pcre3: CAN-2005-2491
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
pcre3 (Debian) | Fix Released | Unknown | |
pcre3 (Ubuntu) | Fix Released | High | Martin Pitt |
Bug Description
Automatically imported from Debian bug report #324531 http://
CVE References
Debian Bug Importer (debzilla) wrote : | #1 |
Debian Bug Importer (debzilla) wrote : | #2 |
Message-Id: <email address hidden>
Date: Mon, 22 Aug 2005 18:15:53 +0200
From: Adrian Bunk <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: pcre3: CAN-2005-2491
Package: pcre3
Severity: critical
Tags: security, woody, sarge, etch, sid
It should be checked which of the versions in unstable/testing,
stable and oldstable might be affected by CAN-2005-2491
(PCRE Heap Overflow May Let Users Execute Arbitrary Code).
In Debian Bug tracker #324531, Sven Mueller (debian-incase) wrote : pcre3: Version in stable (4.5-1.2) affected, patch attached | #3 |
Package: pcre3
Followup-For: Bug #324531
Patch extracted from difference between upstream versions 6.0 and 6.1,
modified to patch version 4.5. Patch is attached.
Regards,
Sven
-- System Information:
Debian Release: 3.1
APT prefers experimental
APT policy: (400, 'experimental'), (90, 'testing'), (50, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.11.12-incase
Locale: LANG=C, LC_CTYPE=C (charmap=
In Debian Bug tracker #324531, Sven Mueller (debian-incase) wrote : pcre3: testing, unstable also affected | #4 |
Package: pcre3
Followup-For: Bug #324531
Same patch as in my previous mail also works for 5.0-1.1
Regards,
Sven
-- System Information:
Debian Release: 3.1
APT prefers experimental
APT policy: (400, 'experimental'), (90, 'testing'), (50, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.11.12-incase
Locale: LANG=C, LC_CTYPE=C (charmap=
In Debian Bug tracker #324531, Sven Mueller (debian-incase) wrote : Found PCRE bugs in versions 4.5-1.2 and 5.0-1.1 | #5 |
Package: pcre3
Found 324531 4.5-1.2
Found 324531 5.0-1.1
Thanks
In Debian Bug tracker #324531, Sven Mueller (sm-ciphirelabs) wrote : Additional note: unstable seems unaffected | #6 |
Hi.
The code used to actually parse regular expressions seems to be
completely different in pcre3-3.4-1.1 (version in oldstable), so it is
likely oldstable is not affected by this bug. But I can't tell for sure.
At the very least the fix will definitely need to be modified, something
I won't be able to do in a timely manner.
Regards,
Sven
--
"Writing a book is like washing an elephant: there's no good
place to begin or end, and it's hard to keep track of what
you've already covered." -- Anonymous
Debian Bug Importer (debzilla) wrote : | #7 |
Message-Id: <email address hidden>
Date: Mon, 22 Aug 2005 20:11:51 +0200
From: Sven Mueller <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: pcre3: Version in stable (4.5-1.2) affected, patch attached
--- pcre.c 2003-12-10 17:45:44.000000000 +0100
+++ ../pcre.c 2005-08-22 19:49:14.673426894 +0200
@@ -4755,6 +4755,7 @@
set = unset = 0; /* To save length */
+ length +=2; /* avoid CAN-2005-2491 */
}
/* Fall through */
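Review bot: the `/* avoid CAN-2005-2491 */` comment on the added `length +=2;` line names the wrong issue. The covering mail (#3) says this hunk was extracted from the 6.0 to 6.1 diff, and #20 points out that 6.1 is itself still listed as vulnerable, so whatever these two bytes account for, it is not the CVE fix; per #20 and #21 the real change is the larger 6.1 to 6.2 diff. Suggest the comment state what the extra length is reserving space for, and write `length += 2` with a space after the operator to match the surrounding code.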
Debian Bug Importer (debzilla) wrote : | #8 |
Date: Mon, 22 Aug 2005 20:14:42 +0200
From: Sven Mueller <email address hidden>
Subject: pcre3: testing, unstable also affected
Debian Bug Importer (debzilla) wrote : | #9 |
Date: Mon, 22 Aug 2005 20:26:22 +0200 (CEST)
From: Sven Mueller <email address hidden>
Subject: Found PCRE bugs in versions 4.5-1.2 and 5.0-1.1
Debian Bug Importer (debzilla) wrote : | #10 |
Date: Mon, 22 Aug 2005 21:29:13 +0200
From: Sven Mueller <email address hidden>
Subject: Additional note: unstable seems unaffected
In Debian Bug tracker #324531, Mark Baker (mark-p4-7014) wrote : Re: Bug#324531: pcre3: CAN-2005-2491 | #11 |
On Mon, Aug 22, 2005 at 06:15:53PM +0200, Adrian Bunk wrote:
> It should be checked which of the versions in unstable/testing,
> stable and oldstable might be affected by CAN-2005-2491
> (PCRE Heap Overflow May Let Users Execute Arbitrary Code).
I'm away on business until wednesday night; if anything needs doing
urgently it would be good if someone else could deal with it.
Debian Bug Importer (debzilla) wrote : | #12 |
Date: Mon, 22 Aug 2005 21:52:41 +0100
From: Mark Baker <email address hidden>
Subject: Re: Bug#324531: pcre3: CAN-2005-2491
In Debian Bug tracker #324531, Joey Hess (joeyh) wrote : | #13 |
Adrian Bunk wrote:
> It should be checked which of the versions in unstable/testing,
> stable and oldstable might be affected by CAN-2005-2491
> (PCRE Heap Overflow May Let Users Execute Arbitrary Code).
Which is unfortunately still marked as "reserved" in the CVE db, so I
don't have any more info about it. URL?
--
see shy jo
In Debian Bug tracker #324531, Adrian Bunk (bunk) wrote : | #14 |
On Mon, Aug 22, 2005 at 07:43:53PM -0400, Joey Hess wrote:
> Adrian Bunk wrote:
> > It should be checked which of the versions in unstable/testing,
> > stable and oldstable might be affected by CAN-2005-2491
> > (PCRE Heap Overflow May Let Users Execute Arbitrary Code).
>
> Which is unfortunately still marked as "reserved" in the CVE db, so I
> don't have any more info about it. URL?
http://
> see shy jo
cu
Adrian
--
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Debian Bug Importer (debzilla) wrote : | #15 |
Date: Mon, 22 Aug 2005 19:43:53 -0400
From: Joey Hess <email address hidden>
Subject: Re: Bug#324531: pcre3: CAN-2005-2491
Debian Bug Importer (debzilla) wrote : | #16 |
Date: Tue, 23 Aug 2005 02:54:40 +0200
From: Adrian Bunk <email address hidden>
Subject: Re: Bug#324531: pcre3: CAN-2005-2491
Martin Pitt (pitti) wrote : | #17 |
pcre3 (5.0-1.1ubuntu1) breezy; urgency=low
.
* SECURITY UPDATE: Fix arbitrary code execution with specially crafted
regexps.
* pcre.c: Apply upstream patch to fix length calculation if ')' appears as
the first item in the regexp.
* References:
CAN-2005-2491
http://
Fix pending for stables.
In Debian Bug tracker #324531, Sven Mueller (sven-incase) wrote : | #18 |
Joey Hess wrote on 23/08/2005 01:43:
> Adrian Bunk wrote:
>
>>It should be checked which of the versions in unstable/testing,
>>stable and oldstable might be affected by CAN-2005-2491
>>(PCRE Heap Overflow May Let Users Execute Arbitrary Code).
>
>
> Which is unfortunately still marked as "reserved" in the CVE db, so I
> don't have any more info about it. URL?
>
Martin Pitt (pitti) wrote : | #19 |
stables fixed in USN-173-1.
In Debian Bug tracker #324531, Stefan Fritsch (sf-sfritsch) wrote : | #20 |
Hi,
> Patch extracted from difference between upstream versions 6.0 and
> 6.1, modified to patch version 4.5. Patch is attached.
While the issue corresponding to your patch should be fixed as well,
this is not the patch for CAN-2005-2491. The securitytracker page
states that 6.1 and prior versions are vulnerable. One needs to look
at the differences between 6.1 and 6.2. The relevant changes are a
bit larger.
Cheers,
Stefan
In Debian Bug tracker #324531, Martin Pitt (pitti) wrote : pcre3: patch for CAN-2005-2491 | #21 |
Hi!
Here is the relevant change from pcre3 6.1-> 6.2, ported to 5.0:
http://
Thanks,
Martin
--
Martin Pitt http://
Ubuntu Developer http://
Debian Developer http://
In Debian Bug tracker #324531, Sven Mueller (debian-incase) wrote : Re: Bug#324531: pcre3: CAN-2005-2491 | #22 |
Stefan Fritsch wrote on 23/08/2005 23:15:
>>Patch extracted from difference between upstream versions 6.0 and
>>6.1, modified to patch version 4.5. Patch is attached.
>
> While the issue corresponding to your patch should be fixed as well,
> this is not the patch for CAN-2005-2491. The securitytracker page
> states that 6.1 and prior versions are vulnerable. One needs to look
> at the differences between 6.1 and 6.2. The relevant changes are a
> bit larger.
You are right. I was confused because the pcre homepage still says 6.1
is the latest version. Working on the real fix now.
cu,
sven
In Debian Bug tracker #324531, Sven Mueller (debian-incase) wrote : | #23 |
Stefan Fritsch wrote on 23/08/2005 23:15:
>>Patch extracted from difference between upstream versions 6.0 and
>>6.1, modified to patch version 4.5. Patch is attached.
>
> While the issue corresponding to your patch should be fixed as well,
> this is not the patch for CAN-2005-2491. The securitytracker page
> states that 6.1 and prior versions are vulnerable. One needs to look
> at the differences between 6.1 and 6.2. The relevant changes are a
> bit larger.
Alright, this time I attach the correct patches (only source patches, no
debian changelog entry) for all three versions of libpcre3 currently in
the archive (3.4, 4.5, 5.0), attached. I could prepare a NMU, but as I
am no DD, I would need a sponsor for that (plus I don't really know how
to do the security-NMU to stable/oldstable anyhow - yet).
cu,
sven
In Debian Bug tracker #324531, Martin Pitt (pitti) wrote : PCRE3: CAN-2005-2491 for oldstable | #24 |
Hi!
Since I have to fix apache2 2.0.50 for Ubuntu, which still has an
embedded pcre 3.x, I also took a look at the woody version. I took a
look at the code and played with the test suite, and it seems to me
that the capture part works ok; just the integer underflow must be
fixed:
--- pcre.c
+++ pcre.c
@@ -733,7 +733,7 @@
/* Do paranoid checks, then fill in the required variables, and pass back the
pointer to the terminating '}'. */
-if (min > 65535 || max > 65535)
+if (min < 0 || min > 65535 || max < 0 || max > 65535)
*errorptr = ERR5;
else
{
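Review bot: `min < 0 || max < 0` only detects an overflow that happens to leave the accumulator negative, and it tests after the digits have already been multiplied into a signed int, which is undefined behaviour that a compiler may assume cannot occur and so drop the test (comment #29 on this page raises exactly this). A long enough digit run can also wrap back into 0..65535 and pass. Suggest checking the bound inside the digit loop, before each multiply, so the value can never exceed 65535 and the `< 0` clauses become unnecessary.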
However, it would be nice to have a second pair of eyes to confirm
that this version is not vulnerable to the capturing overflow.
Thanks,
Martin
--
Martin Pitt http://
Ubuntu Developer http://
Debian Developer http://
In Debian Bug tracker #324531, Sven Mueller (sven-incase) wrote : Re: Bug#324531: pcre3: patch for CAN-2005-2491 | #25 |
Package pcre3
Tags 324531 +patch
thanks
Martin Pitt wrote on 24/08/2005 14:12:
> Here is the relevant change from pcre3 6.1-> 6.2, ported to 5.0:
>
> http://
Hmm, didn't get that the capturing fix is also needed. But you are
right there.
Attached are the patches which also include that capture-related fix
(4.5 and 5.0). The patch to 3.4 doesn't include anything to that part,
since it doesn't seem vulnerable to the capturing problem (and uses a
different approach to capturing anyway).
I also didn't include the patches made to the testing suite of the
package, since they by themself are not part of the security problem.
All three packages compile fine after the patches were applied.
Functionality also seems to be fine.
regards,
Sven
In Debian Bug tracker #324531, Sven Mueller (debian-incase) wrote : Bug#324531 also found in oldstable | #26 |
Package pcre3
found 324531 3.4-1.1
thanks
In Debian Bug tracker #324531, Martin Schulze (joey-infodrom) wrote : Re: pcre3: patch for CAN-2005-2491 | #27 |
Martin Pitt wrote:
> Hi!
>
> Here is the relevant change from pcre3 6.1-> 6.2, ported to 5.0:
>
> http://
Patch originally sent by Marcus Meissner from SuSE.
Regards,
Joey
--
It's time to close the windows.
Please always Cc to me when replying to me on the lists.
In Debian Bug tracker #324531, Martin Schulze (joey-infodrom) wrote : Re: PCRE3: CAN-2005-2491 for oldstable | #28 |
Martin Pitt wrote:
> Hi!
>
> Since I have to fix apache2 2.0.50 for Ubuntu, which still has an
> embedded pcre 3.x, I also took a look at the woody version. I took a
> look at the code and played with the test suite, and it seems to me
> that the capture part works ok; just the integer underflow must be
> fixed:
>
> --- pcre.c
> +++ pcre.c
> @@ -733,7 +733,7 @@
> /* Do paranoid checks, then fill in the required variables, and pass back the
> pointer to the terminating '}'. */
>
> -if (min > 65535 || max > 65535)
> +if (min < 0 || min > 65535 || max < 0 || max > 65535)
> *errorptr = ERR5;
> else
> {
>
> However, it would be nice to have a second pair of eyes to confirm
> that this version is not vulnerable to the capturing overflow.
Confirmed. Named subpatterns are not available in the 3.* version,
so they don't need to be fixed.
Regards,
Joey
--
It's time to close the windows.
In Debian Bug tracker #324531, Florian Weimer (fw) wrote : Re: Bug#324531: pcre3: CAN-2005-2491 | #29 |
* Sven Mueller:
> +/* Read the minimum value and do a paranoid check: a negative value indicates
> +an integer overflow. */
> +
> while ((digitab[*p] & ctype_digit) != 0) min = min * 10 + *p++ - '0';
> +if (min < 0 || min > 65535)
This doesn't work. Signed integer overflow is undefined. Future GCC
version are likely to detect that the "min < 0" test is superfluous as
a result, and will optimize it away.
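The point made in the reply above, as an added example that is not code from this thread or from PCRE: the first function has the shape of the posted patches (accumulate every digit, then test whether the result went negative), with the wrap-around done in unsigned arithmetic and cast back so the demonstration is reproducible instead of undefined; the second bounds the running value before every multiply. The function names, the constructed inputs and the 65535 limit (taken from the patches' ERR5 check) are the example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not PCRE code: two ways of reading the digits of a
 * {min,max} repeat count. Both return the count, or -1 for an out-of-range
 * value, and store in *endp the position where parsing stopped. */

#define MAX_REPEAT 65535   /* the limit the patches' ERR5 check enforces */

/* Shape of the posted patches: accumulate first, test for "went negative"
 * afterwards. In the real code the accumulator is a plain int, so the
 * overflow is undefined behaviour; here the wrap-around is done in uint32_t
 * and cast back (implementation-defined, two's complement on GCC/Clang) so
 * that the outcome is deterministic for the demonstration. */
static int read_count_after_the_fact(const char *p, const char **endp)
{
    int32_t acc = 0;
    while (*p >= '0' && *p <= '9') {
        acc = (int32_t)((uint32_t)acc * 10u + (uint32_t)(*p - '0'));
        p++;
    }
    *endp = p;
    if (acc < 0 || acc > MAX_REPEAT)   /* the check the patches add */
        return -1;
    return acc;
}

/* Hardened shape: stop accumulating as soon as the value exceeds the limit,
 * so no multiply can ever overflow and no sign test is needed. The digits are
 * still consumed so that *endp lands on the character after the number. */
static int read_count_bounded(const char *p, const char **endp)
{
    int acc = 0;
    int too_big = 0;
    while (*p >= '0' && *p <= '9') {
        if (!too_big) {
            /* acc <= 65535 here, so acc * 10 + 9 <= 655359: no overflow */
            acc = acc * 10 + (*p - '0');
            if (acc > MAX_REPEAT)
                too_big = 1;
        }
        p++;
    }
    *endp = p;
    return too_big ? -1 : acc;
}

int main(void)
{
    /* Constructed inputs: a sane count, one just over the limit, and two
     * overflow cases. 4294967301 is 2^32 + 5, so a 32-bit accumulator wraps
     * to exactly 5 and passes an after-the-fact range check. */
    const char *inputs[] = { "65535}", "65536}", "2147483648}", "4294967301}" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        const char *e1, *e2;
        int a = read_count_after_the_fact(inputs[i], &e1);
        int b = read_count_bounded(inputs[i], &e2);
        printf("%-12s after-the-fact=%d  bounded=%d\n", inputs[i], a, b);
    }
    return 0;
}
```

The third input shows the case the `< 0` test catches; the fourth shows the one it does not: the accumulator wraps all the way round to a small positive value, and only the bounded reader rejects it.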
In Debian Bug tracker #324531, Mark Baker (mark-mnb) wrote : Bug#324531: fixed in pcre3 6.3-1 | #30 |
Source: pcre3
Source-Version: 6.3-1
We believe that the bug you reported is fixed in the latest version of
pcre3, which is due to be installed in the Debian FTP archive:
libpcre3-
to pool/main/
libpcre3_
to pool/main/
pcre3_6.3-1.diff.gz
to pool/main/
pcre3_6.3-1.dsc
to pool/main/
pcre3_6.
to pool/main/
pcregrep_
to pool/main/
pgrep_6.3-1_all.deb
to pool/main/
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Mark Baker <email address hidden> (supplier of updated pcre3 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)
Format: 1.7
Date: Sat, 27 Aug 2005 18:12:22 +0100
Source: pcre3
Binary: pcregrep libpcre3 pgrep libpcre3-dev
Architecture: source all i386
Version: 6.3-1
Distribution: unstable
Urgency: low
Maintainer: Mark Baker <email address hidden>
Changed-By: Mark Baker <email address hidden>
Description:
libpcre3 - Perl 5 Compatible Regular Expression Library - runtime files
libpcre3-dev - Perl 5 Compatible Regular Expression Library - development files
pcregrep - grep utility that uses perl 5 compatible regexes.
pgrep - Dummy package for transition to pcregrep
Closes: 309606 323761 324531
Changes:
pcre3 (6.3-1) unstable; urgency=low
.
* New upstream release (Closes: 323761).
* This includes fix to security issue CAN-2005-2491 (Closes: 324531)
.
pcre3 (5.0-1.1) unstable; urgency=low
.
* Non-maintainer upload.
* Correct an alignment error in the pcretest.c test case, which was
causing build failures on ia64 (closes: #309606).
In Debian Bug tracker #324531, Daniel Tiefnig (dantie) wrote : | #31 |
Hej,
so how about libpcre in sarge? It's also affected, isn't it? The upload
to unstable won't fix that. Has the security team been contacted?
lg,
daniel
In Debian Bug tracker #324531, Daniel Tiefnig (dantie) wrote : | #32 |
Daniel Tiefnig wrote:
> so how about libpcre in sarge?
Duh, here it is now:
http://
Thanks for catching this bug!
daniel
Debian Bug Importer (debzilla) wrote : | #33 |
Date: Tue, 23 Aug 2005 12:39:51 +0200
From: Sven Mueller <email address hidden>
Subject: Re: Bug#324531: pcre3: CAN-2005-2491
Debian Bug Importer (debzilla) wrote : | #34 |
Date: Tue, 23 Aug 2005 23:15:04 +0200
From: Stefan Fritsch <email address hidden>
Subject: pcre3: CAN-2005-2491
Debian Bug Importer (debzilla) wrote : | #35 |
Date: Wed, 24 Aug 2005 14:12:40 +0200
From: Martin Pitt <email address hidden>
Subject: pcre3: patch for CAN-2005-2491
Debian Bug Importer (debzilla) wrote : | #36 |
Date: Wed, 24 Aug 2005 14:52:41 +0200
From: Sven Mueller <email address hidden>
Subject: Re: Bug#324531: pcre3: CAN-2005-2491
Debian Bug Importer (debzilla) wrote : | #37 |
Message-ID: <email address hidden>
Date: Wed, 24 Aug 2005 15:20:46 +0200
From: Sven Mueller <email address hidden>
To: Stefan Fritsch <email address hidden>, <email address hidden>
Subject: Re: Bug#324531: pcre3: CAN-2005-2491
diff -ur pcre3-4.
--- pcre3-4.
+++ pcre3-4.5/pcre.c 2005-08-24 15:09:17.265537494 +0200
@@ -1047,7 +1047,18 @@
int min = 0;
int max = -1;
+/* Read the minimum value and do a paranoid check: a negative value indicates
+an integer overflow. */
+
while ((digitab[*p] & ctype_digit) != 0) min = min * 10 + *p++ - '0';
+if (min < 0 || min > 65535)
+ {
+ *errorptr = ERR5;
+ return p;
+ }
+
+/* Read the maximum value if there is one, and again do a paranoid on its size.
+Also, max must not be less than min. */
if (*p == '}') max = min; else
{
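Review bot: the new `if (min < 0 || min > 65535)` runs after `min = min * 10 + *p++ - '0'` has already overflowed a signed int, which is undefined behaviour (as #29 on this page objects), so the negative-value test is not a reliable detector and a long enough digit string can also wrap back to a small positive value; the same applies to the `max < 0` test in the next hunk. Move the `> 65535` test into the `while` loop, before the multiply, and drop the `< 0` clause. Also, the added comment "again do a paranoid on its size" is missing the word "check".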
@@ -1055,6 +1066,11 @@
{
max = 0;
while(
+ if (max < 0 || max > 65535)
+ {
+ *errorptr = ERR5;
+ return p;
+ }
if (max < min)
{
*errorptr = ERR4;
@@ -1063,16 +1079,11 @@
}
}
-/* Do paranoid checks, then fill in the required variables, and pass back the
-pointer to the terminating '}'. */
+/* Fill in the required variables, and pass back the pointer to the terminating
+'}'. */
-if (min > 65535 || max > 65535)
- *errorptr = ERR5;
-else
- {
- *minp = min;
- *maxp = max;
- }
+*minp = min;
+*maxp = max;
return p;
}
diff -ur pcre3-5.
--- pcre3-5.
+++ pcre3-5.0/pcre.c 2005-08-24 15:10:28.346633583 +0200
@@ -1245,7...
Debian Bug Importer (debzilla) wrote : | #38 |
Date: Wed, 24 Aug 2005 15:27:20 +0200
From: Martin Pitt <email address hidden>
Subject: PCRE3: CAN-2005-2491 for oldstable
Debian Bug Importer (debzilla) wrote : | #39 |
Message-ID: <email address hidden>
Date: Wed, 24 Aug 2005 15:49:34 +0200
From: Sven Mueller <email address hidden>
To: Martin Pitt <email address hidden>, <email address hidden>,
<email address hidden>
Subject: Re: Bug#324531: pcre3: patch for CAN-2005-2491
diff -ur pcre3-3.
--- pcre3-3.
+++ pcre3-3.4/pcre.c 2005-08-24 15:16:05.140911310 +0200
@@ -711,7 +711,18 @@
int min = 0;
int max = -1;
+/* Read the minimum value and do a paranoid check: a negative value indicates
+an integer overflow. */
+
while ((cd->ctypes[*p] & ctype_digit) != 0) min = min * 10 + *p++ - '0';
+if (min < 0 || min > 65535)
+ {
+ *errorptr = ERR5;
+ return p;
+ }
+
+/* Read the maximum value if there is one, and again do a paranoid on its size.
+Also, max must not be less than min. */
if (*p == '}') max = min; else
{
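Review bot: this is the same after-the-fact `min < 0` overflow test as in the 4.5 patch and the woody one-liner in #24, with `cd->ctypes` in place of `digitab`; the objection in #29 applies here too, so the bound belongs inside the `while` loop before the multiply rather than in a sign test afterwards.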
@@ -719,6 +730,11 @@
{
max = 0;
while(
+ if (max < 0 || max > 65535)
+ {
+ *errorptr = ERR5;
+ return p;
+ }
if (max < min)
{
*errorptr = ERR4;
@@ -727,16 +743,11 @@
}
}
-/* Do paranoid checks, then fill in the required variables, and pass back the
-pointer to the terminating '}'. */
+/* Fill in the required variables, and pass back the pointer to the terminating
+'}'. */
-if (min > 65535 || max > 65535)
- *errorptr = ERR5;
-else
- {
- *minp = min;
- *maxp = max;
- }
+*minp = min;
+*maxp = max;
return p;
}
diff -ur pcre3-4.
--- pcre3-4.
+++ pcre3-4.5/pcre.c 2005-08-24 15:25:17.580242557 +0200
@@ -1047,7 +1047,18 @@
int min = 0;
int max = -1;
+/* Read the minimum value and do a paranoid check: a negative value indicates
+an integer overflow. *...
Debian Bug Importer (debzilla) wrote : | #40 |
Date: Wed, 24 Aug 2005 15:51:07 +0200
From: Sven Mueller <email address hidden>
Subject: Bug#324531 also found in oldstable
Debian Bug Importer (debzilla) wrote : | #41 |
Date: Wed, 24 Aug 2005 20:08:24 +0200
From: Martin Schulze <email address hidden>
Subject: Re: pcre3: patch for CAN-2005-2491
Debian Bug Importer (debzilla) wrote : | #42 |
Date: Wed, 24 Aug 2005 21:04:50 +0200
From: Martin Schulze <email address hidden>
Subject: Re: PCRE3: CAN-2005-2491 for oldstable
Debian Bug Importer (debzilla) wrote : | #43 |
Date: Wed, 24 Aug 2005 22:18:34 +0200
From: Florian Weimer <email address hidden>
Subject: Re: Bug#324531: pcre3: CAN-2005-2491
Debian Bug Importer (debzilla) wrote : | #44 |
Date: Sat, 27 Aug 2005 10:47:07 -0700
From: Mark Baker <email address hidden>
Subject: Bug#324531: fixed in pcre3 6.3-1
Debian Bug Importer (debzilla) wrote : | #45 |
Date: Thu, 01 Sep 2005 11:23:18 +0200
From: Daniel Tiefnig <email address hidden>
Subject: Re: Bug#324531: fixed in pcre3 6.3-1
Debian Bug Importer (debzilla) wrote : | #46 |
Date: Fri, 02 Sep 2005 16:06:03 +0200
From: Daniel Tiefnig <email address hidden>
Subject: Re: Bug#324531: fixed in pcre3 6.3-1
Automatically imported from Debian bug report #324531 http://bugs.debian.org/324531