lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20071127025812.GQ8789@outflux.net>
Date: Mon, 26 Nov 2007 18:58:12 -0800
From: Kees Cook <kees@...ntu.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-547-1] PCRE vulnerabilities

=========================================================== 
Ubuntu Security Notice USN-547-1          November 27, 2007
pcre3 vulnerabilities
CVE-2007-1659, CVE-2007-1660, CVE-2007-1661, CVE-2007-1662,
CVE-2007-4766, CVE-2007-4767, CVE-2007-4768
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04
Ubuntu 7.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  libpcre3                        7.4-0ubuntu0.6.06.1
  libpcrecpp0                     7.4-0ubuntu0.6.06.1

Ubuntu 6.10:
  libpcre3                        7.4-0ubuntu0.6.10.1
  libpcrecpp0                     7.4-0ubuntu0.6.10.1

Ubuntu 7.04:
  libpcre3                        7.4-0ubuntu0.7.04.1
  libpcrecpp0                     7.4-0ubuntu0.7.04.1

Ubuntu 7.10:
  libpcre3                        7.4-0ubuntu0.7.10.1
  libpcrecpp0                     7.4-0ubuntu0.7.10.1

After a standard system upgrade you need to reboot your computer to
effect the necessary changes.

Due to the large internal code changes needed to solve outstanding flaws,
it was not possible to backport all the upstream security fixes to the
earlier released versions.  To address this, the pcre3 library has been
updated to the latest stable release (7.4), which includes fixes for
all known security issues.  While the new version is ABI compatible,
efforts have been taken to maintain behavioral compatibility with the
earlier versions.

Details follow:

Tavis Ormandy and Will Drewry discovered multiple flaws in the regular
expression handling of PCRE.  By tricking a user or service into running
specially crafted expressions via applications linked against libpcre3,
a remote attacker could crash the application, monopolize CPU resources,
or possibly execute arbitrary code with the application's privileges.


Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/pcre3_7.4-0ubuntu0.6.06.1.diff.gz
      Size/MD5:    79804 404e9d3c5f0f13a5bac7fa99115ad1af
    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/pcre3_7.4-0ubuntu0.6.06.1.dsc
      Size/MD5:      619 feb0f718df6ff5f42f1895bcbe6e6c16
    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/pcre3_7.4.orig.tar.gz
      Size/MD5:  1106897 de886b22cddc8eaf620a421d3041ee0b

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/universe/p/pcre3/pgrep_7.4-0ubuntu0.6.06.1_all.deb
      Size/MD5:      774 d68b2ef645092b61be193deb856461a0

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3-dev_7.4-0ubuntu0.6.06.1_amd64.deb
      Size/MD5:   254754 2c35de5f62db0cf07fcc4e4483b42657
    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3_7.4-0ubuntu0.6.06.1_amd64.deb
      Size/MD5:   198544 055a4358bcc65f14a2fddb08611dc0e0
    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcrecpp0_7.4-0ubuntu0.6.06.1_amd64.deb
      Size/MD5:    90168 7aeacbfc73aba347bb511b7f2ebeee8c
    http://security.ubuntu.com/ubuntu/pool/universe/p/pcre3/pcregrep_7.4-0ubuntu0.6.06.1_amd64.deb
      Size/MD5:    20352 d3ba33a855fd3a0d9895961060ab1735

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3-dev_7.4-0ubuntu0.6.06.1_i386.deb
      Size/MD5:   246392 a7111664cb51a414274b41890a25b630
    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3_7.4-0ubuntu0.6.06.1_i386.deb
      Size/MD5:   194018 33151d8814634d20f04c4de74d6dcb3d
    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcrecpp0_7.4-0ubuntu0.6.06.1_i386.deb
      Size/MD5:    88470 0111206d9aa5bbe0e835ee435ba10d3d
    http://security.ubuntu.com/ubuntu/pool/universe/p/pcre3/pcregrep_7.4-0ubuntu0.6.06.1_i386.deb
      Size/MD5:    18962 2fed65e4956b2869abc8c9ebe13ad9f1

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3-dev_7.4-0ubuntu0.6.06.1_powerpc.deb
      Size/MD5:   258570 877b0f07892df6842ab89465e5dba187
    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3_7.4-0ubuntu0.6.06.1_powerpc.deb
      Size/MD5:   199696 88816572a1f48b2ef8ed06f68b8e9a58
    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcrecpp0_7.4-0ubuntu0.6.06.1_powerpc.deb
      Size/MD5:    91244 f7a0b07960c7500b62460ea3be67c0bf
    http://security.ubuntu.com/ubuntu/pool/universe/p/pcre3/pcregrep_7.4-0ubuntu0.6.06.1_powerpc.deb
      Size/MD5:    21374 57f2b2873049bec20bef050cde9c95d5

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3-dev_7.4-0ubuntu0.6.06.1_sparc.deb
      Size/MD5:   250178 bb538eda8d6d2c5e7ed9fa1b51758406
    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3_7.4-0ubuntu0.6.06.1_sparc.deb
      Size/MD5:   196584 55c303aa170dd4ed99b784358ff561f2
    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcrecpp0_7.4-0ubuntu0.6.06.1_sparc.deb
      Size/MD5:    87906 e4058b0e057b0c53df801b72b9d4ed73
    http://security.ubuntu.com/ubuntu/pool/universe/p/pcre3/pcregrep_7.4-0ubuntu0.6.06.1_sparc.deb
      Size/MD5:    19578 0218527dd1c7b255c63e441314ccc543

Updated packages for Ubuntu 6.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/pcre3_7.4-0ubuntu0.6.10.1.diff.gz
      Size/MD5:    80152 b83de951145b011f6b75b6d8245ddfa4
    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/pcre3_7.4-0ubuntu0.6.10.1.dsc
      Size/MD5:      612 92ec1632360396bafc811a451b22902b
    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/pcre3_7.4.orig.tar.gz
      Size/MD5:  1106897 de886b22cddc8eaf620a421d3041ee0b

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3-dev_7.4-0ubuntu0.6.10.1_amd64.deb
      Size/MD5:   255118 c399294a293b8f331eab5f0c0e483e30
    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3_7.4-0ubuntu0.6.10.1_amd64.deb
      Size/MD5:   198426 3119610ea2b3f9959e05e116f2f91a52
    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcrecpp0_7.4-0ubuntu0.6.10.1_amd64.deb
      Size/MD5:    90958 d2dbb7110d1ce0e25b645fe8a36e0050
    http://security.ubuntu.com/ubuntu/pool/universe/p/pcre3/pcregrep_7.4-0ubuntu0.6.10.1_amd64.deb
      Size/MD5:    20378 d42439c81168ec115ae716be8da7de04

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3-dev_7.4-0ubuntu0.6.10.1_i386.deb
      Size/MD5:   250882 1c54985f4186baaf1ad01508ab663d27
    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3_7.4-0ubuntu0.6.10.1_i386.deb
      Size/MD5:   197528 e684e4dc19bad714f1bdf8f981588025
    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcrecpp0_7.4-0ubuntu0.6.10.1_i386.deb
      Size/MD5:    89840 67205ab0d2a704c8cd258bbef2ff2e80
    http://security.ubuntu.com/ubuntu/pool/universe/p/pcre3/pcregrep_7.4-0ubuntu0.6.10.1_i386.deb
      Size/MD5:    19446 aa0b6b900a7c8492b69d7a80f225d0f7

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3-dev_7.4-0ubuntu0.6.10.1_powerpc.deb
      Size/MD5:   257610 3b688ce661ccda74848f9c41a4471ea2
    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3_7.4-0ubuntu0.6.10.1_powerpc.deb
      Size/MD5:   198242 2dac5f37646c7ff62ffc25131e4856ea
    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcrecpp0_7.4-0ubuntu0.6.10.1_powerpc.deb
      Size/MD5:    91980 0c57a6930cc2d50c22ab628af10a36f0
    http://security.ubuntu.com/ubuntu/pool/universe/p/pcre3/pcregrep_7.4-0ubuntu0.6.10.1_powerpc.deb
      Size/MD5:    21508 be9eb52bcc5329ec904940f92e6c81df

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3-dev_7.4-0ubuntu0.6.10.1_sparc.deb
      Size/MD5:   252264 e26ebabb3058da2f267a0ccef529b6f4
    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3_7.4-0ubuntu0.6.10.1_sparc.deb
      Size/MD5:   198786 3fa031be365964d34fcd50c5d0dcdd84
    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcrecpp0_7.4-0ubuntu0.6.10.1_sparc.deb
      Size/MD5:    88754 6a5bac9777fa5d70697c60f35d6dab3b
    http://security.ubuntu.com/ubuntu/pool/universe/p/pcre3/pcregrep_7.4-0ubuntu0.6.10.1_sparc.deb
      Size/MD5:    20026 73d13963312cee1e0b3335a8bf71e160

Updated packages for Ubuntu 7.04:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/pcre3_7.4-0ubuntu0.7.04.1.diff.gz
      Size/MD5:    80014 4044f7dfba605b537fef90b7a18539e6
    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/pcre3_7.4-0ubuntu0.7.04.1.dsc
      Size/MD5:      696 d406e3d25e9ab03e01d53c793df000bc
    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/pcre3_7.4.orig.tar.gz
      Size/MD5:  1106897 de886b22cddc8eaf620a421d3041ee0b

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3-dev_7.4-0ubuntu0.7.04.1_amd64.deb
      Size/MD5:   255118 9516332360443e3a01614211be382b0e
    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3_7.4-0ubuntu0.7.04.1_amd64.deb
      Size/MD5:   198870 395b0a95be52882cf30893368eeb6909
    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcrecpp0_7.4-0ubuntu0.7.04.1_amd64.deb
      Size/MD5:    91452 e5935ccd7c7ce3e9a4c1ce2001dc36b2
    http://security.ubuntu.com/ubuntu/pool/universe/p/pcre3/pcregrep_7.4-0ubuntu0.7.04.1_amd64.deb
      Size/MD5:    20464 af243aaa50a5501cce0f200e8a0c7750

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3-dev_7.4-0ubuntu0.7.04.1_i386.deb
      Size/MD5:   250856 bb7f5405cfc95892c399bc898b8c86c0
    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3_7.4-0ubuntu0.7.04.1_i386.deb
      Size/MD5:   197928 3c68a3a2e4989c1d74fd85919de4bcc9
    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcrecpp0_7.4-0ubuntu0.7.04.1_i386.deb
      Size/MD5:    91100 6ae343ec05a9857b04f92aa724f843ad
    http://security.ubuntu.com/ubuntu/pool/universe/p/pcre3/pcregrep_7.4-0ubuntu0.7.04.1_i386.deb
      Size/MD5:    19534 c0f4ffd9a29c6890122a70fb8267c6c0

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3-dev_7.4-0ubuntu0.7.04.1_powerpc.deb
      Size/MD5:   257568 7896530f0615dd4c680d4d03f75ba576
    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3_7.4-0ubuntu0.7.04.1_powerpc.deb
      Size/MD5:   201742 2f4a75504ff4d87b28576238a8958198
    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcrecpp0_7.4-0ubuntu0.7.04.1_powerpc.deb
      Size/MD5:    94300 60068d42904cdb54e6f6a5115592cf3b
    http://security.ubuntu.com/ubuntu/pool/universe/p/pcre3/pcregrep_7.4-0ubuntu0.7.04.1_powerpc.deb
      Size/MD5:    22686 4100af5f9edaf66efe2727ff06bc51d8

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3-dev_7.4-0ubuntu0.7.04.1_sparc.deb
      Size/MD5:   252112 d059e10ad36241a1d5a9a508ec735fe0
    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3_7.4-0ubuntu0.7.04.1_sparc.deb
      Size/MD5:   199448 3c5b576388d7d2844bcc54c348a4101d
    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcrecpp0_7.4-0ubuntu0.7.04.1_sparc.deb
      Size/MD5:    89960 abb894a69d08221a90056996187b49f8
    http://security.ubuntu.com/ubuntu/pool/universe/p/pcre3/pcregrep_7.4-0ubuntu0.7.04.1_sparc.deb
      Size/MD5:    20404 3c4d38c9d2221f5b222c996e2d29102c

Updated packages for Ubuntu 7.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/pcre3_7.4-0ubuntu0.7.10.1.diff.gz
      Size/MD5:    10689 6365e91923f762cb60c0f4f28b8d0460
    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/pcre3_7.4-0ubuntu0.7.10.1.dsc
      Size/MD5:      696 b090e57fbe0322b2f41bcc71f948fd7f
    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/pcre3_7.4.orig.tar.gz
      Size/MD5:  1106897 de886b22cddc8eaf620a421d3041ee0b

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3-dev_7.4-0ubuntu0.7.10.1_amd64.deb
      Size/MD5:   255484 d898fba576450cd6ab06a7847fdb6649
    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3_7.4-0ubuntu0.7.10.1_amd64.deb
      Size/MD5:   205306 5b55120ebc3d99bcbe5a6f88ee18cbba
    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcrecpp0_7.4-0ubuntu0.7.10.1_amd64.deb
      Size/MD5:    91228 c7c5be0cc3beb749681dbe8bfefc5dd6
    http://security.ubuntu.com/ubuntu/pool/universe/p/pcre3/pcregrep_7.4-0ubuntu0.7.10.1_amd64.deb
      Size/MD5:    20420 f78aba0fafcd102df0514c7db36d77dc

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3-dev_7.4-0ubuntu0.7.10.1_i386.deb
      Size/MD5:   251024 e9c2c5baff1728f9935bf391dbee6dca
    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3_7.4-0ubuntu0.7.10.1_i386.deb
      Size/MD5:   204256 a5e225e3278e383eabcaa2cec8713161
    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcrecpp0_7.4-0ubuntu0.7.10.1_i386.deb
      Size/MD5:    90914 0c99fd00bec685fa89f75cb852903b78
    http://security.ubuntu.com/ubuntu/pool/universe/p/pcre3/pcregrep_7.4-0ubuntu0.7.10.1_i386.deb
      Size/MD5:    19482 2032fe8a6dd6a02a4c2c5d9df052c52f

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3-dev_7.4-0ubuntu0.7.10.1_powerpc.deb
      Size/MD5:   257600 2eecf3225a0182b2895c5bd10de2df89
    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3_7.4-0ubuntu0.7.10.1_powerpc.deb
      Size/MD5:   208024 e6ea026dd56cd613e13b5028fb49d998
    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcrecpp0_7.4-0ubuntu0.7.10.1_powerpc.deb
      Size/MD5:    94210 0ee006a42190a404c8d59b3cfd4fffec
    http://security.ubuntu.com/ubuntu/pool/universe/p/pcre3/pcregrep_7.4-0ubuntu0.7.10.1_powerpc.deb
      Size/MD5:    22656 34ed68af2083e1516cf508c906504705

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3-dev_7.4-0ubuntu0.7.10.1_sparc.deb
      Size/MD5:   252250 d38d41d35e77b30acaa020deb3398c10
    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3_7.4-0ubuntu0.7.10.1_sparc.deb
      Size/MD5:   205744 b138bf8b4b4f3c89d9f903fbe52f8149
    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcrecpp0_7.4-0ubuntu0.7.10.1_sparc.deb
      Size/MD5:    89800 2088854f7c82f267c8e4c40e481109cf
    http://security.ubuntu.com/ubuntu/pool/universe/p/pcre3/pcregrep_7.4-0ubuntu0.7.10.1_sparc.deb
      Size/MD5:    20364 c6453310b30d9847336b8c092c510138


Download attachment "signature.asc" of type "application/pgp-signature" (190 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ