Debian Bug report logs - #488919
CVE-2008-2371: heap-based buffer overflow in PCRE
Reported by: Sebastian Dröge <slomo@circular-chaos.org>
Date: Wed, 2 Jul 2008 04:45:02 UTC
Severity: grave
Tags: patch
Found in version 7.6-2
Fixed in versions pcre3/7.4-1+lenny2, pcre3/7.6-2.1
Done: Nico Golde <nion@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Mark Baker <mark@mnb.org.uk>: Bug#488919; Package pcre3.
Acknowledgement sent to Sebastian Dröge <slomo@circular-chaos.org>: New Bug report received and forwarded. Copy sent to Mark Baker <mark@mnb.org.uk>.
Message #5 received at submit@bugs.debian.org:
Package: pcre3
Version: 7.6-2
Severity: grave
Hi,
there was a new GLib release yesterday that updates its internal pcre
version to 7.7 because of a fix for CVE-2008-2371:
> * Update to PCRE 7.7
> - fix a heap-based buffer overflow in PCRE (CVE-2008-2371)
Please get pcre3 updated soonish, thanks :)
Information forwarded to debian-bugs-dist@lists.debian.org, Mark Baker <mark@mnb.org.uk>: Bug#488919; Package pcre3.
Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>: Extra info received and forwarded to list. Copy sent to Mark Baker <mark@mnb.org.uk>.
Message #10 received at 488919@bugs.debian.org:
tags 488919 patch
thanks
Hi
You can find a patch here[0], which is already in use by gentoo and will be
used by debian in updates.
Cheers
Steffen
[0]: http://bugs.gentoo.org/attachment.cgi?id=157449
Tags added: patch
Request was from Steffen Joeris <steffen.joeris@skolelinux.de> to control@bugs.debian.org (Sat, 05 Jul 2008 10:30:05 GMT).
Reply sent to Nico Golde <nion@debian.org>: You have taken responsibility.
Notification sent to Sebastian Dröge <slomo@circular-chaos.org>: Bug acknowledged by developer.
Message #17 received at 488919-close@bugs.debian.org:
Source: pcre3
Source-Version: 7.4-1+lenny2
We believe that the bug you reported is fixed in the latest version of
pcre3, which is due to be installed in the Debian FTP archive:
libpcre3-dbg_7.4-1+lenny2_amd64.deb
to pool/main/p/pcre3/libpcre3-dbg_7.4-1+lenny2_amd64.deb
libpcre3-dev_7.4-1+lenny2_amd64.deb
to pool/main/p/pcre3/libpcre3-dev_7.4-1+lenny2_amd64.deb
libpcre3-udeb_7.4-1+lenny2_amd64.udeb
to pool/main/p/pcre3/libpcre3-udeb_7.4-1+lenny2_amd64.udeb
libpcre3_7.4-1+lenny2_amd64.deb
to pool/main/p/pcre3/libpcre3_7.4-1+lenny2_amd64.deb
libpcrecpp0_7.4-1+lenny2_amd64.deb
to pool/main/p/pcre3/libpcrecpp0_7.4-1+lenny2_amd64.deb
pcre3_7.4-1+lenny2.diff.gz
to pool/main/p/pcre3/pcre3_7.4-1+lenny2.diff.gz
pcre3_7.4-1+lenny2.dsc
to pool/main/p/pcre3/pcre3_7.4-1+lenny2.dsc
pcregrep_7.4-1+lenny2_amd64.deb
to pool/main/p/pcre3/pcregrep_7.4-1+lenny2_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 488919@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated pcre3 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sat, 05 Jul 2008 12:58:48 +0200
Source: pcre3
Binary: libpcre3 libpcre3-udeb libpcrecpp0 libpcre3-dev libpcre3-dbg pcregrep
Architecture: source amd64
Version: 7.4-1+lenny2
Distribution: testing-security
Urgency: high
Maintainer: Mark Baker <mark@mnb.org.uk>
Changed-By: Nico Golde <nion@debian.org>
Description:
libpcre3 - Perl 5 Compatible Regular Expression Library - runtime files
libpcre3-dbg - Perl 5 Compatible Regular Expression Library - debug symbols
libpcre3-dev - Perl 5 Compatible Regular Expression Library - development files
libpcre3-udeb - Perl 5 Compatible Regular Expression Library - runtime files (ude (udeb)
libpcrecpp0 - Perl 5 Compatible Regular Expression Library - C++ runtime files
pcregrep - grep utility that uses perl 5 compatible regexes.
Closes: 488919
Changes:
pcre3 (7.4-1+lenny2) testing-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* This update addresses the following security issue:
- CVE-2008-2371: heap overflow in the pcre compiler triggered by
patterns which contain options and multiple branches (Closes: #488919).
Package-Type: udeb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkhvXVAACgkQHYflSXNkfP+zzACgniuiCbb6mVrERCYia8LoT63I
j8UAoKgdcZ7trsNrgxh8Pf0q0HHXp7Zc
=KQoO
-----END PGP SIGNATURE-----
Information forwarded to debian-bugs-dist@lists.debian.org, Mark Baker <mark@mnb.org.uk>: Bug#488919; Package pcre3.
Acknowledgement sent to Nico Golde <nion@debian.org>: Extra info received and forwarded to list. Copy sent to Mark Baker <mark@mnb.org.uk>.
Message #22 received at 488919@bugs.debian.org:
Hi,
I intend to NMU pcre3 to fix this bug.
debdiff attached and archived on:
http://people.debian.org/~nion/nmu-diff/pcre3-7.6-2_7.6-2.1.patch
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[pcre3-7.6-2_7.6-2.1.patch (text/x-diff, attachment)]
Information forwarded to debian-bugs-dist@lists.debian.org, Mark Baker <mark@mnb.org.uk>: Bug#488919; Package pcre3.
Acknowledgement sent to Nico Golde <nion@debian.org>: Extra info received and forwarded to list. Copy sent to Mark Baker <mark@mnb.org.uk>.
Message #27 received at 488919@bugs.debian.org:
Hi,
I'll send an updated NMU patch to also fix #489318 and
#476925.
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Information forwarded to debian-bugs-dist@lists.debian.org, Mark Baker <mark@mnb.org.uk>: Bug#488919; Package pcre3.
Acknowledgement sent to Nico Golde <nion@debian.org>: Extra info received and forwarded to list. Copy sent to Mark Baker <mark@mnb.org.uk>.
Message #32 received at 488919@bugs.debian.org:
Hi,
I intend to upload an NMU to fix this.
debdiff attached and archived on:
http://people.debian.org/~nion/nmu-diff/pcre3-7.6-2_7.6-2.1.patch
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[pcre3-7.6-2_7.6-2.1.patch (text/x-diff, attachment)]
Reply sent to Nico Golde <nion@debian.org>: You have taken responsibility.
Notification sent to Sebastian Dröge <slomo@circular-chaos.org>: Bug acknowledged by developer.
Message #37 received at 488919-close@bugs.debian.org:
Source: pcre3
Source-Version: 7.6-2.1
We believe that the bug you reported is fixed in the latest version of
pcre3, which is due to be installed in the Debian FTP archive:
libpcre3-dbg_7.6-2.1_amd64.deb
to pool/main/p/pcre3/libpcre3-dbg_7.6-2.1_amd64.deb
libpcre3-dev_7.6-2.1_amd64.deb
to pool/main/p/pcre3/libpcre3-dev_7.6-2.1_amd64.deb
libpcre3-udeb_7.6-2.1_amd64.udeb
to pool/main/p/pcre3/libpcre3-udeb_7.6-2.1_amd64.udeb
libpcre3_7.6-2.1_amd64.deb
to pool/main/p/pcre3/libpcre3_7.6-2.1_amd64.deb
libpcrecpp0_7.6-2.1_amd64.deb
to pool/main/p/pcre3/libpcrecpp0_7.6-2.1_amd64.deb
pcre3_7.6-2.1.diff.gz
to pool/main/p/pcre3/pcre3_7.6-2.1.diff.gz
pcre3_7.6-2.1.dsc
to pool/main/p/pcre3/pcre3_7.6-2.1.dsc
pcregrep_7.6-2.1_amd64.deb
to pool/main/p/pcre3/pcregrep_7.6-2.1_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 488919@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated pcre3 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Mon, 14 Jul 2008 19:13:11 +0200
Source: pcre3
Binary: libpcre3 libpcre3-udeb libpcrecpp0 libpcre3-dev libpcre3-dbg pcregrep
Architecture: source amd64
Version: 7.6-2.1
Distribution: unstable
Urgency: high
Maintainer: Mark Baker <mark@mnb.org.uk>
Changed-By: Nico Golde <nion@debian.org>
Description:
libpcre3 - Perl 5 Compatible Regular Expression Library - runtime files
libpcre3-dbg - Perl 5 Compatible Regular Expression Library - debug symbols
libpcre3-dev - Perl 5 Compatible Regular Expression Library - development files
libpcre3-udeb - Perl 5 Compatible Regular Expression Library - runtime files (ude (udeb)
libpcrecpp0 - Perl 5 Compatible Regular Expression Library - C++ runtime files
pcregrep - grep utility that uses perl 5 compatible regexes.
Closes: 476925 488919 489318
Changes:
pcre3 (7.6-2.1) unstable; urgency=high
.
* Non-maintainer upload.
* Fix heap overflow in the pcre compiler triggered by
patterns which contain options and multiple branches
(CVE-2008-2371; Closes: #488919).
* debian/rules (patch by Bryan Donlan): Update shlibdeps invocation for
libpcrecpp0 due to new symbols (Closes: #476925).
* debian/copyright: replace license information with the current license
information shipped with upstream sources (Closes: #489318).
Package-Type: udeb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkh7mXcACgkQHYflSXNkfP9wVwCfbGyzN3BGOGYh/DOWbNKKdB9/
j/MAoJ4iwLWY66bPnCkbTXghxml5i3wU
=/WRC
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org (Wed, 13 Aug 2008 07:28:19 GMT).
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Jun 19 17:57:47 2019; Machine Name: buxtehude