From marcdeslauriers@videotron.ca Tue Mar 7 18:37:26 2006 From: Marc Deslauriers To: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk Date: Tue, 07 Mar 2006 18:37:55 -0500 Subject: [Full-disclosure] [FLSA-2006:168516] Updated pcre packages fix a security issue --------------------------------------------------------------------- Fedora Legacy Update Advisory Synopsis: Updated pcre packages fix a security issue Advisory ID: FLSA:168516 Issue date: 2006-03-07 Product: Red Hat Linux, Fedora Core Keywords: Bugfix CVE Names: CVE-2005-2491 --------------------------------------------------------------------- --------------------------------------------------------------------- 1. Topic: Updated pcre packages are now available to correct a security issue. PCRE is a Perl-compatible regular expression library. 2. Relevant releases/architectures: Red Hat Linux 7.3 - i386 Red Hat Linux 9 - i386 Fedora Core 1 - i386 Fedora Core 2 - i386 3. Problem description: An integer overflow flaw was found in PCRE, triggered by a maliciously crafted regular expression. On systems that accept arbitrary regular expressions from untrusted users, this could be exploited to execute arbitrary code with the privileges of the application using the library. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-2491 to this issue. Users should update to these erratum packages that contain a backported patch to correct this issue. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. To update all RPMs for your particular architecture, run: rpm -Fvh [filenames] where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs. Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue: yum update or to use apt: apt-get update; apt-get upgrade This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get. 5. Bug IDs fixed: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=168516 6. RPMs required: Red Hat Linux 7.3: SRPM: http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/pcre-3.9-2.1.legacy.src.rpm i386: http://download.fedoralegacy.org/redhat/7.3/updates/i386/pcre-3.9-2.1.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/pcre-devel-3.9-2.1.legacy.i386.rpm Red Hat Linux 9: SRPM: http://download.fedoralegacy.org/redhat/9/updates/SRPMS/pcre-3.9-10.1.legacy.src.rpm i386: http://download.fedoralegacy.org/redhat/9/updates/i386/pcre-3.9-10.1.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/pcre-devel-3.9-10.1.legacy.i386.rpm Fedora Core 1: SRPM: http://download.fedoralegacy.org/fedora/1/updates/SRPMS/pcre-4.4-1.2.legacy.src.rpm i386: http://download.fedoralegacy.org/fedora/1/updates/i386/pcre-4.4-1.2.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/pcre-devel-4.4-1.2.legacy.i386.rpm Fedora Core 2: SRPM: http://download.fedoralegacy.org/fedora/2/updates/SRPMS/pcre-4.5-2.2.legacy.src.rpm i386: http://download.fedoralegacy.org/fedora/2/updates/i386/pcre-4.5-2.2.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/pcre-devel-4.5-2.2.legacy.i386.rpm 7. Verification: SHA1 sum Package Name --------------------------------------------------------------------- 9b641aa989639c706065bafc146d34bb6e282a22 redhat/7.3/updates/i386/pcre-3.9-2.1.legacy.i386.rpm 7d8b094083c7a85991d194d6741a0a664204a19d redhat/7.3/updates/i386/pcre-devel-3.9-2.1.legacy.i386.rpm 9a49145385042483532254fb5d05fae6c3f252f3 redhat/7.3/updates/SRPMS/pcre-3.9-2.1.legacy.src.rpm d876a7f4cdb3a936b2f72fb629fae928d3db6e96 redhat/9/updates/i386/pcre-3.9-10.1.legacy.i386.rpm 9e516b5e44944b25a47171b15c0229423b10f99d redhat/9/updates/i386/pcre-devel-3.9-10.1.legacy.i386.rpm 55de51292b97aacbad6c375b4ad8578561ac5fe3 redhat/9/updates/SRPMS/pcre-3.9-10.1.legacy.src.rpm 4edc206f1e0fc0c3df459b6f8de289f27417974b fedora/1/updates/i386/pcre-4.4-1.2.legacy.i386.rpm 0fcc5801dc238bb1fac0d59b8403e6cdcc72f126 fedora/1/updates/i386/pcre-devel-4.4-1.2.legacy.i386.rpm 57b3a2c5c2bb3435d3c7971daf29c665fb2c1687 fedora/1/updates/SRPMS/pcre-4.4-1.2.legacy.src.rpm bff4b330e8c9a76262020c7ddb2b48f71bf01788 fedora/2/updates/i386/pcre-4.5-2.2.legacy.i386.rpm 8354926500e18905dd94dddc1e6bf44cd236df68 fedora/2/updates/i386/pcre-devel-4.5-2.2.legacy.i386.rpm 9f43e7d484412d93734dfe4b08f87d2ef133100a fedora/2/updates/SRPMS/pcre-4.5-2.2.legacy.src.rpm These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php You can verify each package with the following command: rpm --checksig -v If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command: sha1sum 8. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2491 9. Contact: The Fedora Legacy security contact is . More project details at http://www.fedoralegacy.org --------------------------------------------------------------------- [ Part 1.2, "OpenPGP digital signature" Application/PGP-SIGNATURE ] [ 198bytes. ] [ Unable to print this part. ] [ Part 2: "Attached Text" ] _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/