LWN.net Logo

Advertisement

Developers Wanted

Aztek Networks. Linux, C++ developers wanted. Embedded, Power-PC target.

Advertise here

Not logged in

Log in now

Create an account

Subscribe to LWN

Sponsored link

Serve your customers, not your servers, with VERIO Linux VPS. Full-access test-drive here.

Recent Features

LWN.net Weekly Edition for May 15, 2008

Distributed bug tracking

A Talk with Fedora Project Leader Paul Frields

LWN.net Weekly Edition for May 8, 2008

Blizzard tests the reach of copyright law

Printable page
Weekly edition Kernel Security Distributions Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ

Fedora alert FEDORA-2008-1842 (pcre)



From:
    	      updates@fedoraproject.org


To:
    	      fedora-package-announce@redhat.com


Subject:
    	      [SECURITY] Fedora 7 Update: pcre-7.3-3.fc7


Date:
    	      Thu, 06 Mar 2008 16:37:25 +0000


Message-ID:
    	      <200803061638.m26GbuvK013264@bastion.fedora.phx.redhat.com>


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2008-1842
2008-03-06 16:11:59
--------------------------------------------------------------------------------

Name        : pcre
Product     : Fedora 7
Version     : 7.3
Release     : 3.fc7
URL         : http://www.pcre.org/
Summary     : Perl-compatible regular expression library
Description :
Perl-compatible regular expression library.
PCRE has its own native API, but a set of "wrapper" functions that are based on
the POSIX API are also supplied in the library libpcreposix. Note that this
just provides a POSIX calling interface to PCRE: the regular expressions
themselves still follow Perl syntax and semantics. The header file
for the POSIX-style functions is called pcreposix.h.

--------------------------------------------------------------------------------
Update Information:

This update re-based pcre to version 7.3 as used in Fedora 8 to address multiple
security issues that cause memory corruption, leading to application crash or
possible execution of arbitrary code.    CVE-2007-1659 (#315871), CVE-2007-1661
(#392931), CVE-2007-1662 (#392921), CVE-2007-4766 (#392891), CVE-2007-4767
(#392901), CVE-2007-4768 (#392911), CVE-2008-0674 (#431660)    This issue may
affect usages of pcre, where regular expressions from untrusted sources are
compiled.  Handling of untrusted data using trusted regular expressions is not
affected by these problems.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Feb 12 2008 Tomas Hoger <thoger@redhat.com> - 7.3-3
- Backport patch from upstream pcre 7.6 to address buffer overflow
  caused by "a character class containing a very large number of
  characters with codepoints greater than 255 (in UTF-8 mode)"
  CVE-2008-0674, #431660
- Try re-enabling make check again.
* Fri Nov 16 2007 Stepan Kasal <skasal@redhat.com> - 7.3-2
- Remove obsolete ``reqs''
- add dist tag
- update BuildRoot
* Mon Sep 17 2007 Than Ngo <than@redhat.com> - 7.3-1
- bz292501, update to 7.3
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #315871 - CVE-2007-1659 pcre regular expression flaws
        https://bugzilla.redhat.com/show_bug.cgi?id=315871
  [ 2 ] Bug #392891 - CVE-2007-4766: pcre < 7.3 integer overflows
        https://bugzilla.redhat.com/show_bug.cgi?id=392891
  [ 3 ] Bug #392901 - CVE-2007-4767: pcre < 7.3 \p, \P, \P{x] length calculation issue
        https://bugzilla.redhat.com/show_bug.cgi?id=392901
  [ 4 ] Bug #392911 - CVE-2007-4768: pcre before 7.3 incorrect unicode in char class optimization
        https://bugzilla.redhat.com/show_bug.cgi?id=392911
  [ 5 ] Bug #392921 - CVE-2007-1662: pcre < 7.3 unmatched bracket/paren past EoS read issue
        https://bugzilla.redhat.com/show_bug.cgi?id=392921
  [ 6 ] Bug #392931 - CVE-2007-1661: pcre < 7.3 non-UTF-8 over-backtracking issue
        https://bugzilla.redhat.com/show_bug.cgi?id=392931
  [ 7 ] Bug #431660 - pcre: buffer overflow via large UTF-8 character class
        https://bugzilla.redhat.com/show_bug.cgi?id=431660
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update pcre' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
http://fedoraproject.org/keys
--------------------------------------------------------------------------------

_______________________________________________
Fedora-package-announce mailing list
Fedora-package-announce@redhat.com
http://www.redhat.com/mailman/listinfo/fedora-package-ann...
(Log in to post comments)

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds
Powered by Rackspace Managed Hosting.