Bug#: 103554
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Sune Kloppenborg Jeppesen <jaervosz@gentoo.org>
Bug 103554 depends on: 104807

Description:   Opened: 2005-08-23 22:12 0000
The following packages (and others) could contain the vulnerable libpcre 
library: 
 
exim 
Python 
gnumeric 
apache 
nmap (Fyodor reports that nmap is safe though) 
postfix 
php 
.... 
 
I'm not sure which uses the included one and which uses the external one.

------- Comment #1 From Thierry Carrez (RETIRED) 2005-08-24 07:09:25 0000 -------
They are vulnerable only if they use untrusted inputs as PCRE.
nmap and postfix ebuilds have a libpcre depend.

------- Comment #2 From Thierry Carrez (RETIRED) 2005-08-27 01:52:34 0000 -------
A bug was opened for PHP (Mandriva released an advisory). That leaves us with
the following to analyze :

exim 
Python 
gnumeric 
apache 

+ do a more thorough check to find others ?

------- Comment #3 From Thierry Carrez (RETIRED) 2005-08-27 02:10:46 0000 -------
Bug 103894 opened to track exim

------- Comment #4 From Thierry Carrez (RETIRED) 2005-08-28 01:12:36 0000 -------
gnumeric and Python bugs opened after Mandriva disclosure.

------- Comment #5 From Thierry Carrez (RETIRED) 2005-08-31 02:18:36 0000 -------
Keeping this bug to track Apache.
The idea would be to link to the system libpcre rather than using the
included-in-Apache-sources one.

------- Comment #6 From Thierry Carrez (RETIRED) 2005-09-06 01:32:42 0000 -------
Fixed in Apache httpd 2.0.55-dev :
  low: PCRE overflow CAN-2005-2491
  An integer overflow flaw was found in PCRE, a Perl-compatible regular
expression library included within httpd. A local user who has the ability to
create .htaccess files could create a maliciously crafted regular expression in
such a way that they could gain the privileges of a httpd child.

Patch at :
http://svn.apache.org/viewcvs?rev=233493&view=rev

------- Comment #7 From Paul Querna 2005-09-06 08:39:41 0000 -------
I don't believe that patch will apply cleanly, since it is against PCRE 5.0,
not 3.9 that httpd-2.0 comes with.

------- Comment #8 From Thierry Carrez (RETIRED) 2005-09-06 09:04:08 0000 -------
Ah. I apparently got lost in the branches.

This one should apply better to 2.0:
http://people.apache.org/~jorton/CAN-2005-2491.patch

------- Comment #9 From Michael Stewart (vericgar) (RETIRED) 2005-09-08 16:41:04 0000 -------
If someone else from the apache herd doesn't step up to fix this, I'll take
care of it this weekend.

------- Comment #10 From Michael Stewart (vericgar) (RETIRED) 2005-09-10 15:49:22 0000 -------
New ebuilds in CVS.

Apache 2 old-style should upgrade to:
=net-www/apache-2.0.54-r15

Apache 2 new-style should upgrade to:
=net-www/apache-2.0.54-r30

------- Comment #11 From Sune Kloppenborg Jeppesen 2005-09-10 23:36:20 0000 -------
Handling stable marking on bug #104807 

------- Comment #12 From Thierry Carrez (RETIRED) 2005-09-19 01:33:26 0000 -------
GLSA 200509-12
