Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 103337

Summary: <=dev-libs/libpcre-6.1 - Heap Overflow May Let Users Execute Arbitrary Code
Product: Gentoo Security Reporter: Carsten Lohrke (RETIRED) <carlo>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: eradicator
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B1 [glsa] DerCorny
Package list:
Runtime testing required: ---
Attachments:
Description Flags
Maybe a bit lame, but helps till the real ebuild comes none

Description Carsten Lohrke (RETIRED) gentoo-dev 2005-08-22 06:51:19 UTC 
A remote or local user may be able to supply a specially crafted regular
expression to trigger a heap integer overflow in PCRE.

http://www.securitytracker.com/alerts/2005/Aug/1014744.html
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-08-22 06:59:48 UTC 
"Applications that parse untrusted regular expressions may be vulnerable."
Not sure that's very common. Should of course be fixed nevertheless.
Comment 2 Andreas Waschbuesch 2005-08-22 08:41:04 UTC 
PCRE 6.3 is available:

ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/
Comment 3 Peter Schölzer 2005-08-22 09:55:08 UTC 
Created attachment 66565 [details]
Maybe a bit lame, but helps till the real ebuild comes
Comment 4 Jeremy Huddleston (RETIRED) gentoo-dev 2005-08-22 13:39:31 UTC 
6.3 is in portage.

What's the m68k alias?
Comment 5 Markus Rothe (RETIRED) gentoo-dev 2005-08-23 00:55:49 UTC 
stable on ppc64
Comment 6 Aaron Walker (RETIRED) gentoo-dev 2005-08-23 10:14:26 UTC 
stable on mips.
Comment 7 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-08-23 11:12:43 UTC 
Stable on ppc, added vapier for m68k.
Comment 8 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-08-23 11:19:03 UTC 
Also stable on hppa.
Comment 9 Fabian Groffen gentoo-dev 2005-08-23 11:22:03 UTC 
stable on ppc-macos
Comment 10 Fernando J. Pereda (RETIRED) gentoo-dev 2005-08-23 12:42:26 UTC 
We came, we tested, we alpha'd.

Cheers,
Ferdy
Comment 11 Stefan Cornelius (RETIRED) gentoo-dev 2005-08-23 12:48:25 UTC 
Security covered arches stable, ready for GLSA.
Comment 12 Stefan Cornelius (RETIRED) gentoo-dev 2005-08-25 12:03:23 UTC 
GLSA 200508-17
Thanks to everybody involved.
Comment 13 Carsten Lohrke (RETIRED) gentoo-dev 2005-08-25 12:30:41 UTC 
Minor issue: The GLSA says <6.3 is affected, but from the annnouncement it's <6.2.
Comment 14 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-08-25 12:38:42 UTC 
I don't think we've ever had a 6.2 in Portage.