CVE-2008-2371: heap-based buffer overflow in PCRE

Related Vulnerabilities: CVE-2008-2371  

Debian Bug report logs - #488919

Package: pcre3; Maintainer for pcre3 is Matthew Vernon <matthew@debian.org>;

Reported by: Sebastian Dröge <slomo@circular-chaos.org>

Date: Wed, 2 Jul 2008 04:45:02 UTC

Severity: grave

Tags: patch

Found in version 7.6-2

Fixed in versions pcre3/7.4-1+lenny2, pcre3/7.6-2.1

Done: Nico Golde <nion@debian.org>

Bug is archived. No further changes may be made.

Report forwarded to debian-bugs-dist@lists.debian.org, Mark Baker <mark@mnb.org.uk>:
Bug#488919; Package pcre3.

Acknowledgement sent to Sebastian Dröge <slomo@circular-chaos.org>:
New Bug report received and forwarded. Copy sent to Mark Baker <mark@mnb.org.uk>.

Message #5 received at submit@bugs.debian.org:

From: Sebastian Dröge <slomo@circular-chaos.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2008-2371: heap-based buffer overflow in PCRE
Date: Wed, 02 Jul 2008 06:42:06 +0200
Package: pcre3
Version: 7.6-2
Severity: grave

Hi,
there was a new GLib release yesterday that updates its internal pcre
version to 7.7 because of a fix for CVE-2008-2371:

> * Update to PCRE 7.7
>  - fix a heap-based buffer overflow in PCRE (CVE-2008-2371)

Please get pcre3 updated soonish, thanks :)

Information forwarded to debian-bugs-dist@lists.debian.org, Mark Baker <mark@mnb.org.uk>:
Bug#488919; Package pcre3.

Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to Mark Baker <mark@mnb.org.uk>.

Message #10 received at 488919@bugs.debian.org:

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: control@bugs.debian.org
Cc: 488919@bugs.debian.org
Subject: inform about patch
Date: Sat, 5 Jul 2008 12:26:55 +0200
tags 488919 patch
thanks

Hi

You can find a patch here[0], which is already in use by Gentoo and will be
used by Debian in updates.

Cheers
Steffen

[0]: http://bugs.gentoo.org/attachment.cgi?id=157449

Tags added: patch. Request was from Steffen Joeris <steffen.joeris@skolelinux.de> to control@bugs.debian.org. (Sat, 05 Jul 2008 10:30:05 GMT)


Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility.

Notification sent to Sebastian Dröge <slomo@circular-chaos.org>:
Bug acknowledged by developer.

Message #17 received at 488919-close@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 488919-close@bugs.debian.org
Subject: Bug#488919: fixed in pcre3 7.4-1+lenny2
Date: Sat, 05 Jul 2008 16:17:03 +0000
Source: pcre3
Source-Version: 7.4-1+lenny2

We believe that the bug you reported is fixed in the latest version of
pcre3, which is due to be installed in the Debian FTP archive:

libpcre3-dbg_7.4-1+lenny2_amd64.deb
  to pool/main/p/pcre3/libpcre3-dbg_7.4-1+lenny2_amd64.deb
libpcre3-dev_7.4-1+lenny2_amd64.deb
  to pool/main/p/pcre3/libpcre3-dev_7.4-1+lenny2_amd64.deb
libpcre3-udeb_7.4-1+lenny2_amd64.udeb
  to pool/main/p/pcre3/libpcre3-udeb_7.4-1+lenny2_amd64.udeb
libpcre3_7.4-1+lenny2_amd64.deb
  to pool/main/p/pcre3/libpcre3_7.4-1+lenny2_amd64.deb
libpcrecpp0_7.4-1+lenny2_amd64.deb
  to pool/main/p/pcre3/libpcrecpp0_7.4-1+lenny2_amd64.deb
pcre3_7.4-1+lenny2.diff.gz
  to pool/main/p/pcre3/pcre3_7.4-1+lenny2.diff.gz
pcre3_7.4-1+lenny2.dsc
  to pool/main/p/pcre3/pcre3_7.4-1+lenny2.dsc
pcregrep_7.4-1+lenny2_amd64.deb
  to pool/main/p/pcre3/pcregrep_7.4-1+lenny2_amd64.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 488919@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated pcre3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Sat, 05 Jul 2008 12:58:48 +0200
Source: pcre3
Binary: libpcre3 libpcre3-udeb libpcrecpp0 libpcre3-dev libpcre3-dbg pcregrep
Architecture: source amd64
Version: 7.4-1+lenny2
Distribution: testing-security
Urgency: high
Maintainer: Mark Baker <mark@mnb.org.uk>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 libpcre3   - Perl 5 Compatible Regular Expression Library - runtime files
 libpcre3-dbg - Perl 5 Compatible Regular Expression Library - debug symbols
 libpcre3-dev - Perl 5 Compatible Regular Expression Library - development files
 libpcre3-udeb - Perl 5 Compatible Regular Expression Library - runtime files (udeb)
 libpcrecpp0 - Perl 5 Compatible Regular Expression Library - C++ runtime files
 pcregrep   - grep utility that uses perl 5 compatible regexes.
Closes: 488919
Changes: 
 pcre3 (7.4-1+lenny2) testing-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * This update addresses the following security issue:
     - CVE-2008-2371: heap overflow in the pcre compiler triggered by
       patterns which contain options and multiple branches (Closes: #488919).
Package-Type: udeb

Information forwarded to debian-bugs-dist@lists.debian.org, Mark Baker <mark@mnb.org.uk>:
Bug#488919; Package pcre3.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Mark Baker <mark@mnb.org.uk>.

Message #22 received at 488919@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 488919@bugs.debian.org
Subject: intent to NMU
Date: Mon, 14 Jul 2008 19:23:12 +0200
Hi,
I intend to NMU pcre3 to fix this bug.
debdiff attached and archived on:
http://people.debian.org/~nion/nmu-diff/pcre3-7.6-2_7.6-2.1.patch

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[pcre3-7.6-2_7.6-2.1.patch (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Mark Baker <mark@mnb.org.uk>:
Bug#488919; Package pcre3.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Mark Baker <mark@mnb.org.uk>.

Message #27 received at 488919@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 488919@bugs.debian.org
Subject: updated NMU patch
Date: Mon, 14 Jul 2008 19:54:26 +0200
Hi,
I'll send an updated NMU patch to also fix #489318 and #476925.

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Information forwarded to debian-bugs-dist@lists.debian.org, Mark Baker <mark@mnb.org.uk>:
Bug#488919; Package pcre3.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Mark Baker <mark@mnb.org.uk>.

Message #32 received at 488919@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 488919@bugs.debian.org, 476925@bugs.debian.org, 489318@bugs.debian.org
Subject: intent to NMU
Date: Mon, 14 Jul 2008 20:22:40 +0200
Hi,
I intend to upload an NMU to fix this.
debdiff attached and archived on:
http://people.debian.org/~nion/nmu-diff/pcre3-7.6-2_7.6-2.1.patch

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[pcre3-7.6-2_7.6-2.1.patch (text/x-diff, attachment)]

Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility.

Notification sent to Sebastian Dröge <slomo@circular-chaos.org>:
Bug acknowledged by developer.

Message #37 received at 488919-close@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 488919-close@bugs.debian.org
Subject: Bug#488919: fixed in pcre3 7.6-2.1
Date: Mon, 14 Jul 2008 18:47:07 +0000
Source: pcre3
Source-Version: 7.6-2.1

We believe that the bug you reported is fixed in the latest version of
pcre3, which is due to be installed in the Debian FTP archive:

libpcre3-dbg_7.6-2.1_amd64.deb
  to pool/main/p/pcre3/libpcre3-dbg_7.6-2.1_amd64.deb
libpcre3-dev_7.6-2.1_amd64.deb
  to pool/main/p/pcre3/libpcre3-dev_7.6-2.1_amd64.deb
libpcre3-udeb_7.6-2.1_amd64.udeb
  to pool/main/p/pcre3/libpcre3-udeb_7.6-2.1_amd64.udeb
libpcre3_7.6-2.1_amd64.deb
  to pool/main/p/pcre3/libpcre3_7.6-2.1_amd64.deb
libpcrecpp0_7.6-2.1_amd64.deb
  to pool/main/p/pcre3/libpcrecpp0_7.6-2.1_amd64.deb
pcre3_7.6-2.1.diff.gz
  to pool/main/p/pcre3/pcre3_7.6-2.1.diff.gz
pcre3_7.6-2.1.dsc
  to pool/main/p/pcre3/pcre3_7.6-2.1.dsc
pcregrep_7.6-2.1_amd64.deb
  to pool/main/p/pcre3/pcregrep_7.6-2.1_amd64.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 488919@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated pcre3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Mon, 14 Jul 2008 19:13:11 +0200
Source: pcre3
Binary: libpcre3 libpcre3-udeb libpcrecpp0 libpcre3-dev libpcre3-dbg pcregrep
Architecture: source amd64
Version: 7.6-2.1
Distribution: unstable
Urgency: high
Maintainer: Mark Baker <mark@mnb.org.uk>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 libpcre3   - Perl 5 Compatible Regular Expression Library - runtime files
 libpcre3-dbg - Perl 5 Compatible Regular Expression Library - debug symbols
 libpcre3-dev - Perl 5 Compatible Regular Expression Library - development files
 libpcre3-udeb - Perl 5 Compatible Regular Expression Library - runtime files (udeb)
 libpcrecpp0 - Perl 5 Compatible Regular Expression Library - C++ runtime files
 pcregrep   - grep utility that uses perl 5 compatible regexes.
Closes: 476925 488919 489318
Changes: 
 pcre3 (7.6-2.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Fix heap overflow in the pcre compiler triggered by
     patterns which contain options and multiple branches
     (CVE-2008-2371; Closes: #488919).
   * debian/rules (patch by Bryan Donlan): Update shlibdeps invocation for
     libpcrecpp0 due to new symbols (Closes: #476925).
   * debian/copyright: replace license information with the current license
     information shipped with upstream sources (Closes: #489318).
Package-Type: udeb

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 13 Aug 2008 07:28:19 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:57:47 2019; Machine Name: buxtehude