Bug 103554 - net-www/apache: vulnerability in included libpcre (CAN-2005-2491)
Summary: net-www/apache: vulnerability in included libpcre (CAN-2005-2491)
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Whiteboard: B2 [glsa] jaervosz
Depends on: 104807
Reported: 2005-08-23 22:12 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2005-09-19 01:33 UTC

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-08-23 22:12:57 UTC
The following packages (and others) could contain the vulnerable libpcre 
nmap (Fyodor reports that nmap is safe though) 
I'm not sure which uses the included one and which uses the external one.
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-08-24 07:09:25 UTC
They are vulnerable only if they use untrusted inputs as PCRE.
nmap and postfix ebuilds have a libpcre depend.
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-08-27 01:52:34 UTC
A bug was opened for PHP (Mandriva released an advisory). That leaves us with
the following to analyze:


+ do a more thorough check to find others?
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-08-27 02:10:46 UTC
Bug 103894 opened to track exim
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-08-28 01:12:36 UTC
gnumeric and Python bugs opened after Mandriva disclosure.
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-08-31 02:18:36 UTC
Keeping this bug to track Apache.
The idea would be to link to the system libpcre rather than using the
included-in-Apache-sources one.
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-09-06 01:32:42 UTC
Fixed in Apache httpd 2.0.55-dev:
  low: PCRE overflow CAN-2005-2491
  An integer overflow flaw was found in PCRE, a Perl-compatible regular
expression library included within httpd. A local user who has the ability to
create .htaccess files could create a maliciously crafted regular expression in
such a way that they could gain the privileges of a httpd child.

Patch at:
Comment 7 Paul Querna 2005-09-06 08:39:41 UTC
I don't believe that patch will apply cleanly, since it is against PCRE 5.0, not
3.9 that httpd-2.0 comes with.
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2005-09-06 09:04:08 UTC
Ah. I apparently got lost in the branches.

This one should apply better to 2.0:
Comment 9 Michael Stewart (vericgar) (RETIRED) gentoo-dev 2005-09-08 16:41:04 UTC
If someone else from the apache herd doesn't step up to fix this, I'll take care
of it this weekend.
Comment 10 Michael Stewart (vericgar) (RETIRED) gentoo-dev 2005-09-10 15:49:22 UTC
New ebuilds in CVS.

Apache 2 old-style should upgrade to:

Apache 2 new-style should upgrade to:
Comment 11 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-09-10 23:36:20 UTC
Handling stable marking on bug #104807 
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2005-09-19 01:33:26 UTC
GLSA 200509-12