From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7
Description of problem:
From CAN-2005-2491: "Integer overflow in pcre_compile.c in Perl Compatible Regular Expressions (PCRE) before 6.2, as used in multiple products, allows attackers to execute arbitrary code via quantifier values in regular expressions, which leads to a heap-based buffer overflow."
Version-Release number of selected component (if applicable):
How reproducible: Didn't try
Additional info:
Per David Eisenstein <deisenst>
* pcre library (FL bug already opened: Bugzilla # 168516):
    Ref: Bugzilla 166330 (RHEL) - CAN-2005-2491 PCRE heap overflow
         <https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=166330>
    Ref: RHSA-2005:761 - Moderate: pcre security update
         <http://rhn.redhat.com/errata/RHSA-2005-761.html>
    Ref: FEDORA-2005-802, Fedora Core 3 Update: pcre-4.5-3.1.1.fc3
         Notification at <http://tinyurl.com/ajafx>
    Ref: FEDORA-2005-803, Fedora Core 4 Update: pcre-5.0-4.1.fc4
         Notification at <http://tinyurl.com/cv94u>
    Our affected Packages:
      RH7.3: 265407 Apr 17 2002 pcre-3.9-2.src.rpm
      RH9:   266725 Feb 24 2003 pcre-3.9-10.src.rpm
      FC1:   346767 Oct 28 2003 pcre-4.4-1.src.rpm
      FC2:   355225 May 06 2004 pcre-4.5-2.src.rpm
* python
    Ref: Bugzilla 166335 (RHEL) - CAN-2005-2491 PCRE heap overflow
    Ref: Bugzilla 168318 (FC3) - CAN-2005-2491 PCRE heap overflow
    -- Looks like RH Security team is assessing Python's vulnerability to this. Both Bugzilla items are still open.
    -- FL already has Python Bugzilla, # 152897, for another issue. Maybe we could fold this one in with it, if this is truly a vulnerability.
    Our potentially affected packages:
      RH7.3 updates: 3296238 Feb 12 2003 python-1.5.2-43.73.src.rpm
      RH7.3 updates: 6954498 Feb 12 2003 python2-2.2.2-11.7.3.src.rpm
      RH9:           6968043 Feb 25 2003 python-2.2.2-26.src.rpm
      FC1:           7008684 Jan 06 2004 python-2.2.3-7.src.rpm
      FC2:           7503689 May 07 2004 python-2.3.3-6.src.rpm
"Tiny urls" in the original report resolve respectively to http://www.redhat.com/archives/fedora-announce-list/2005-August/msg00111.html and http://www.redhat.com/archives/fedora-announce-list/2005-August/msg00112.html . These are notifications about updates of PCRE packages and not Python ones. Legacy bug https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152897 is another Python issue and at this moment it is still open.
Contrary to what the title of this report says, that bug affects not only python2.2 (as clearly suggested in the text of the report itself). Currently there are source packages available for RH7.3:
    ftp://ftp.harddata.com/pub/Legacy_packages/python-1.5.2-43.73.1.legacy.src.rpm
    ftp://ftp.harddata.com/pub/Legacy_packages/python2-2.2.2-11.7.3.1.legacy.src.rpm
with patches for CAN-2005-2491. The one for python2 also fixes CAN-2005-0089 (#152897) and other issues. Patches for other packages from other distributions will likely be very similar to the one used in 'python2'. At least 'neat' still works after updates from binaries produced with the above and all the code there doing the real work is written in Python. :-)
Have suggested in Bug #152897 that we also handle the CAN-2005-0089 issue here so we can get both bugs fixed at the same time in the same Bug Report. To that end I have made bug #152897 depend on this one.
FYI: renamed from "python2.2 integer overflow" to "CAN-2005-0089 CAN-2005-2491 python multiple security issues"
*** Bug 152897 has been marked as a duplicate of this bug. ***
This bug also affects FC3. From Bug #168318:
    Comment #1 From David Eisenstein on 2006-02-05 06:27 EST
    --------------------------------------------------------
    "Reassigning to Fedora Legacy. Still not sure if this affects us or not.... Josh, do you know what you all eventually did with this bug for other distros?"
    Comment #2 From Josh Bressers (Security Response Team) on 2006-02-05 08:21 EST
    ------------------------------------------------------------------------------
    "This issue didn't affect FC4, but does affect RHEL. We have an update in progress. Note the ability to exploit this issue is seriously mitigated by how PCRE is used in a python script which processes unsanitized user input."
Should we close #168318 as a DUP of this one so we can track FC3 here also?
Note that RHEL's bug report on the CVE-2005-2491 issue, Bug #166335, is in process with a proposed patch. From that bug:
    Comment #7 From Mihai Ibanescu on 2006-01-20 18:41 EST
    -------------------------------------------------------
    Created an attachment (id=123511) Proposed patch
    Pending testing of patch / unit tests.
Red Hat Linux and Fedora Core releases <=4 are now completely unmaintained. These bugs can't be fixed in these versions. If the issue still persists in current Fedora Core releases, please reopen. Thank you, and sorry about this.