|
|
From: Slackware Security Team <security@slackware.com>
To: slackware-security@slackware.com
Subject: [slackware-security] PCRE library (SSA:2005-242-01)
Date: Tue, 30 Aug 2005 15:53:53 -0700 (PDT) |
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[slackware-security] PCRE library (SSA:2005-242-01)
New PCRE packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1,
and -current to fix a security issue. A buffer overflow could be triggered
by a specially crafted regular expression. Any applications that use PCRE
to process untrusted regular expressions may be exploited to run arbitrary
code as the user running the application.
The PCRE library is also provided in an initial installation by the
aaa_elflibs package, so if your system has a /usr/lib/libpcre.so.0 symlink,
then you should install this updated package even if the PCRE package itself
is not installed on the system.
More details about this issue may be found in the Common
Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2491
Here are the details from the Slackware 10.1 ChangeLog:
+--------------------------+
patches/packages/pcre-6.3-i486-1.tgz: Upgraded to pcre-6.3.
This fixes a buffer overflow that could be triggered by the processing of a
specially crafted regular expression. Theoretically this could be a security
issue if regular expressions are accepted from untrusted users to be
processed by a user with greater privileges, but this doesn't seem like a
common scenario (or, for that matter, a good idea). However, if you are
using an application that links to the shared PCRE library and accepts
outside input in such a manner, you will want to update to this new package.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2491
(* Security fix *)
+--------------------------+
Where to find the new packages:
+-----------------------------+
Updated package for Slackware 8.1:
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/pcre-6.3-i386-1.tgz
Updated package for Slackware 9.0:
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/pcre-6.3-i386-1.tgz
Updated package for Slackware 9.1:
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/pcre-6.3-i486-1.tgz
Updated package for Slackware 10.0:
ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/pcre-6.3-i486-1.tgz
Updated package for Slackware 10.1:
ftp://ftp.slackware.com/pub/slackware/slackware-10.1/patches/packages/pcre-6.3-i486-1.tgz
Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/l/pcre-6.3-i486-1.tgz
MD5 signatures:
+-------------+
Slackware 8.1 package:
6d4ea9a84341297ebb86a3d218ee6520 pcre-6.3-i386-1.tgz
Slackware 9.0 package:
539769e82bb6e03db449f4154d557e36 pcre-6.3-i386-1.tgz
Slackware 9.1 package:
bb49c4be6ba9c8ed19d4be7997da065a pcre-6.3-i486-1.tgz
Slackware 10.0 package:
591c6fce5c0084f668bab1ea3ada4ebe pcre-6.3-i486-1.tgz
Slackware 10.1 package:
8f5f604fd35876d397d4e2d4e4fe83a1 pcre-6.3-i486-1.tgz
Slackware -current package:
c699044b38a70720439ace1097e84013 pcre-6.3-i486-1.tgz
Installation instructions:
+------------------------+
Upgrade the package as root:
# upgradepkg pcre-6.3-i486-1.tgz
Then, restart any applications that use the PCRE library.
+-----+
Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com
+------------------------------------------------------------------------+
| To leave the slackware-security mailing list: |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message: |
| |
| unsubscribe slackware-security |
| |
| You will get a confirmation message back containing instructions to |
| complete the process. Please do not reply to this email address. |
+------------------------------------------------------------------------+
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.7 (GNU/Linux)
iD8DBQFDFNA2akRjwEAQIjMRArN1AJ9ia9JEvPfPd6b0W9XwoFEBE0wbMgCgiSLV
3sPoR3byOBpzI+2YN0ZTeJM=
=f/ti
-----END PGP SIGNATURE-----
|
| |