Bug 431660 (CVE-2008-0674)

Summary: CVE-2008-0674 pcre: buffer overflow via large UTF-8 character class
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: kasal, mclasen
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: 7.3-3.fc7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-03-06 16:37:07 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 431676, 431677, 431678, 431679, 431680    
Bug Blocks:    
Attachments:
Description Flags
Probable patch none

Description Tomas Hoger 2008-02-06 08:58:26 UTC 
PCRE 7.6 fixed following bug:

1.  A character class containing a very large number of characters with
    codepoints greater than 255 (in UTF-8 mode, of course) caused a buffer
    overflow.

(http://pcre.org/changelog.txt)
Comment 2 Tomas Hoger 2008-02-06 09:15:21 UTC 
Created attachment 294082 [details]
Probable patch

Diff between 7.5 and 7.6 stripped to what seems to be a patch for this issue.
Comment 6 Tomas Hoger 2008-02-06 14:27:52 UTC 
This issue only affects PCRE versions 7.0 and newer.

PCRE versions as shipped in Red Hat Enterprise Linux 2.1, 3, 4 and 5 are not
affected.
Comment 7 Fedora Update System 2008-02-13 05:02:04 UTC 
glib2-2.14.6-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2008-02-15 16:26:42 UTC 
pcre-7.3-3.fc8 has been submitted as an update for Fedora 8
Comment 9 Fedora Update System 2008-02-15 16:34:46 UTC 
pcre-7.3-3.fc7 has been submitted as an update for Fedora 7
Comment 10 Fedora Update System 2008-02-19 03:14:43 UTC 
pcre-7.3-3.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2008-02-19 03:20:29 UTC 
pcre-7.3-3.fc7 has been pushed to the Fedora 7 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update pcre'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F7/FEDORA-2008-1842
Comment 12 Fedora Update System 2008-03-06 16:36:36 UTC 
pcre-7.3-3.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.