Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bugzilla DB migration completed. Please report issues to Infra team via email via infra@gentoo.org or IRC
Bug 103554 - net-www/apache: vulnerability in included libpcre (CAN-2005-2491)
Summary: net-www/apache: vulnerability in included libpcre (CAN-2005-2491)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa] jaervosz
Keywords:
Depends on: 104807
Blocks:
  Show dependency tree
 
Reported: 2005-08-23 22:12 UTC by Sune Kloppenborg Jeppesen
Modified: 2005-09-19 01:33 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen gentoo-dev 2005-08-23 22:12:57 UTC
The following packages (and others) could contain the vulnerable libpcre 
library: 
 
exim 
Python 
gnumeric 
apache 
nmap (Fyodor reports that nmap is safe though) 
postfix 
php 
.... 
 
I'm not sure which uses the included one and which uses the external one.
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-08-24 07:09:25 UTC
They are vulnerable only if they use untrusted inputs as PCRE.
nmap and postfix ebuilds have a libpcre depend.
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-08-27 01:52:34 UTC
A bug was opened for PHP (Mandriva released an advisory). That leaves us with
the following to analyze :

exim 
Python 
gnumeric 
apache 

+ do a more thorough check to find others ?
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-08-27 02:10:46 UTC
Bug 103894 opened to track exim
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-08-28 01:12:36 UTC
gnumeric and Python bugs opened after Mandriva disclosure.
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-08-31 02:18:36 UTC
Keeping this bug to track Apache.
The idea would be to link to the system libpcre rather than using the
included-in-Apache-sources one.
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-09-06 01:32:42 UTC
Fixed in Apache httpd 2.0.55-dev :
  low: PCRE overflow CAN-2005-2491
  An integer overflow flaw was found in PCRE, a Perl-compatible regular
expression library included within httpd. A local user who has the ability to
create .htaccess files could create a maliciously crafted regular expression in
such as way that they could gain the privileges of a httpd child.

Patch at :
http://svn.apache.org/viewcvs?rev=233493&view=rev
Comment 7 Paul Querna 2005-09-06 08:39:41 UTC
I don't believe that patch will apply cleanly, since it is against PCRE 5.0, not
3.9 that httpd-2.0 comes with.
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2005-09-06 09:04:08 UTC
Ah. I apparently got lost in the branches.

This one should apply better to 2.0:
http://people.apache.org/~jorton/CAN-2005-2491.patch
Comment 9 Michael Stewart (vericgar) (RETIRED) gentoo-dev 2005-09-08 16:41:04 UTC
If someone else from the apache herd doesn't step up to fix this, I'll take care
of it this weekend.
Comment 10 Michael Stewart (vericgar) (RETIRED) gentoo-dev 2005-09-10 15:49:22 UTC
New ebuilds in CVS.

Apache 2 old-style should upgrade to:
=net-www/apache-2.0.54-r15

Apache 2 new-style should upgrade to:
=net-www/apache-2.0.54-r30
Comment 11 Sune Kloppenborg Jeppesen gentoo-dev 2005-09-10 23:36:20 UTC
Handling stable marking on bug #104807 
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2005-09-19 01:33:26 UTC
GLSA 200509-12