From martin.pitt@canonical.com Tue Aug 23 12:03:15 2005
From: Martin Pitt
To: ubuntu-security-announce@lists.ubuntu.com
Cc: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
Date: Tue, 23 Aug 2005 17:57:13 +0200
Subject: [Full-disclosure] [USN-173-1] PCRE vulnerability

===========================================================
Ubuntu Security Notice USN-173-1            August 23, 2005
pcre3 vulnerability
CAN-2005-2491
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)

The following packages are affected:

libpcre3

The problem can be corrected by upgrading the affected package to
version 4.5-1.1ubuntu0.4.10 (for Ubuntu 4.10), or 4.5-1.1ubuntu0.5.04
(for Ubuntu 5.04).

A standard system upgrade is NOT SUFFICIENT to effect the necessary
changes! If you can afford to reboot your machine, this is the easiest
way to ensure that all services using this library are restarted
correctly. If not, please manually restart all server processes (exim,
Apache, PHP, etc.). It is advised to also restart your desktop session.

Details follow:

A buffer overflow has been discovered in PCRE, a widely used library
that provides Perl compatible regular expressions. Specially crafted
regular expressions triggered a buffer overflow. On systems that accept
arbitrary regular expressions from untrusted users, this could be
exploited to execute arbitrary code with the privileges of the
application using the library.

Updated packages for Ubuntu 4.10 (Warty Warthog):

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/pcre3_4.5-1.1ubuntu0.4.10.diff.gz
      Size/MD5: 183474 72d65636bfd4af6836fc8472f1fe3c78
    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/pcre3_4.5-1.1ubuntu0.4.10.dsc
      Size/MD5: 607 8846bc461afedca938a709ead2891fcd
    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/pcre3_4.5.orig.tar.gz
      Size/MD5: 476057 a58971177114a3b7a5da0e5a89a43c96

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/universe/p/pcre3/pgrep_4.5-1.1ubuntu0.4.10_all.deb
      Size/MD5: 774 52a52c15ff0ab0928dfb47080f40a5f0

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3-dev_4.5-1.1ubuntu0.4.10_amd64.deb
      Size/MD5: 106736 62013edb6bc2ca7ae96d3739aac0e84b
    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3_4.5-1.1ubuntu0.4.10_amd64.deb
      Size/MD5: 106922 ea42ff8f246928c0998c5f35155fba21
    http://security.ubuntu.com/ubuntu/pool/universe/p/pcre3/pcregrep_4.5-1.1ubuntu0.4.10_amd64.deb
      Size/MD5: 9160 d801a4aec0c0591c8087ee3c80d83466

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3-dev_4.5-1.1ubuntu0.4.10_i386.deb
      Size/MD5: 105130 63b585816a99b0fa1a7696fabee272e5
    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3_4.5-1.1ubuntu0.4.10_i386.deb
      Size/MD5: 106736 37c7df39e6bfac99fd5d82525836d0b2
    http://security.ubuntu.com/ubuntu/pool/universe/p/pcre3/pcregrep_4.5-1.1ubuntu0.4.10_i386.deb
      Size/MD5: 8446 2cef77c4bfe564260e60dbcc429df54b

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3-dev_4.5-1.1ubuntu0.4.10_powerpc.deb
      Size/MD5: 111116 67a137cc04696da087beaf665e9a7e4e
    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3_4.5-1.1ubuntu0.4.10_powerpc.deb
      Size/MD5: 109812 7c687f390b65d20143cafa73fb4fc5ab
    http://security.ubuntu.com/ubuntu/pool/universe/p/pcre3/pcregrep_4.5-1.1ubuntu0.4.10_powerpc.deb
      Size/MD5: 10680 c88971b34f540193e28019d7801c768c

Updated packages for Ubuntu 5.04 (Hoary Hedgehog):

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/pcre3_4.5-1.1ubuntu0.5.04.diff.gz
      Size/MD5: 183473 dbc61833e0c2e671c9d5316551640e20
    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/pcre3_4.5-1.1ubuntu0.5.04.dsc
      Size/MD5: 607 9556aec130df9a17c835293a4b569f53
    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/pcre3_4.5.orig.tar.gz
      Size/MD5: 476057 a58971177114a3b7a5da0e5a89a43c96

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/universe/p/pcre3/pgrep_4.5-1.1ubuntu0.5.04_all.deb
      Size/MD5: 776 e28108b81e46c153e9d13cb142a0ee55

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3-dev_4.5-1.1ubuntu0.5.04_amd64.deb
      Size/MD5: 106726 1cd55307ab68b857a30a9d914a6b0f34
    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3_4.5-1.1ubuntu0.5.04_amd64.deb
      Size/MD5: 106956 a0b218c184b61f087674603fb76977ec
    http://security.ubuntu.com/ubuntu/pool/universe/p/pcre3/pcregrep_4.5-1.1ubuntu0.5.04_amd64.deb
      Size/MD5: 9168 07caef2f35532ff156adc7ad9980712b

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3-dev_4.5-1.1ubuntu0.5.04_i386.deb
      Size/MD5: 105150 e93cb7c4fd77b1f61b56aa6bd606fb0c
    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3_4.5-1.1ubuntu0.5.04_i386.deb
      Size/MD5: 106674 0b590cd8855d69ae39f5fde1f2afda2e
    http://security.ubuntu.com/ubuntu/pool/universe/p/pcre3/pcregrep_4.5-1.1ubuntu0.5.04_i386.deb
      Size/MD5: 8402 19f13b0338fc508f29bcb4fbd7004281

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3-dev_4.5-1.1ubuntu0.5.04_powerpc.deb
      Size/MD5: 111110 3f9152da5f123399c2b9c0e9c33a94c5
    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3_4.5-1.1ubuntu0.5.04_powerpc.deb
      Size/MD5: 109862 2c5aa546b1e3c69473443e341d661c15
    http://security.ubuntu.com/ubuntu/pool/universe/p/pcre3/pcregrep_4.5-1.1ubuntu0.5.04_powerpc.deb
      Size/MD5: 10666 5d460aa1007800c2be8d88be03f9b0d9
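
The advisory states that a standard upgrade is not sufficient because running services keep the old library loaded until they are restarted. The following is an added example, not part of USN-173-1 or of Ubuntu's tooling, that lists processes still mapping a replaced copy of libpcre. It assumes a Linux /proc where an unlinked but still mapped library appears in /proc/<pid>/maps with a " (deleted)" suffix; the function names, sample PIDs, process names and library file name are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of USN-173-1): find processes that still map the
# pre-upgrade libpcre and therefore still need the restart the notice asks for.
# Assumption: Linux /proc; a library that was replaced on disk but is still
# mapped shows up in /proc/<pid>/maps with " (deleted)" after its path.

# stale_pcre_pids [PROC_ROOT]
# Prints "PID NAME" for each process whose maps list a deleted libpcre.
# PROC_ROOT defaults to /proc; it is a parameter so the check can be tested.
stale_pcre_pids() {
    proc_root="${1:-/proc}"
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue      # glob did not match, or no permission
        if grep -Eq '/libpcre\.so[^ ]* \(deleted\)$' "$maps" 2>/dev/null; then
            pid_dir="${maps%/maps}"
            pid="${pid_dir##*/}"
            name="unknown"              # comm is absent on older kernels
            [ -r "$pid_dir/comm" ] && name="$(cat "$pid_dir/comm" 2>/dev/null)"
            printf '%s %s\n' "$pid" "$name"
        fi
    done
}

# build_sample_proc DIR
# Constructed sample data (not real output): PID 101 was not restarted and
# still maps the old library; PID 202 was restarted and maps the new file.
build_sample_proc() {
    mkdir -p "$1/101" "$1/202"
    echo "apache2" > "$1/101/comm"
    echo "exim4"   > "$1/202/comm"
    cat > "$1/101/maps" <<'EOF'
b7e00000-b7e1a000 r-xp 00000000 08:01 1234 /usr/lib/libpcre.so.3.10.0 (deleted)
b7f00000-b7f20000 r-xp 00000000 08:01 5678 /lib/libc-2.3.2.so
EOF
    cat > "$1/202/maps" <<'EOF'
b7e00000-b7e1a000 r-xp 00000000 08:01 9012 /usr/lib/libpcre.so.3.10.0
b7f00000-b7f20000 r-xp 00000000 08:01 5678 /lib/libc-2.3.2.so
EOF
}
```

Run `stale_pcre_pids` as root after installing the fixed package; an empty result means no readable process still maps the old library.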