[OpenPKG-SA-2005.018] OpenPKG Security Advisory (pcre)

From: OpenPKG (openpkg_at_openpkg.org)
Date: 09/05/05

  • Next message: unsecure_at_writeme.com: "USB Lock Auto-Protect v1.5 - Local Password Encryption Weakness"
    Date: Mon, 5 Sep 2005 18:10:36 +0200
    To: bugtraq@securityfocus.com

    Hash: SHA1


    OpenPKG Security Advisory The OpenPKG Project
    http://www.openpkg.org/security.html http://www.openpkg.org
    openpkg-security@openpkg.org openpkg@openpkg.org
    OpenPKG-SA-2005.018 05-Sep-2005

    Package: pcre
    Vulnerability: arbitrary code execution
    OpenPKG Specific: no

    Affected Releases: Affected Packages: Corrected Packages:
    OpenPKG CURRENT <= pcre-6.1-20050622 >= pcre-6.2-20050802
                         <= exim-4.52-20050701 >= exim-4.52-20050905
                         <= fsl-1.6.0-20050808 >= fsl-1.6.0-20050905
                         <= hypermail-2.1.8-20050324 >= hypermail-2.1.8-20050905
                         <= l2-0.9.10-20050615 >= l2-0.9.10-20050905
                         <= str-0.9.10-20050615 >= str-0.9.10-20050905
                         <= lmtp2nntp-1.3.0-20050615 >= lmtp2nntp-1.3.0-20050905
                         <= tin-1.6.2-20040207 >= tin-1.6.2-20050905
                         <= wml-2.0.9-20050617 >= wml-2.0.9-20050905
    OpenPKG 2.4 <= pcre-6.0-2.4.0 >= pcre-6.0-2.4.1
                         <= exim-4.51-2.4.0 >= exim-4.51-2.4.1
                         <= fsl-1.6.0-2.4.0 >= fsl-1.6.0-2.4.1
                         <= hypermail-2.1.8-2.4.0 >= hypermail-2.1.8-2.4.1
                         <= l2-0.9.10-2.4.0 >= l2-0.9.10-2.4.1
                         <= str-0.9.10-2.4.0 >= str-0.9.10-2.4.1
                         <= lmtp2nntp-1.3.0-2.4.0 >= lmtp2nntp-1.3.0-2.4.1
                         <= tin-1.6.2-2.4.0 >= tin-1.6.2-2.4.1
                         <= wml-2.0.9-2.4.0 >= wml-2.0.9-2.4.1
    OpenPKG 2.3 <= pcre-5.0-2.3.0 >= pcre-5.0-2.3.1
                         <= exim-4.50-2.3.0 >= exim-4.50-2.3.1
                         <= fsl-1.6.0-2.3.2 >= fsl-1.6.0-2.3.3
                         <= hypermail-2.1.8-2.3.0 >= hypermail-2.1.8-2.3.1
                         <= l2-0.9.10-2.3.1 >= l2-0.9.10-2.3.2
                         <= str-0.9.10-2.3.1 >= str-0.9.10-2.3.2
                         <= lmtp2nntp-1.3.0-2.3.1 >= lmtp2nntp-1.3.0-2.3.2
                         <= tin-1.6.2-2.3.0 >= tin-1.6.2-2.3.1
                         <= wml-2.0.9-2.3.1 >= wml-2.0.9-2.3.2

    Dependent Packages: aide analog apache apachetop arpd cfengine cvs
                         cvsd dbtool dhcp-agent dhcpd diogene87 dnrd
                         drac ethereal ettercap flowd flowtools gated
                         grep honeyd imapd inetutils inn ircd kde-libs
                         kerberos kermit lighttpd mixmaster monit msntp
                         nagios nessus-tool ngircd nntpcache nsd ntp
                         openldap openssh openvpn petidomo php php5 pks
                         portfwd portsentry postfix pound powerdns privoxy
                         prngd procmail pureftpd qpopper r rbldnsd rdist
                         samhain sasl scponly sendmail smtpfeed snmp snort
                         softflowd sophie spamassassin squid ssmtp stunnel
                         sudo sysmon tacacs teapop tftp thttpd tinyproxy
                         tripwire ucarp whoson

      An integer overflow problem was discovered in the Perl Compatible
      Regular Expressions (PCRE) [1] library, version 6.2 and earlier.
      The problem allows a remote or local attacker to execute arbitrary
      code by causing a heap-based buffer overflow via quantifier values
      in regular expressions. As PCRE is a popular library, this problem
      affects many applications. The Common Vulnerabilities and Exposures
      (CVE) project assigned the id CAN-2005-2491 [2] to the problem.

      Please check whether you are affected by running "<prefix>/bin/openpkg
      rpm -q pcre". If you have the "pcre" package installed and its version
      is affected (see above), we recommend that you immediately upgrade it
      (see Solution) and its dependent packages (see above), too [3][4].

      Select the updated source RPM appropriate for your OpenPKG release
      [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
      location, verify its integrity [9], build a corresponding binary RPM
      from it [3] and update your OpenPKG installation by applying the
      binary RPM [4]. For the most recent release OpenPKG 2.4, perform the
      following operations to permanently fix the security problem (for
      other releases adjust accordingly).

      $ ftp ftp.openpkg.org
      ftp> bin
      ftp> cd release/2.4/UPD
      ftp> get pcre-6.0-2.4.1.src.rpm
      ftp> bye
      $ <prefix>/bin/openpkg rpm -v --checksig pcre-6.0-2.4.1.src.rpm
      $ <prefix>/bin/openpkg rpm --rebuild pcre-6.0-2.4.1.src.rpm
      $ su -
      # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/pcre-6.0-2.4.1.*.rpm

      Additionally, we recommend that you rebuild and reinstall
      all dependent packages (see above), too [3][4].

      [1] http://www.pcre.org/
      [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2491
      [3] http://www.openpkg.org/tutorial.html#regular-source
      [4] http://www.openpkg.org/tutorial.html#regular-binary
      [5] ftp://ftp.openpkg.org/release/2.4/UPD/pcre-6.0-2.4.1.src.rpm
      [6] ftp://ftp.openpkg.org/release/2.3/UPD/pcre-5.0-2.3.1.src.rpm
      [7] ftp://ftp.openpkg.org/release/2.4/UPD/
      [8] ftp://ftp.openpkg.org/release/2.3/UPD/
      [9] http://www.openpkg.org/security.html#signature

    For security reasons, this advisory was digitally signed with the
    OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
    OpenPKG project which you can retrieve from http://pgp.openpkg.org and
    hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
    for details on how to verify the integrity of this advisory.

    Comment: OpenPKG <openpkg@openpkg.org>

    -----END PGP SIGNATURE-----

  • Next message: unsecure_at_writeme.com: "USB Lock Auto-Protect v1.5 - Local Password Encryption Weakness"