<<< Date Index >>>     <<< Thread Index >>>

[OpenPKG-SA-2005.018] OpenPKG Security Advisory (pcre)



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@xxxxxxxxxxx                         openpkg@xxxxxxxxxxx
OpenPKG-SA-2005.018                                          05-Sep-2005
________________________________________________________________________

Package:             pcre
Vulnerability:       arbitrary code execution
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= pcre-6.1-20050622        >= pcre-6.2-20050802
                     <= exim-4.52-20050701       >= exim-4.52-20050905
                     <= fsl-1.6.0-20050808       >= fsl-1.6.0-20050905
                     <= hypermail-2.1.8-20050324 >= hypermail-2.1.8-20050905
                     <= l2-0.9.10-20050615       >= l2-0.9.10-20050905
                     <= str-0.9.10-20050615      >= str-0.9.10-20050905
                     <= lmtp2nntp-1.3.0-20050615 >= lmtp2nntp-1.3.0-20050905
                     <= tin-1.6.2-20040207       >= tin-1.6.2-20050905
                     <= wml-2.0.9-20050617       >= wml-2.0.9-20050905
OpenPKG 2.4          <= pcre-6.0-2.4.0           >= pcre-6.0-2.4.1        
                     <= exim-4.51-2.4.0          >= exim-4.51-2.4.1       
                     <= fsl-1.6.0-2.4.0          >= fsl-1.6.0-2.4.1       
                     <= hypermail-2.1.8-2.4.0    >= hypermail-2.1.8-2.4.1 
                     <= l2-0.9.10-2.4.0          >= l2-0.9.10-2.4.1       
                     <= str-0.9.10-2.4.0         >= str-0.9.10-2.4.1      
                     <= lmtp2nntp-1.3.0-2.4.0    >= lmtp2nntp-1.3.0-2.4.1 
                     <= tin-1.6.2-2.4.0          >= tin-1.6.2-2.4.1       
                     <= wml-2.0.9-2.4.0          >= wml-2.0.9-2.4.1       
OpenPKG 2.3          <= pcre-5.0-2.3.0           >= pcre-5.0-2.3.1
                     <= exim-4.50-2.3.0          >= exim-4.50-2.3.1
                     <= fsl-1.6.0-2.3.2          >= fsl-1.6.0-2.3.3
                     <= hypermail-2.1.8-2.3.0    >= hypermail-2.1.8-2.3.1
                     <= l2-0.9.10-2.3.1          >= l2-0.9.10-2.3.2
                     <= str-0.9.10-2.3.1         >= str-0.9.10-2.3.2
                     <= lmtp2nntp-1.3.0-2.3.1    >= lmtp2nntp-1.3.0-2.3.2
                     <= tin-1.6.2-2.3.0          >= tin-1.6.2-2.3.1
                     <= wml-2.0.9-2.3.1          >= wml-2.0.9-2.3.2

Dependent Packages:  aide analog apache apachetop arpd cfengine cvs
                     cvsd dbtool dhcp-agent dhcpd diogene87 dnrd
                     drac ethereal ettercap flowd flowtools gated
                     grep honeyd imapd inetutils inn ircd kde-libs
                     kerberos kermit lighttpd mixmaster monit msntp
                     nagios nessus-tool ngircd nntpcache nsd ntp
                     openldap openssh openvpn petidomo php php5 pks
                     portfwd portsentry postfix pound powerdns privoxy
                     prngd procmail pureftpd qpopper r rbldnsd rdist
                     samhain sasl scponly sendmail smtpfeed snmp snort
                     softflowd sophie spamassassin squid ssmtp stunnel
                     sudo sysmon tacacs teapop tftp thttpd tinyproxy
                     tripwire ucarp whoson

Description:
  An integer overflow problem was discovered in the Perl Compatible
  Regular Expressions (PCRE) [1] library, version 6.2 and earlier.
  The problem allows a remote or local attacker to execute arbitrary
  code by causing a heap-based buffer overflow via quantifier values
  in regular expressions. As PCRE is a popular library, this problem
  affects many applications. The Common Vulnerabilities and Exposures
  (CVE) project assigned the id CAN-2005-2491 [2] to the problem.

  Please check whether you are affected by running "<prefix>/bin/openpkg
  rpm -q pcre". If you have the "pcre" package installed and its version
  is affected (see above), we recommend that you immediately upgrade it
  (see Solution) and its dependent packages (see above), too [3][4].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the
  binary RPM [4]. For the most recent release OpenPKG 2.4, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.4/UPD
  ftp> get pcre-6.0-2.4.1.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig pcre-6.0-2.4.1.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild pcre-6.0-2.4.1.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/pcre-6.0-2.4.1.*.rpm

  Additionally, we recommend that you rebuild and reinstall
  all dependent packages (see above), too [3][4].
________________________________________________________________________

References:
  [1] http://www.pcre.org/
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2491
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/2.4/UPD/pcre-6.0-2.4.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/2.3/UPD/pcre-5.0-2.3.1.src.rpm
  [7] ftp://ftp.openpkg.org/release/2.4/UPD/
  [8] ftp://ftp.openpkg.org/release/2.3/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@xxxxxxxxxxx>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@xxxxxxxxxxx>

iD8DBQFDHG3jgHWT4GPEy58RAlJ6AKCRpeXSjDgtyjThecNIWmFY+kLWqwCg5tR0
TboY1Zy6BjvYZzjPLE4dH6Q=
=mj3k
-----END PGP SIGNATURE-----