Bug 168516 - pcre - CAN-2005-2491 heap buffer overflow
Status: CLOSED ERRATA
Product: Fedora Legacy
Classification: Retired
Component: pcre
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Fedora Legacy Bugs
LEGACY, rh73, rh90, 1, 2
Keywords: Security
Reported: 2005-09-16 15:24 EDT by Michal Jaegermann
Modified: 2007-04-18 13:31 EDT (History)
Doc Type: Bug Fix
Last Closed: 2006-03-07 18:30:49 EST
Attachments
pcre-4.5-CAN-2005-2491.patch fixed for pcre-3.9 (1.29 KB, patch), 2005-10-21 06:28 EDT, Leonard den Ottolander
Description Michal Jaegermann 2005-09-16 15:24:46 EDT
Description of problem:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=166330
details problems with pcre and their possible impact.  See also
http://rhn.redhat.com/errata/RHSA-2005-761.html

Sources for pcre-3.9-10.2 from RHEL3 updates recompile and work at least
on RH7.3 without any changes save a release identifier.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=166330#c4 lists also
other fixed versions.
Comment 1 John Dalbec 2005-09-20 09:51:13 EDT
@RISK digest says:
05.34.8 CVE: CAN-2005-2491
Platform: Unix
Title: PCRE Regular Expression Heap Overflow
Description: PCRE is a set of functions that implement regular
expression pattern matching using the same syntax and semantics as
Perl 5. PCRE is prone to a heap overflow vulnerability. This issue is
due to a failure of the library to properly bounds check user-supplied
data contained in a regular expression, resulting in the possibility
of overflowing the destination heap buffer. PCRE versions 6.1 and
earlier are vulnerable.
Ref: http://www.securityfocus.com/bid/14620 
Comment 2 Leonard den Ottolander 2005-10-21 06:28:29 EDT
Created attachment 120245 [details]
pcre-4.5-CAN-2005-2491.patch fixed for pcre-3.9

All that needs to be done to the 4.5 patch is substituting "digittab[*p]" for
"cd->ctypes[*p]".
Comment 3 Leonard den Ottolander 2005-10-28 07:25:37 EDT
Packages fixing CAN-2005-2491 can be found at
http://www.ottolander.nl/opensource/rpms/rh73 and
http://www.ottolander.nl/opensource/srpms/rh73 .

a85ccb3a38d8ad06a24d4e4c447514b1  pcre-3.9-3.i386.rpm
77460f9e7e5b5b40b8a75c4d531fa3f3  pcre-devel-3.9-3.i386.rpm
219e5cb99872310ff160b6ea7f486d3b  pcre-3.9-3.src.rpm

* Fri Oct 28 2005 Leonard den Ottolander <leonard agromisa org>
3.9-3
- Fix CAN-2005-2491
Comment 4 Pekka Savola 2005-10-29 02:17:39 EDT
We'll need proposed packages for other distros as well.
Comment 5 Marc Deslauriers 2006-02-20 18:57:43 EST
Here are updated packages to QA:

7ff26b34f64b7dbafe683e957e0c2845fc5aa437  9/pcre-3.9-10.1.legacy.src.rpm
5731669c83e59ebb319e143ec91c8b6b48d0e599  1/pcre-4.4-1.1.legacy.src.rpm
fc16ddc2e3b5675ed7084b81ffda97f452a011a0  2/pcre-4.5-2.1.legacy.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/9/pcre-3.9-10.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/pcre-4.4-1.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/2/pcre-4.5-2.1.legacy.src.rpm

Comment 6 Pekka Savola 2006-02-21 01:53:05 EST
QA w/ rpm-build-compare.sh:
 - source integrity good
 - spec file changes minimal
 - patches verified to come or be similar to RHEL
 
Note: ".legacy" should be added to RHL73 package name at build time.
 
+PUBLISH RHL73, RHL9, FC1, FC2
 
2312a89480afaed207d9bdea664041e1e3dc093b  pcre-3.9-3.src.rpm
7ff26b34f64b7dbafe683e957e0c2845fc5aa437  pcre-3.9-10.1.legacy.src.rpm
5731669c83e59ebb319e143ec91c8b6b48d0e599  pcre-4.4-1.1.legacy.src.rpm
fc16ddc2e3b5675ed7084b81ffda97f452a011a0  pcre-4.5-2.1.legacy.src.rpm
Comment 7 Marc Deslauriers 2006-02-26 11:05:39 EST
Packages were released to updates-testing
Comment 8 Tres Seaver 2006-02-26 14:46:24 EST
Packages tested:

  4edc206f1e0fc0c3df459b6f8de289f27417974b  pcre-4.4-1.2.legacy.i386.rpm
  0fcc5801dc238bb1fac0d59b8403e6cdcc72f126  pcre-devel-4.4-1.2.legacy.i386.rpm

  - SHA1 checksums and GPG signatures verified.
  - Packages installed cleanly.
  - Tested pcregrep before and after, with identical results.

+VERIFY FC1
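The QA step reported above (checking the posted SHA1 sums and the RPM signatures before a package is verified) as an added shell example; this is not code from the bug report or from Fedora Legacy, and the manifest format it reads is the "<sha1>  <file>" layout used in the comments, with file names and paths being placeholders.

```shell
#!/bin/sh
# Added example: re-check a QA manifest of "<sha1>  <file>" lines against local
# copies of the packages, the way a Fedora Legacy verifier would before +VERIFY.
#
# verify_manifest MANIFEST DIR
# Returns 0 only if every listed file exists under DIR and its SHA-1 matches.
# Files ending in .rpm additionally get their GPG signature checked with
# "rpm -K" when the rpm tool is installed (otherwise a note is printed).
verify_manifest() {
    manifest=$1
    dir=$2
    bad=0
    # read strips the leading spaces the comments use and splits on whitespace
    while read -r expected file; do
        [ -z "$expected" ] && continue          # skip blank lines
        path="$dir/$file"
        if [ ! -f "$path" ]; then
            echo "MISSING  $file"
            bad=1
            continue
        fi
        actual=$(sha1sum "$path" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "MISMATCH $file (expected $expected, got $actual)"
            bad=1
            continue
        fi
        echo "OK       $file"
        case "$file" in
            *.rpm)
                if command -v rpm >/dev/null 2>&1; then
                    # rpm -K exits non-zero if the signature is missing, unknown or bad
                    rpm -K "$path" >/dev/null 2>&1 || { echo "BADSIG   $file"; bad=1; }
                else
                    echo "NOTE     rpm not installed, signature of $file not checked"
                fi
                ;;
        esac
    done < "$manifest"
    return $bad
}
```

A manifest can be pasted straight from a comment; the signer's key must already be imported for `rpm -K` to report OK.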
Comment 9 Pekka Savola 2006-02-27 01:31:18 EST
Thanks!
Comment 10 Pekka Savola 2006-03-01 02:41:54 EST
QA for RHL9.  Signatures OK, upgrades OK.
Tested grep which depends on this, works OK.
 
+VERIFY RHL9

Timeout shortened to 1 week
Comment 11 Pekka Savola 2006-03-07 02:02:03 EST
Timeout over.
Comment 12 Jim Popovitch 2006-03-07 08:09:04 EST
VERIFY++ RH73

Works without any noticeable errors/concerns.

9b641aa989639c706065bafc146d34bb6e282a22   pcre-3.9-2.1.legacy.i386.rpm
Comment 13 Marc Deslauriers 2006-03-07 18:30:49 EST
Packages were released to updates.