/p/pcre3/pcregrep_7.4-0ubuntu0.7.10.1_i386.deb
Size/MD5: 19482 2032fe8a6dd6a02a4c2c5d9df052c52f
powerpc architecture (Apple Macintosh G3/G4/G5):
http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3-dev_7.4-0ubuntu0.7.10.1_powerpc.deb
Size/MD5: 257600 2eecf3225a0182b2895c5bd10de2df89
http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3_7.4-0ubuntu0.7.10.1_powerpc.deb
Size/MD5: 208024 e6ea026dd56cd613e13b5028fb49d998
http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcrecpp0_7.4-0ubuntu0.7.10.1_powerpc.deb
Size/MD5: 94210 0ee006a42190a404c8d59b3cfd4fffec
http://security.ubuntu.com/ubuntu/pool/universe/p/pcre3/pcregrep_7.4-0ubuntu0.7.10.1_powerpc.deb
Size/MD5: 22656 34ed68af2083e1516cf508c906504705
sparc architecture (Sun SPARC/UltraSPARC):
http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3-dev_7.4-0ubuntu0.7.10.1_sparc.deb
Size/MD5: 252250 d38d41d35e77b30acaa020deb3398c10
http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3_7.4-0ubuntu0.7.10.1_sparc.deb
Size/MD5: 205744 b138bf8b4b4f3c89d9f903fbe52f8149
http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcrecpp0_7.4-0ubuntu0.7.10.1_sparc.deb
Size/MD5: 89800 2088854f7c82f267c8e4c40e481109cf
http://security.ubuntu.com/ubuntu/pool/universe/p/pcre3/pcregrep_7.4-0ubuntu0.7.10.1_sparc.deb
Size/MD5: 20364 c6453310b30d9847336b8c092c510138
Download attachment "signature.asc" of type "application/pgp-signature" (190 bytes)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists