Mandriva: Updated pcre packages fix vulnerability - The Community's Center for Security


The central voice for Linux and Open Source security news

Welcome!

Sign up!

EnGarde Community

Polls

How strictly do your users obey your security policies?

	To the letter.
	For the most part.
	When it suits them.
	By chance.
	Not at all.

Advisories

Community

Linux Events

Linux User Groups

Link to Us

Security Center

Book Reviews

Security Dictionary

Security Tips

SELinux

White Papers

Featured Blogs

Emily Ratliff: OS Security

DanWalsh LiveJournal

Security Bloggers Network

Latest Newsletters

Linux Security Week: December 1st, 2008

Linux Advisory Watch: November 28th, 2008

LinuxSecurity Newsletters

RSS Feeds

Get the LinuxSecurity news you want faster with RSS

Mandriva: Updated pcre packages fix vulnerability

User Rating:

How can I rate this item?

Posted by Benjamin D. Thomas

Tavis Ormandy of the Google Security Team discovered a heap-based buffer overflow when compiling certain regular expression patterns. This could be used by a malicious attacker by sending a specially crafted regular expression to an application using the PCRE library, resulting in the possible execution of arbitrary code or a denial of service (CVE-2008-2371). The updated packages have been patched to correct this issue.

 _______________________________________________________________________
 
 Mandriva Linux Security Advisory                         MDVSA-2008:147
 http://www.mandriva.com/security/
 _______________________________________________________________________
 
 Package : pcre
 Date    : July 15, 2008
 Affected: 2007.1, 2008.0, 2008.1
 _______________________________________________________________________
 
 Problem Description:
 
 Tavis Ormandy of the Google Security Team discovered a heap-based
 buffer overflow when compiling certain regular expression patterns.
 This could be used by a malicious attacker by sending a specially
 crafted regular expression to an application using the PCRE library,
 resulting in the possible execution of arbitrary code or a denial of
 service (CVE-2008-2371).
 
 The updated packages have been patched to correct this issue.
 _______________________________________________________________________

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2371
 _______________________________________________________________________
 
 Updated Packages:
 
 Mandriva Linux 2007.1:
 a3e3934cb41d04b4a15a3e50d884abbc  2007.1/i586/libpcre0-7.3-0.3mdv2007.1.i586.rpm
 fca86a5adfb2c972f4adb2b99990f3a8  2007.1/i586/libpcre-devel-7.3-0.3mdv2007.1.i586.rpm
 7d81a63b51aea4b3d3385ac5d03f9d69  2007.1/i586/pcre-7.3-0.3mdv2007.1.i586.rpm 
 c258d42150bf39a9f4175b9d17a336cd  2007.1/SRPMS/pcre-7.3-0.3mdv2007.1.src.rpm

 Mandriva Linux 2007.1/X86_64:
 af61b2559878c624ec2c8f293e221fd8  2007.1/x86_64/lib64pcre0-7.3-0.3mdv2007.1.x86_64.rpm
 8be415d8476a87a8994e84db6188395d  2007.1/x86_64/lib64pcre-devel-7.3-0.3mdv2007.1.x86_64.rpm
 4d9fd3c6fbbda0e7e2c6bac3c865ec8d  2007.1/x86_64/pcre-7.3-0.3mdv2007.1.x86_64.rpm 
 c258d42150bf39a9f4175b9d17a336cd  2007.1/SRPMS/pcre-7.3-0.3mdv2007.1.src.rpm

 Mandriva Linux 2008.0:
 1c21e71318e14c7362eb673f3d4d4a7e  2008.0/i586/libpcre0-7.3-1.2mdv2008.0.i586.rpm
 d36505e192f28cfd9f4242df50c0e1d1  2008.0/i586/libpcre-devel-7.3-1.2mdv2008.0.i586.rpm
 9ae42fd97fa6dbb0834eae3fe80186fc  2008.0/i586/pcre-7.3-1.2mdv2008.0.i586.rpm 
 3aed84571823dcc78347c5578de8c3ab  2008.0/SRPMS/pcre-7.3-1.2mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 622f55bf529e5c2a657d871a7e1b45d6  2008.0/x86_64/lib64pcre0-7.3-1.2mdv2008.0.x86_64.rpm
 115746711305143d1be0025478bfccfe  2008.0/x86_64/lib64pcre-devel-7.3-1.2mdv2008.0.x86_64.rpm
 c5eced7185fa66c92753d0e54078fa3a  2008.0/x86_64/pcre-7.3-1.2mdv2008.0.x86_64.rpm 
 3aed84571823dcc78347c5578de8c3ab  2008.0/SRPMS/pcre-7.3-1.2mdv2008.0.src.rpm

 Mandriva Linux 2008.1:
 45e7f158494fe2f9cd2b3be3dc4f9c30  2008.1/i586/libpcre0-7.6-2.1mdv2008.1.i586.rpm
 64a7ebd228c824f0eeabfc1de2f3af8f  2008.1/i586/libpcre-devel-7.6-2.1mdv2008.1.i586.rpm
 0637ebeb63a52ff1c6675e6a185aed54  2008.1/i586/pcre-7.6-2.1mdv2008.1.i586.rpm 
 aa16262a74bf569d8184328334bb480c  2008.1/SRPMS/pcre-7.6-2.1mdv2008.1.src.rpm

 Mandriva Linux 2008.1/X86_64:
 4180d16683a363b7d912bd9af780e4fc  2008.1/x86_64/lib64pcre0-7.6-2.1mdv2008.1.x86_64.rpm
 5cc4e7a0297942f840c000d52b44e93a  2008.1/x86_64/lib64pcre-devel-7.6-2.1mdv2008.1.x86_64.rpm
 70251c4bcaf5847c0c4ff6e534bc30cf  2008.1/x86_64/pcre-7.6-2.1mdv2008.1.x86_64.rpm 
 aa16262a74bf569d8184328334bb480c  2008.1/SRPMS/pcre-7.6-2.1mdv2008.1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team

< Prev		Next >

Partner:

Latest Features

A Secure Nagios Server

Never Installed a Firewall on Ubuntu? Try Firestarter

Review: Hacking Exposed Linux, Third Edition

Security Features of Firefox 3.0

Review: The Book of Wireless

April 2008 Open Source Tool of the Month: sudo

Open Source Tool of March: ZoneMinder

Yesterday's Edition

Linux Role in Botnets Studied

10 Mistakes New Linux Administrators Make

QuickLinks: Comunity , HOWTOs , Blogs , Features , Book Reviews , Networking ,
Security Projects , Latest News , Newsletters , SELinux , Privacy , Home,
Hardening , About Us, Advertise, Legal Notice, RSS, Guardian Digital