Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 198198 - dev-libs/libpcre < 7.3-r1 Multiple memory corruptions (CVE-2006-{7224,7227,7228,7230},CVE-2007-{1659,1660,1661,1662,4766,4767,4768})
Summary: dev-libs/libpcre < 7.3-r1 Multiple memory corruptions (CVE-2006-{7224,7227,72...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
URL: http://secunia.com/advisories/27543/
Whiteboard: A2 [glsa]
Keywords:
Depends on: 195416
Blocks:
  Show dependency tree
 
Reported: 2007-11-05 19:55 UTC by Robert Buchholz (RETIRED)
Modified: 2007-11-20 21:56 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2007-11-05 19:55:03 UTC
Copied from RedHat's BZ:

CVE-2007-1659:
unmatched \Q\E sequences with orphan \E codes can cause the compiled
regex to become desynchronized, resulting in corrupt bytecode that may
result in multiple exploitable conditions. This was inadvertently
fixed by the pcre maintainer in version 7.0, however another case of a
lone \E inside a character class remained, this has been fixed in 7.3

CVE-2007-1660:
multiple forms of character class had their sizes miscalculated on
initial passes, resulting in too little memory being allocated, this
was also inadvertently fixed in version 7.0, where the compile phase
was entirely re-engineered (and much improved, from a security
standpoint).

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2007-1659
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2007-1660
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2007-11-05 20:10:40 UTC
According to the comments, 7.3 is unaffected. Stabling takes place in bug #195416 since 2007-10-10. The only missing keywords right now are "arm m68k mips s390 sh".

What's left to do is a GLSA and an audit of other packages that ship code copies, I'm after that.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2007-11-06 17:18:23 UTC
More issues.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2007-11-09 10:23:27 UTC
CVE names are public, GLSA request filed.
Comment 4 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-11-20 21:56:32 UTC
GLSA 200711-30