pcre3: CAN-2005-2491

Bug #20215 reported by Debian Bug Importer
Affects           Status         Importance   Assigned to   Milestone
pcre3 (Debian)    Fix Released   Unknown
pcre3 (Ubuntu)    Fix Released   High         Martin Pitt

Bug Description

Automatically imported from Debian bug report #324531 http://bugs.debian.org/324531

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Mon, 22 Aug 2005 18:15:53 +0200
From: Adrian Bunk <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: pcre3: CAN-2005-2491

Package: pcre3
Severity: critical
Tags: security, woody, sarge, etch, sid

It should be checked which of the versions in unstable/testing,
stable and oldstable might be affected by CAN-2005-2491
(PCRE Heap Overflow May Let Users Execute Arbitrary Code).

In , Sven Mueller (debian-incase) wrote : pcre3: Version in stable (4.5-1.2) affected, patch attached

Package: pcre3
Followup-For: Bug #324531

Patch extracted from difference between upstream versions 6.0 and 6.1,
modified to patch version 4.5. Patch is attached.

Regards,
Sven

-- System Information:
Debian Release: 3.1
  APT prefers experimental
  APT policy: (400, 'experimental'), (90, 'testing'), (50, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.11.12-incase
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

In , Sven Mueller (debian-incase) wrote : pcre3: testing, unstable also affected

Package: pcre3
Followup-For: Bug #324531

Same patch as in my previous mail also works for 5.0-1.1

Regards,
Sven

-- System Information:
Debian Release: 3.1
  APT prefers experimental
  APT policy: (400, 'experimental'), (90, 'testing'), (50, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.11.12-incase
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

In , Sven Mueller (debian-incase) wrote : Found PCRE bugs in versions 4.5-1.2 and 5.0-1.1

Package: pcre3
Found 324531 4.5-1.2
Found 324531 5.0-1.1
Thanks

In , Sven Mueller (sm-ciphirelabs) wrote : Additional note: unstable seems unaffected

Hi.

The code used to actually parse regular expressions seems to be
completely different in pcre3-3.4-1.1 (version in oldstable), so it is
likely oldstable is not affected by this bug. But I can't tell for sure.

At the very least the fix will definitely need to be modified, something
I won't be able to do in a timely manner.

Regards,
Sven
--
"Writing a book is like washing an elephant: there's no good
 place to begin or end, and it's hard to keep track of what
 you've already covered." -- Anonymous

--
------------------------ [ SECURITY NOTICE ] ------------------------
To: <email address hidden>.
For your security, <email address hidden>
digitally signed this message on 22 August 2005 at 19:29:15 UTC.
Verify this digital signature at http://www.ciphire.com/verify.

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Mon, 22 Aug 2005 20:11:51 +0200
From: Sven Mueller <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: pcre3: Version in stable (4.5-1.2) affected, patch attached


Package: pcre3
Followup-For: Bug #324531

Patch extracted from difference between upstream versions 6.0 and 6.1,
modified to patch version 4.5. Patch is attached.

Regards,
Sven

-- System Information:
Debian Release: 3.1
  APT prefers experimental
  APT policy: (400, 'experimental'), (90, 'testing'), (50, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.11.12-incase
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Attachment: pcre3-CAN-2005-2491.diff

--- pcre.c 2003-12-10 17:45:44.000000000 +0100
+++ ../pcre.c 2005-08-22 19:49:14.673426894 +0200
@@ -4755,6 +4755,7 @@
               options = (options | set) & (~unset);
               set = unset = 0; /* To save length */
               item_count--; /* To allow for several */
+ length +=2; /* avoid CAN-2005-2491 */
               }

             /* Fall through */
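Review bot: the comment on the added line, `+ length +=2; /* avoid CAN-2005-2491 */`, attributes the change to the wrong issue. As Stefan Fritsch's reply in this thread points out, a change taken from the 6.0 to 6.1 difference cannot be the CAN-2005-2491 fix, because 6.1 is itself listed as vulnerable; the comment should name the length-calculation bug this hunk actually corrects and explain why exactly two bytes are added, since nothing in the visible context lets a reader verify the `2`. Minor: the added line has lost the indentation of the surrounding block, and `+=2` should read `+= 2`.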

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Mon, 22 Aug 2005 20:14:42 +0200
From: Sven Mueller <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: pcre3: testing, unstable also affected

Package: pcre3
Followup-For: Bug #324531

Same patch as in my previous mail also works for 5.0-1.1

Regards,
Sven

-- System Information:
Debian Release: 3.1
  APT prefers experimental
  APT policy: (400, 'experimental'), (90, 'testing'), (50, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.11.12-incase
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Mon, 22 Aug 2005 20:26:22 +0200 (CEST)
From: Sven Mueller <email address hidden>
To: BTS <email address hidden>
Subject: Found PCRE bugs in versions 4.5-1.2 and 5.0-1.1

Package: pcre3
Found 324531 4.5-1.2
Found 324531 5.0-1.1
Thanks

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Mon, 22 Aug 2005 21:29:13 +0200
From: Sven Mueller <email address hidden>
To: <email address hidden>
Subject: Additional note: unstable seems unaffected

Hi.

The code used to actually parse regular expressions seems to be
completely different in pcre3-3.4-1.1 (version in oldstable), so it is
likely oldstable is not affected by this bug. But I can't tell for sure.

At the very least the fix will definitely need to be modified, something
I won't be able to do in a timely manner.

Regards,
Sven
--
"Writing a book is like washing an elephant: there's no good
 place to begin or end, and it's hard to keep track of what
 you've already covered." -- Anonymous


In , Mark Baker (mark-p4-7014) wrote : Re: Bug#324531: pcre3: CAN-2005-2491

On Mon, Aug 22, 2005 at 06:15:53PM +0200, Adrian Bunk wrote:

> It should be checked which of the versions in unstable/testing,
> stable and oldstable might be affected by CAN-2005-2491
> (PCRE Heap Overflow May Let Users Execute Arbitrary Code).

I'm away on business until Wednesday night; if anything needs doing
urgently it would be good if someone else could deal with it.

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Mon, 22 Aug 2005 21:52:41 +0100
From: Mark Baker <email address hidden>
To: <email address hidden>, <email address hidden>
Subject: Re: Bug#324531: pcre3: CAN-2005-2491

On Mon, Aug 22, 2005 at 06:15:53PM +0200, Adrian Bunk wrote:

> It should be checked which of the versions in unstable/testing,
> stable and oldstable might be affected by CAN-2005-2491
> (PCRE Heap Overflow May Let Users Execute Arbitrary Code).

I'm away on business until Wednesday night; if anything needs doing
urgently it would be good if someone else could deal with it.

In , Joey Hess (joeyh) wrote :

Adrian Bunk wrote:
> It should be checked which of the versions in unstable/testing,
> stable and oldstable might be affected by CAN-2005-2491
> (PCRE Heap Overflow May Let Users Execute Arbitrary Code).

Which is unfortunately still marked as "reserved" in the CVE db, so I
don't have any more info about it. URL?

--
see shy jo

In , Adrian Bunk (bunk) wrote :

On Mon, Aug 22, 2005 at 07:43:53PM -0400, Joey Hess wrote:
> Adrian Bunk wrote:
> > It should be checked which of the versions in unstable/testing,
> > stable and oldstable might be affected by CAN-2005-2491
> > (PCRE Heap Overflow May Let Users Execute Arbitrary Code).
>
> Which is unfortunately still marked as "reserved" in the CVE db, so I
> don't have any more info about it. URL?

  http://www.securitytracker.com/alerts/2005/Aug/1014744.html

> see shy jo

cu
Adrian

--

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Mon, 22 Aug 2005 19:43:53 -0400
From: Joey Hess <email address hidden>
To: Adrian Bunk <email address hidden>, <email address hidden>
Subject: Re: Bug#324531: pcre3: CAN-2005-2491


Adrian Bunk wrote:
> It should be checked which of the versions in unstable/testing,
> stable and oldstable might be affected by CAN-2005-2491
> (PCRE Heap Overflow May Let Users Execute Arbitrary Code).

Which is unfortunately still marked as "reserved" in the CVE db, so I
don't have any more info about it. URL?

--
see shy jo


Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Tue, 23 Aug 2005 02:54:40 +0200
From: Adrian Bunk <email address hidden>
To: Joey Hess <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#324531: pcre3: CAN-2005-2491

On Mon, Aug 22, 2005 at 07:43:53PM -0400, Joey Hess wrote:
> Adrian Bunk wrote:
> > It should be checked which of the versions in unstable/testing,
> > stable and oldstable might be affected by CAN-2005-2491
> > (PCRE Heap Overflow May Let Users Execute Arbitrary Code).
>
> Which is unfortunately still marked as "reserved" in the CVE db, so I
> don't have any more info about it. URL?

  http://www.securitytracker.com/alerts/2005/Aug/1014744.html

> see shy jo

cu
Adrian

--

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed

Martin Pitt (pitti) wrote :

 pcre3 (5.0-1.1ubuntu1) breezy; urgency=low
 .
   * SECURITY UPDATE: Fix arbitrary code execution with specially crafted
     regexps.
   * pcre.c: Apply upstream patch to fix length calculation if ')' appears as
     the first item in the regexp.
   * References:
     CAN-2005-2491
     http://securitytracker.com/id?1014744

Fix pending for stables.

In , Sven Mueller (sven-incase) wrote :

Joey Hess wrote on 23/08/2005 01:43:
> Adrian Bunk wrote:
>
>>It should be checked which of the versions in unstable/testing,
>>stable and oldstable might be affected by CAN-2005-2491
>>(PCRE Heap Overflow May Let Users Execute Arbitrary Code).
>
>
> Which is unfortunately still marked as "reserved" in the CVE db, so I
> don't have any more info about it. URL?
>

http://www.securitytracker.com/alerts/2005/Aug/1014744.html

Martin Pitt (pitti) wrote :

stables fixed in USN-173-1.

In , Stefan Fritsch (sf-sfritsch) wrote :

Hi,

> Patch extracted from difference between upstream versions 6.0 and
> 6.1, modified to patch version 4.5. Patch is attached.

While the issue corresponding to your patch should be fixed as well,
this is not the patch for CAN-2005-2491. The securitytracker page
states that 6.1 and prior versions are vulnerable. One needs to look
at the differences between 6.1 and 6.2. The relevant changes are a
bit larger.

Cheers,
Stefan

In , Martin Pitt (pitti) wrote : pcre3: patch for CAN-2005-2491

Hi!

Here is the relevant change from pcre3 6.1-> 6.2, ported to 5.0:

  http://patches.ubuntu.com/patches/pcre3.CAN-2005-2491.diff

Thanks,

Martin
--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntu.com
Debian Developer http://www.debian.org

In , Sven Mueller (debian-incase) wrote : Re: Bug#324531: pcre3: CAN-2005-2491

Stefan Fritsch wrote on 23/08/2005 23:15:
>>Patch extracted from difference between upstream versions 6.0 and
>>6.1, modified to patch version 4.5. Patch is attached.
>
> While the issue corresponding to your patch should be fixed as well,
> this is not the patch for CAN-2005-2491. The securitytracker page
> states that 6.1 and prior versions are vulnerable. One needs to look
> at the differences between 6.1 and 6.2. The relevant changes are a
> bit larger.

You are right. I was confused because the pcre homepage still says 6.1
is the latest version. Working on the real fix now.

cu,
sven

In , Sven Mueller (debian-incase) wrote :

Stefan Fritsch wrote on 23/08/2005 23:15:
>>Patch extracted from difference between upstream versions 6.0 and
>>6.1, modified to patch version 4.5. Patch is attached.
>
> While the issue corresponding to your patch should be fixed as well,
> this is not the patch for CAN-2005-2491. The securitytracker page
> states that 6.1 and prior versions are vulnerable. One needs to look
> at the differences between 6.1 and 6.2. The relevant changes are a
> bit larger.

Alright, this time I attach the correct patches (only source patches, no
debian changelog entry) for all three versions of libpcre3 currently in
the archive (3.4, 4.5, 5.0), attached. I could prepare a NMU, but as I
am no DD, I would need a sponsor for that (plus I don't really know how
to do the security-NMU to stable/oldstable anyhow - yet).

cu,
sven

In , Martin Pitt (pitti) wrote : PCRE3: CAN-2005-2491 for oldstable

Hi!

Since I have to fix apache2 2.0.50 for Ubuntu, which still has an
embedded pcre 3.x, I also took a look at the woody version. I took a
look at the code and played with the test suite, and it seems to me
that the capture part works ok; just the integer underflow must be
fixed:

--- pcre.c
+++ pcre.c
@@ -733,7 +733,7 @@
 /* Do paranoid checks, then fill in the required variables, and pass back the
 pointer to the terminating '}'. */

-if (min > 65535 || max > 65535)
+if (min < 0 || min > 65535 || max < 0 || max > 65535)
   *errorptr = ERR5;
 else
   {
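Review bot: the `min < 0` and `max < 0` tests in `+if (min < 0 || min > 65535 || max < 0 || max > 65535)` only detect the overflow after it has occurred, and since both variables are `int`s the wrap-around that makes them negative is undefined behaviour; as Florian Weimer notes further down the thread, a compiler may assume signed arithmetic never overflows and delete the `< 0` tests. Bound the value while the digits are read (refuse the count as soon as the next digit would push it past 65535), which needs no sign test at all. Separately, the `max < 0` test looks wrong for the `{n,}` form: in the 3.4 hunk Sven posts later in this thread the function starts with `int max = -1;` and only assigns `max` when a second number is present, so with this line every `{n,}` quantifier would be rejected with ERR5; the `max` check belongs on the path where the digits of `max` are actually read.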

However, it would be nice to have a second pair of eyes to confirm
that this version is not vulnerable to the capturing overflow.

Thanks,

Martin
--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntu.com
Debian Developer http://www.debian.org

In , Sven Mueller (sven-incase) wrote : Re: Bug#324531: pcre3: patch for CAN-2005-2491

Package pcre3
Tags 324531 +patch
thanks

Martin Pitt wrote on 24/08/2005 14:12:
> Here is the relevant change from pcre3 6.1-> 6.2, ported to 5.0:
>
> http://patches.ubuntu.com/patches/pcre3.CAN-2005-2491.diff

Hmm, didn't get that the capturing fix is also needed. But you are
right there.

Attached are the patches which also include that capture-related fix
(4.5 and 5.0). The patch to 3.4 doesn't include anything to that part,
since it doesn't seem vulnerable to the capturing problem (and uses a
different approach to capturing anyway).

I also didn't include the patches made to the testing suite of the
package, since they by themselves are not part of the security problem.

All three packages compile fine after the patches were applied.
Functionality also seems to be fine.

regards,
Sven

In , Sven Mueller (debian-incase) wrote : Bug#324531 also found in oldstable

Package pcre3
found 324531 3.4-1.1
thanks

In , Martin Schulze (joey-infodrom) wrote : Re: pcre3: patch for CAN-2005-2491

Martin Pitt wrote:
> Hi!
>
> Here is the relevant change from pcre3 6.1-> 6.2, ported to 5.0:
>
> http://patches.ubuntu.com/patches/pcre3.CAN-2005-2491.diff

Patch originally sent by Marcus Meissner from SuSE.

Regards,

 Joey

--
It's time to close the windows.

Please always Cc to me when replying to me on the lists.

In , Martin Schulze (joey-infodrom) wrote : Re: PCRE3: CAN-2005-2491 for oldstable

Martin Pitt wrote:
> Hi!
>
> Since I have to fix apache2 2.0.50 for Ubuntu, which still has an
> embedded pcre 3.x, I also took a look at the woody version. I took a
> look at the code and played with the test suite, and it seems to me
> that the capture part works ok; just the integer underflow must be
> fixed:
>
> --- pcre.c
> +++ pcre.c
> @@ -733,7 +733,7 @@
> /* Do paranoid checks, then fill in the required variables, and pass back the
> pointer to the terminating '}'. */
>
> -if (min > 65535 || max > 65535)
> +if (min < 0 || min > 65535 || max < 0 || max > 65535)
> *errorptr = ERR5;
> else
> {
>
> However, it would be nice to have a second pair of eyes to confirm
> that this version is not vulnerable to the capturing overflow.

Confirmed. Named subpatterns are not available in the 3.* version,
so they don't need to be fixed.

Regards,

 Joey

--
It's time to close the windows.

In , Florian Weimer (fw) wrote : Re: Bug#324531: pcre3: CAN-2005-2491

* Sven Mueller:

> +/* Read the minimum value and do a paranoid check: a negative value indicates
> +an integer overflow. */
> +
> while ((digitab[*p] & ctype_digit) != 0) min = min * 10 + *p++ - '0';
> +if (min < 0 || min > 65535)

This doesn't work. Signed integer overflow is undefined. Future GCC
version are likely to detect that the "min < 0" test is superfluous as
a result, and will optimize it away.
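Florian Weimer's objection above, and the woody patch Martin Pitt posted earlier, both come down to where the repeat count is range-checked. The following C is an added example written for this page, not code from PCRE or from anyone in this thread: it puts the thread's after-the-fact sign check beside a reader that bounds the count while the digits are accumulated, and wraps the latter in a small `{n}`, `{n,}`, `{n,m}` parser. `REPEAT_LIMIT`, the `repeat_err` codes, `read_count_after_the_fact`, `read_count_bounded`, `parse_repeat` and the `repeat_*_of` wrappers are all names chosen here; only the 65535 limit and the ERR4/ERR5 meanings come from the patches in the thread.

```c
#include <stdio.h>

/* Bound used by the patches in this thread (PCRE's 65535 repeat limit). */
#define REPEAT_LIMIT 65535

/* Hypothetical error codes; PCRE's own are ERR4 (max < min) and ERR5 (too big). */
enum repeat_err {
    REPEAT_OK = 0,
    REPEAT_SYNTAX,      /* not a well-formed {n}, {n,} or {n,m} */
    REPEAT_MAX_LT_MIN,  /* stands in for ERR4 */
    REPEAT_TOO_BIG      /* stands in for ERR5 */
};

static int is_digit(char c) { return c >= '0' && c <= '9'; }

/* The shape the thread's patches use: accumulate into a signed int, then test
   for a negative result.  Once v * 10 passes INT_MAX this is signed overflow,
   which C leaves undefined, so a compiler may assume v can never be negative
   and delete the `v < 0` test (Florian Weimer's objection).  Shown for
   contrast only; nothing below feeds it an overflowing input. */
enum repeat_err read_count_after_the_fact(const char **pp, int *out)
{
    const char *p = *pp;
    int v = 0;
    while (is_digit(*p)) v = v * 10 + (*p++ - '0');   /* may overflow */
    *pp = p;
    if (v < 0 || v > REPEAT_LIMIT) return REPEAT_TOO_BIG;
    *out = v;
    return REPEAT_OK;
}

/* Hardened form: refuse the count as soon as the next digit would push it past
   REPEAT_LIMIT, so the accumulator never gets anywhere near INT_MAX and no
   sign test is needed.  Remaining digits are still consumed so that the
   caller's position in the pattern is the same on every path. */
enum repeat_err read_count_bounded(const char **pp, int *out)
{
    const char *p = *pp;
    int v = 0, too_big = 0;
    while (is_digit(*p)) {
        int d = *p++ - '0';
        /* v * 10 + d <= REPEAT_LIMIT  <=>  v <= (REPEAT_LIMIT - d) / 10 */
        if (too_big || v > (REPEAT_LIMIT - d) / 10) { too_big = 1; continue; }
        v = v * 10 + d;
    }
    *pp = p;
    if (too_big) return REPEAT_TOO_BIG;
    *out = v;
    return REPEAT_OK;
}

/* Parse a quantifier starting at '{' into *minp/*maxp; max == -1 means
   "no upper bound", the convention the thread's read_repeat_counts hunks use. */
enum repeat_err parse_repeat(const char *s, int *minp, int *maxp)
{
    const char *p = s;
    int min = 0, max = -1;
    enum repeat_err e;

    if (*p != '{' || !is_digit(p[1])) return REPEAT_SYNTAX;
    p++;
    if ((e = read_count_bounded(&p, &min)) != REPEAT_OK) return e;

    if (*p == '}') {
        max = min;                                   /* {n} */
    } else if (*p == ',') {
        p++;
        if (is_digit(*p)) {                          /* {n,m} */
            if ((e = read_count_bounded(&p, &max)) != REPEAT_OK) return e;
            if (max < min) return REPEAT_MAX_LT_MIN;
        }                                            /* else {n,}: max stays -1 */
        if (*p != '}') return REPEAT_SYNTAX;
    } else {
        return REPEAT_SYNTAX;
    }
    *minp = min;
    *maxp = max;
    return REPEAT_OK;
}

/* Single-value wrappers: status code, or min/max (-2 on any error). */
int repeat_status(const char *s) { int a = -2, b = -2; return (int)parse_repeat(s, &a, &b); }
int repeat_min_of(const char *s) { int a = -2, b = -2; return parse_repeat(s, &a, &b) == REPEAT_OK ? a : -2; }
int repeat_max_of(const char *s) { int a = -2, b = -2; return parse_repeat(s, &a, &b) == REPEAT_OK ? b : -2; }

int main(void)
{
    /* Constructed inputs; the last two are the oversized counts the patches guard against. */
    const char *samples[] = { "{3,5}", "{7,}", "{65535}", "{5,3}", "{65536}", "{99999999999}" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int mn, mx;
        enum repeat_err e = parse_repeat(samples[i], &mn, &mx);
        if (e == REPEAT_OK) printf("%-16s min=%d max=%d\n", samples[i], mn, mx);
        else                printf("%-16s error %d\n", samples[i], (int)e);
    }
    return 0;
}
```

The bounded reader tests `v > (REPEAT_LIMIT - d) / 10` before it multiplies, so the accumulator never exceeds 65535 and there is no overflow for the compiler to reason about; the sample main feeds it `{65536}` and an eleven-digit count, which are exactly the inputs the after-the-fact version cannot be trusted with.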

In , Mark Baker (mark-mnb) wrote : Bug#324531: fixed in pcre3 6.3-1

Source: pcre3
Source-Version: 6.3-1

We believe that the bug you reported is fixed in the latest version of
pcre3, which is due to be installed in the Debian FTP archive:

libpcre3-dev_6.3-1_i386.deb
  to pool/main/p/pcre3/libpcre3-dev_6.3-1_i386.deb
libpcre3_6.3-1_i386.deb
  to pool/main/p/pcre3/libpcre3_6.3-1_i386.deb
pcre3_6.3-1.diff.gz
  to pool/main/p/pcre3/pcre3_6.3-1.diff.gz
pcre3_6.3-1.dsc
  to pool/main/p/pcre3/pcre3_6.3-1.dsc
pcre3_6.3.orig.tar.gz
  to pool/main/p/pcre3/pcre3_6.3.orig.tar.gz
pcregrep_6.3-1_i386.deb
  to pool/main/p/pcre3/pcregrep_6.3-1_i386.deb
pgrep_6.3-1_all.deb
  to pool/main/p/pcre3/pgrep_6.3-1_all.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mark Baker <email address hidden> (supplier of updated pcre3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)


Format: 1.7
Date: Sat, 27 Aug 2005 18:12:22 +0100
Source: pcre3
Binary: pcregrep libpcre3 pgrep libpcre3-dev
Architecture: source all i386
Version: 6.3-1
Distribution: unstable
Urgency: low
Maintainer: Mark Baker <email address hidden>
Changed-By: Mark Baker <email address hidden>
Description:
 libpcre3 - Perl 5 Compatible Regular Expression Library - runtime files
 libpcre3-dev - Perl 5 Compatible Regular Expression Library - development files
 pcregrep - grep utility that uses perl 5 compatible regexes.
 pgrep - Dummy package for transition to pcregrep
Closes: 309606 323761 324531
Changes:
 pcre3 (6.3-1) unstable; urgency=low
 .
   * New upstream release (Closes: 323761).
   * This includes fix to security issue CAN-2005-2491 (Closes: 324531)
 .
 pcre3 (5.0-1.1) unstable; urgency=low
 .
   * Non-maintainer upload.
   * Correct an alignment error in the pcretest.c test case, which was
     causing build failures on ia64 (closes: #309606).
Files:
 91f444f5eba58bc3c20d99de6214a71a 577 libs optional pcre3_6.3-1.dsc
 6a2934e0cce1656692430d9788002c93 819268 libs optional pcre3_6.3.orig.tar.gz
 9d837723421e35117bd76b7a7deab9b6 11204 libs optional pcre3_6.3-1.diff.gz
 07acbabbd4b230c13c68081220ffa8fc 762 oldlibs optional pgrep_6.3-1_all.deb
 2aae0dc35274f210c1e9baafb6e17e9f 187420 libs important libpcre3_6.3-1_i386.deb
 70788faf301fb344de90d2a3cf705f35 215714 libdevel optional libpcre3-dev_6.3-1_i386.deb
 f31e373cb5444605af90290e0ed2d888 12084 utils optional pcregrep_6.3-1_i386.deb


In , Daniel Tiefnig (dantie) wrote :

Hej,

so how about libpcre in sarge? It's also affected, isn't it? The upload
to unstable won't fix that. Has the security team been contacted?

lg,
daniel

In , Daniel Tiefnig (dantie) wrote :

Daniel Tiefnig wrote:
> so how about libpcre in sarge?

Duh, here it is now:
http://www.us.debian.org/security/2005/dsa-800

Thanks for catching this bug!

daniel

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Tue, 23 Aug 2005 12:39:51 +0200
From: Sven Mueller <email address hidden>
To: Joey Hess <email address hidden>, <email address hidden>
CC: Adrian Bunk <email address hidden>
Subject: Re: Bug#324531: pcre3: CAN-2005-2491

Joey Hess wrote on 23/08/2005 01:43:
> Adrian Bunk wrote:
>
>>It should be checked which of the versions in unstable/testing,
>>stable and oldstable might be affected by CAN-2005-2491
>>(PCRE Heap Overflow May Let Users Execute Arbitrary Code).
>
>
> Which is unfortunately still marked as "reserved" in the CVE db, so I
> don't have any more info about it. URL?
>

http://www.securitytracker.com/alerts/2005/Aug/1014744.html

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Tue, 23 Aug 2005 23:15:04 +0200
From: Stefan Fritsch <email address hidden>
To: <email address hidden>,
 Sven Mueller <email address hidden>
Subject: pcre3: CAN-2005-2491

Hi,

> Patch extracted from difference between upstream versions 6.0 and
> 6.1, modified to patch version 4.5. Patch is attached.

While the issue corresponding to your patch should be fixed as well,
this is not the patch for CAN-2005-2491. The securitytracker page
states that 6.1 and prior versions are vulnerable. One needs to look
at the differences between 6.1 and 6.2. The relevant changes are a
bit larger.

Cheers,
Stefan

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Wed, 24 Aug 2005 14:12:40 +0200
From: Martin Pitt <email address hidden>
To: <email address hidden>
Cc: <email address hidden>
Subject: pcre3: patch for CAN-2005-2491


Hi!

Here is the relevant change from pcre3 6.1-> 6.2, ported to 5.0:

  http://patches.ubuntu.com/patches/pcre3.CAN-2005-2491.diff

Thanks,

Martin
--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntu.com
Debian Developer http://www.debian.org


Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Wed, 24 Aug 2005 14:52:41 +0200
From: Sven Mueller <email address hidden>
To: Stefan Fritsch <email address hidden>, <email address hidden>
Subject: Re: Bug#324531: pcre3: CAN-2005-2491


Stefan Fritsch wrote on 23/08/2005 23:15:
>>Patch extracted from difference between upstream versions 6.0 and
>>6.1, modified to patch version 4.5. Patch is attached.
>
> While the issue corresponding to your patch should be fixed as well,
> this is not the patch for CAN-2005-2491. The securitytracker page
> states that 6.1 and prior versions are vulnerable. One needs to look
> at the differences between 6.1 and 6.2. The relevant changes are a
> bit larger.

You are right. I was confused because the pcre homepage still says 6.1
is the latest version. Working on the real fix now.

cu,
sven


Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Wed, 24 Aug 2005 15:20:46 +0200
From: Sven Mueller <email address hidden>
To: Stefan Fritsch <email address hidden>, <email address hidden>
Subject: Re: Bug#324531: pcre3: CAN-2005-2491


Stefan Fritsch wrote on 23/08/2005 23:15:
>>Patch extracted from difference between upstream versions 6.0 and
>>6.1, modified to patch version 4.5. Patch is attached.
>
> While the issue corresponding to your patch should be fixed as well,
> this is not the patch for CAN-2005-2491. The securitytracker page
> states that 6.1 and prior versions are vulnerable. One needs to look
> at the differences between 6.1 and 6.2. The relevant changes are a
> bit larger.

Alright, this time I attach the correct patches (only source patches, no
debian changelog entry) for all three versions of libpcre3 currently in
the archive (3.4, 4.5, 5.0), attached. I could prepare a NMU, but as I
am no DD, I would need a sponsor for that (plus I don't really know how
to do the security-NMU to stable/oldstable anyhow - yet).

cu,
sven

Attachment: pcre3-4.5-CAN2005-2491.diff

diff -ur pcre3-4.5.orig/pcre.c pcre3-4.5/pcre.c
--- pcre3-4.5.orig/pcre.c 2003-12-10 17:45:44.000000000 +0100
+++ pcre3-4.5/pcre.c 2005-08-24 15:09:17.265537494 +0200
@@ -1047,7 +1047,18 @@
 int min = 0;
 int max = -1;

+/* Read the minimum value and do a paranoid check: a negative value indicates
+an integer overflow. */
+
 while ((digitab[*p] & ctype_digit) != 0) min = min * 10 + *p++ - '0';
+if (min < 0 || min > 65535)
+ {
+ *errorptr = ERR5;
+ return p;
+ }
+
+/* Read the maximum value if there is one, and again do a paranoid on its size.
+Also, max must not be less than min. */

 if (*p == '}') max = min; else
   {
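Review bot: the new test `+if (min < 0 || min > 65535)` still relies on the signed overflow of `min = min * 10 + *p++ - '0'` producing a negative number, and the added comment (`a negative value indicates an integer overflow`) documents that reliance; signed overflow is undefined in C, so the `min < 0` half of the test may be optimised away, as Florian Weimer's reply in this thread warns. Move the bound into the loop (return with ERR5 as soon as the next digit would take `min` past 65535) so the value can never reach the overflow range. Also, the second new comment reads `do a paranoid on its size`; the word `check` is missing.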
@@ -1055,6 +1066,11 @@
     {
     max = 0;
     while((digitab[*p] & ctype_digit) != 0) max = max * 10 + *p++ - '0';
+ if (max < 0 || max > 65535)
+ {
+ *errorptr = ERR5;
+ return p;
+ }
     if (max < min)
       {
       *errorptr = ERR4;
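Review bot: `+ if (max < 0 || max > 65535)` repeats the post-hoc sign test from the `min` path with the same undefined-behaviour caveat; since the two digit-reading loops are identical apart from the variable, a single bounded helper that reads one count and fails as soon as it passes 65535 would remove both sign tests and keep the two paths from drifting apart. The ordering is otherwise right: the size check must come before `if (max < min)`, and it does here.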
@@ -1063,16 +1079,11 @@
     }
   }

-/* Do paranoid checks, then fill in the required variables, and pass back the
-pointer to the terminating '}'. */
+/* Fill in the required variables, and pass back the pointer to the terminating
+'}'. */

-if (min > 65535 || max > 65535)
- *errorptr = ERR5;
-else
- {
- *minp = min;
- *maxp = max;
- }
+*minp = min;
+*maxp = max;
 return p;
 }
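Review bot: deleting the old combined `if (min > 65535 || max > 65535)` guard is only safe because both new checks earlier in the function `return p` with `*errorptr` set and leave `*minp` and `*maxp` untouched, exactly as the old else-branch did; that contract is now spread across three places, so the replacement comment `Fill in the required variables` should state that every range error has already returned by this point. Behaviour for `{n,}` is unchanged: `max` stays -1 and, as before, never meets a size test.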

Attachment: pcre3-5.0-CAN2005-2491.diff

diff -ur pcre3-5.0.orig/pcre.c pcre3-5.0/pcre.c
--- pcre3-5.0.orig/pcre.c 2004-09-13 16:20:00.000000000 +0200
+++ pcre3-5.0/pcre.c 2005-08-24 15:10:28.346633583 +0200
@@ -1245,7...


Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Wed, 24 Aug 2005 15:27:20 +0200
From: Martin Pitt <email address hidden>
To: <email address hidden>
Cc: <email address hidden>
Subject: PCRE3: CAN-2005-2491 for oldstable


Hi!

Since I have to fix apache2 2.0.50 for Ubuntu, which still has an
embedded pcre 3.x, I also took a look at the woody version. I took a
look at the code and played with the test suite, and it seems to me
that the capture part works ok; just the integer underflow must be
fixed:

--- pcre.c
+++ pcre.c
@@ -733,7 +733,7 @@
 /* Do paranoid checks, then fill in the required variables, and pass back the
 pointer to the terminating '}'. */

-if (min > 65535 || max > 65535)
+if (min < 0 || min > 65535 || max < 0 || max > 65535)
   *errorptr = ERR5;
 else
   {

However, it would be nice to have a second pair of eyes to confirm
that this version is not vulnerable to the capturing overflow.

Thanks,

Martin
--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntu.com
Debian Developer http://www.debian.org


Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Wed, 24 Aug 2005 15:49:34 +0200
From: Sven Mueller <email address hidden>
To: Martin Pitt <email address hidden>, <email address hidden>,
 <email address hidden>
Subject: Re: Bug#324531: pcre3: patch for CAN-2005-2491

Package pcre3
Tags 324531 +patch
thanks

Martin Pitt wrote on 24/08/2005 14:12:
> Here is the relevant change from pcre3 6.1-> 6.2, ported to 5.0:
>
> http://patches.ubuntu.com/patches/pcre3.CAN-2005-2491.diff

Hmm, didn't get that the capturing fix is also needed. But you are
right there.

Attached are the patches which also include that capture-related fix
(4.5 and 5.0). The patch to 3.4 doesn't include anything to that part,
since it doesn't seem vulnerable to the capturing problem (and uses a
different approach to capturing anyway).

I also didn't include the patches made to the testing suite of the
package, since they by themselves are not part of the security problem.

All three packages compile fine after the patches were applied.
Functionality also seems to be fine.

regards,
Sven

Attachment: pcre3-3.4-CAN2005-2491.diff

diff -ur pcre3-3.4.orig/pcre.c pcre3-3.4/pcre.c
--- pcre3-3.4.orig/pcre.c 2000-08-22 11:05:43.000000000 +0200
+++ pcre3-3.4/pcre.c 2005-08-24 15:16:05.140911310 +0200
@@ -711,7 +711,18 @@
 int min = 0;
 int max = -1;

+/* Read the minimum value and do a paranoid check: a negative value indicates
+an integer overflow. */
+
 while ((cd->ctypes[*p] & ctype_digit) != 0) min = min * 10 + *p++ - '0';
+if (min < 0 || min > 65535)
+ {
+ *errorptr = ERR5;
+ return p;
+ }
+
+/* Read the maximum value if there is one, and again do a paranoid on its size.
+Also, max must not be less than min. */

 if (*p == '}') max = min; else
   {
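
Review bot: the `+if (min < 0 || min > 65535)` check runs only after the `while` loop has already let `min` overflow a signed `int`; signed overflow is undefined in C, so the `min < 0` half may be optimised away and the `min > 65535` half may see a wrapped value. Move the limit test into the loop, before the `min = min * 10 + ...` step, so overflow cannot occur. Also, the added comment `do a paranoid on its size` is missing the word `check`.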
@@ -719,6 +730,11 @@
     {
     max = 0;
     while((cd->ctypes[*p] & ctype_digit) != 0) max = max * 10 + *p++ - '0';
+ if (max < 0 || max > 65535)
+ {
+ *errorptr = ERR5;
+ return p;
+ }
     if (max < min)
       {
       *errorptr = ERR4;
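
Review bot: same issue for `max`: `+ if (max < 0 || max > 65535)` is a post-overflow test on a signed `int` after the `while` loop has already accumulated the digits; bound the value inside the loop instead. The now-duplicated read-digits-then-check sequence for `min` and `max` would also be cleaner as one small helper.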
@@ -727,16 +743,11 @@
     }
   }

-/* Do paranoid checks, then fill in the required variables, and pass back the
-pointer to the terminating '}'. */
+/* Fill in the required variables, and pass back the pointer to the terminating
+'}'. */

-if (min > 65535 || max > 65535)
- *errorptr = ERR5;
-else
- {
- *minp = min;
- *maxp = max;
- }
+*minp = min;
+*maxp = max;
 return p;
 }
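
Review bot: dropping the combined `-if (min > 65535 || max > 65535)` check is sound only because every earlier path now validates or returns early: the `{n}` form copies an already-checked `min` into `max` (`if (*p == '}') max = min;`), and the `{n,}` form leaves `max` at its initial -1, which the old test also accepted. Worth stating that in the replacement comment so a later reader does not re-add the check or wonder why -1 passes.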

Attachment: pcre3-4.5-CAN2005-2491.diff

diff -ur pcre3-4.5.orig/pcre.c pcre3-4.5/pcre.c
--- pcre3-4.5.orig/pcre.c 2003-12-10 17:45:44.000000000 +0100
+++ pcre3-4.5/pcre.c 2005-08-24 15:25:17.580242557 +0200
@@ -1047,7 +1047,18 @@
 int min = 0;
 int max = -1;

+/* Read the minimum value and do a paranoid check: a negative value indicates
+an integer overflow. *...

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Wed, 24 Aug 2005 15:51:07 +0200
From: Sven Mueller <email address hidden>
To: <email address hidden>
Subject: Bug#324531 also found in oldstable

Package pcre3
found 324531 3.4-1.1
thanks

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Wed, 24 Aug 2005 20:08:24 +0200
From: Martin Schulze <email address hidden>
To: <email address hidden>, <email address hidden>
Subject: Re: pcre3: patch for CAN-2005-2491

Martin Pitt wrote:
> Hi!
>
> Here is the relevant change from pcre3 6.1-> 6.2, ported to 5.0:
>
> http://patches.ubuntu.com/patches/pcre3.CAN-2005-2491.diff

Patch originally sent by Marcus Meissner from SuSE.

Regards,

 Joey

--
It's time to close the windows.

Please always Cc to me when replying to me on the lists.

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Wed, 24 Aug 2005 21:04:50 +0200
From: Martin Schulze <email address hidden>
To: Martin Pitt <email address hidden>
Cc: <email address hidden>, <email address hidden>
Subject: Re: PCRE3: CAN-2005-2491 for oldstable

Martin Pitt wrote:
> Hi!
>
> Since I have to fix apache2 2.0.50 for Ubuntu, which still has an
> embedded pcre 3.x, I also took a look at the woody version. I took a
> look at the code and played with the test suite, and it seems to me
> that the capture part works ok; just the integer underflow must be
> fixed:
>
> --- pcre.c
> +++ pcre.c
> @@ -733,7 +733,7 @@
> /* Do paranoid checks, then fill in the required variables, and pass back the
> pointer to the terminating '}'. */
>
> -if (min > 65535 || max > 65535)
> +if (min < 0 || min > 65535 || max < 0 || max > 65535)
> *errorptr = ERR5;
> else
> {
>
> However, it would be nice to have a second pair of eyes to confirm
> that this version is not vulnerable to the capturing overflow.

Confirmed. Named subpatterns are not available in the 3.* version,
so they don't need to be fixed.

Regards,

 Joey

--
It's time to close the windows.

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Wed, 24 Aug 2005 22:18:34 +0200
From: Florian Weimer <email address hidden>
To: Sven Mueller <email address hidden>
Cc: <email address hidden>, Stefan Fritsch <email address hidden>
Subject: Re: Bug#324531: pcre3: CAN-2005-2491

* Sven Mueller:

> +/* Read the minimum value and do a paranoid check: a negative value indicates
> +an integer overflow. */
> +
> while ((digitab[*p] & ctype_digit) != 0) min = min * 10 + *p++ - '0';
> +if (min < 0 || min > 65535)

This doesn't work. Signed integer overflow is undefined. Future GCC
versions are likely to detect that the "min < 0" test is superfluous as
a result, and will optimize it away.
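The overflow-safe form of the bound check that both Martin Pitt's woody patch and Sven's 3.4/4.5 patches approximate, and that Florian's objection calls for, as an added example rather than code from this thread or from PCRE: the 65535 limit is tested before each multiply-add, so no signed overflow ever happens and no "negative means overflow" test is needed. The function names, the BOUND_* codes standing in for ERR4/ERR5, and the two check helpers are assumptions of this example.

```c
#include <ctype.h>
/* Stand-ins for PCRE's ERR4/ERR5 (hypothetical names) and its 65535 limit. */
enum { BOUND_OK = 0, BOUND_ERR4 = 4, BOUND_ERR5 = 5, BOUND_MALFORMED = -1 };
#define BOUND_MAX 65535

/* Accumulate digits from *pp into *out, testing the limit BEFORE each
   multiply-add so the value can never overflow. A post-hoc "v < 0" test, as
   in the patches, relies on signed overflow, which is undefined in C and
   may be optimised away. Returns 0 on success, -1 if the number is too big. */
static int read_bounded(const unsigned char **pp, int *out)
{
    const unsigned char *p = *pp;
    int v = 0;
    while (isdigit(*p)) {
        int d = *p - '0';
        if (v > (BOUND_MAX - d) / 10) return -1; /* v*10+d would exceed limit */
        v = v * 10 + d;
        p++;
    }
    *pp = p;
    *out = v;
    return 0;
}
/* Parse the body of "{min}", "{min,}" or "{min,max}", s pointing just past
   '{'. Stores the bounds (max == -1 means unbounded) and returns BOUND_OK,
   else an error code with the bounds left untouched. */
int parse_repeat_bounds(const char *s, int *minp, int *maxp)
{
    const unsigned char *p = (const unsigned char *)s;
    int min, max = -1;
    if (read_bounded(&p, &min) != 0) return BOUND_ERR5;
    if (*p == ',') {
        p++;
        if (*p != '}') {
            if (read_bounded(&p, &max) != 0) return BOUND_ERR5;
            if (max < min) return BOUND_ERR4;
        }
    } else {
        max = min;
    }
    if (*p != '}') return BOUND_MALFORMED;
    *minp = min;
    *maxp = max;
    return BOUND_OK;
}
/* Check helpers: the status code for s, and whether s yields exactly emin/emax. */
int bounds_status(const char *s) { int mn, mx; return parse_repeat_bounds(s, &mn, &mx); }
int bounds_are(const char *s, int emin, int emax)
{ int mn, mx; return parse_repeat_bounds(s, &mn, &mx) == BOUND_OK && mn == emin && mx == emax; }
```

A 20-digit count such as "99999999999999999999}" is rejected with BOUND_ERR5 on the fifth digit, long before any value that could wrap an `int` is formed.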

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Sat, 27 Aug 2005 10:47:07 -0700
From: Mark Baker <email address hidden>
To: <email address hidden>
Subject: Bug#324531: fixed in pcre3 6.3-1

Source: pcre3
Source-Version: 6.3-1

We believe that the bug you reported is fixed in the latest version of
pcre3, which is due to be installed in the Debian FTP archive:

libpcre3-dev_6.3-1_i386.deb
  to pool/main/p/pcre3/libpcre3-dev_6.3-1_i386.deb
libpcre3_6.3-1_i386.deb
  to pool/main/p/pcre3/libpcre3_6.3-1_i386.deb
pcre3_6.3-1.diff.gz
  to pool/main/p/pcre3/pcre3_6.3-1.diff.gz
pcre3_6.3-1.dsc
  to pool/main/p/pcre3/pcre3_6.3-1.dsc
pcre3_6.3.orig.tar.gz
  to pool/main/p/pcre3/pcre3_6.3.orig.tar.gz
pcregrep_6.3-1_i386.deb
  to pool/main/p/pcre3/pcregrep_6.3-1_i386.deb
pgrep_6.3-1_all.deb
  to pool/main/p/pcre3/pgrep_6.3-1_all.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mark Baker <email address hidden> (supplier of updated pcre3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

Format: 1.7
Date: Sat, 27 Aug 2005 18:12:22 +0100
Source: pcre3
Binary: pcregrep libpcre3 pgrep libpcre3-dev
Architecture: source all i386
Version: 6.3-1
Distribution: unstable
Urgency: low
Maintainer: Mark Baker <email address hidden>
Changed-By: Mark Baker <email address hidden>
Description:
 libpcre3 - Perl 5 Compatible Regular Expression Library - runtime files
 libpcre3-dev - Perl 5 Compatible Regular Expression Library - development files
 pcregrep - grep utility that uses perl 5 compatible regexes.
 pgrep - Dummy package for transition to pcregrep
Closes: 309606 323761 324531
Changes:
 pcre3 (6.3-1) unstable; urgency=low
 .
   * New upstream release (Closes: 323761).
   * This includes fix to security issue CAN-2005-2491 (Closes: 324531)
 .
 pcre3 (5.0-1.1) unstable; urgency=low
 .
   * Non-maintainer upload.
   * Correct an alignment error in the pcretest.c test case, which was
     causing build failures on ia64 (closes: #309606).
Files:

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Thu, 01 Sep 2005 11:23:18 +0200
From: Daniel Tiefnig <email address hidden>
To: <email address hidden>
Subject: Re: Bug#324531: fixed in pcre3 6.3-1

Hej,

so how about libpcre in sarge? It's also affected, isn't it? The upload
to unstable won't fix that. Has the security team been contacted?

lg,
daniel

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Fri, 02 Sep 2005 16:06:03 +0200
From: Daniel Tiefnig <email address hidden>
To: <email address hidden>
Subject: Re: Bug#324531: fixed in pcre3 6.3-1

Daniel Tiefnig wrote:
> so how about libpcre in sarge?

Duh, here it is now:
http://www.us.debian.org/security/2005/dsa-800

Thanks for catching this bug!

daniel
