The following packages (and others) could contain the vulnerable libpcre
nmap (Fyodor reports that nmap is safe though)
I'm not sure which uses the included one and which uses the external one.
They are vulnerable only if they use untrusted inputs as PCRE.
nmap and postfix ebuilds have a libpcre depend.
A bug was opened for PHP (Mandriva released an advisory). That leaves us with
the following to analyze :
+ do a more thorough check to find others ?
Bug 103894 opened to track exim
gnumeric and Python bugs opened after Mandriva disclosure.
Keeping this bug to track Apache.
The idea would be to link to the system libpcre rather than using the
Fixed in Apache httpd 2.0.55-dev :
low: PCRE overflow CAN-2005-2491
An integer overflow flaw was found in PCRE, a Perl-compatible regular
expression library included within httpd. A local user who has the ability to
create .htaccess files could create a maliciously crafted regular expression in
such as way that they could gain the privileges of a httpd child.
Patch at :
I don't believe that patch will apply cleanly, since it is against PCRE 5.0, not
3.9 that httpd-2.0 comes with.
Ah. I apparently got lost in the branches.
This one should apply better to 2.0:
If someone else from the apache herd doesn't step up to fix this, I'll take care
of it this weekend.
New ebuilds in CVS.
Apache 2 old-style should upgrade to:
Apache 2 new-style should upgrade to:
Handling stable marking on bug #104807