Debians sikkerhedsbulletin

DSA-1399-1 pcre3 -- flere sårbarheder

Rapporteret den:

5. nov 2007

Berørte pakker:

Sårbar:

Referencer i sikkerhedsdatabaser:

I Mitres CVE-ordbog: CVE-2007-1659, CVE-2007-1660, CVE-2007-1661, CVE-2007-1662, CVE-2007-4766, CVE-2007-4767, CVE-2007-4768.

Yderligere oplysninger:

Tavis Ormandy fra Google Security Team har opdaget flere sikkerhedsproblemer i PCRE, Perl-Compatible Regular Expression-biblioteket, hvilket potentielt kunne gøre det muligt for angribere at udføre vilkårlig kode ved at compile særligt fremstillede regulære udtryk.

Version 7.0 af PCRE-biblioteket indeholdt en større omskrivning af regulære udtryk-compileren, og det blev vurderet upraktisk at tilbageføre sikkerhedsrettelserne fra version 7.3 til versionerne i Debians stabile og gamle stable distributioner (6.7 hhv. 4.5). Derfor er denne opdatering baseret på version 7.4 (der indeholder sikkerhedsfejlrettelser fra version 7.3, samt flere rettede regressioner), med særlige rettelser til at forbedre kompatibiliteten med de ældre versioner. Man skal derfor være særlig omhyggelig når denne opdatering lægges på.

Projektet Common Vulnerabilities and Exposures har fundet frem til følgende problemer:

CVE-2007-1659
Ikke-matchede \Q\E-sekvenser med forældreløse \E-koder kunne medføre at compilet regex blev afsynkroniseret, med ødelagt bytecode til følge, hvilket kunne give flere udnytbare situationer.
CVE-2007-1660
Flere former for tegn-klasser havde fejlberegnede størrelser i de indledende gennemløb, medførende at for lidt hukommelse blev allokeret.
CVE-2007-1661
Flere møstre på formen \X?\d eller \P{L}?\d i ikke-UTF-8-tilstand kunne springe tilbage til før begyndelsen af strengen, muligvis lækkende oplysninger fra adresserummet, eller forårsagende et nedbrud ved at læse uden for grænserne.
CVE-2007-1662
En antal rutiner kunne narres til at læse ud over slutningen af en streng, ved søgning efter ikke-matchede parenteser eller klammer, medførende et lammelsesangreb (denial of service).
CVE-2007-4766
Flere heltalsoverløb i behandlingen af escape-sekvenser kunne medføre heap-overløb eller læsning/skrivning uden for grænserne.
CVE-2007-4767
Flere uendelige løkker og heap-overløb blev opdaget i hånteringen af sekvenser med \P og \P{x}, hvor længden af disse ikke-standard handlinger blev håndteret ukorrekt.
CVE-2007-4768
Tegn-klasser indeholdende en enlig unicode-sekevens blev optimeret på forkert vis, medførende heap-overløb.

I den gamle stabile distribution (sarge), er disse problemer rettet i version 4.5+7.4-1.

I den stabile distribution (etch), er disse problemer rettet i version 6.7+7.4-2.

I den ustabile distribution (sid), er disse problemer rettet i version 7.3-1.

Rettet i:

Debian GNU/Linux 3.1 (sarge)

Kildekode:: http://security.debian.org/pool/updates/main/p/pcre3/pcre3_4.5+7.4-1.dsc; http://security.debian.org/pool/updates/main/p/pcre3/pcre3_4.5+7.4-1.diff.gz; http://security.debian.org/pool/updates/main/p/pcre3/pcre3_4.5+7.4.orig.tar.gz
Arkitekturuafhængig komponent:: http://security.debian.org/pool/updates/main/p/pcre3/pgrep_4.5+7.4-1_all.deb
Alpha:: http://security.debian.org/pool/updates/main/p/pcre3/libpcre3-dev_4.5+7.4-1_alpha.deb; http://security.debian.org/pool/updates/main/p/pcre3/libpcre3_4.5+7.4-1_alpha.deb; http://security.debian.org/pool/updates/main/p/pcre3/pcregrep_4.5+7.4-1_alpha.deb
ARM:: http://security.debian.org/pool/updates/main/p/pcre3/libpcre3-dev_4.5+7.4-1_arm.deb; http://security.debian.org/pool/updates/main/p/pcre3/pcregrep_4.5+7.4-1_arm.deb; http://security.debian.org/pool/updates/main/p/pcre3/libpcre3_4.5+7.4-1_arm.deb
HP Precision:: http://security.debian.org/pool/updates/main/p/pcre3/libpcre3-dev_4.5+7.4-1_hppa.deb; http://security.debian.org/pool/updates/main/p/pcre3/pcregrep_4.5+7.4-1_hppa.deb; http://security.debian.org/pool/updates/main/p/pcre3/libpcre3_4.5+7.4-1_hppa.deb
Intel IA-32:: http://security.debian.org/pool/updates/main/p/pcre3/libpcre3-dev_4.5+7.4-1_i386.deb; http://security.debian.org/pool/updates/main/p/pcre3/libpcre3_4.5+7.4-1_i386.deb; http://security.debian.org/pool/updates/main/p/pcre3/pcregrep_4.5+7.4-1_i386.deb
Intel IA-64:: http://security.debian.org/pool/updates/main/p/pcre3/libpcre3-dev_4.5+7.4-1_ia64.deb; http://security.debian.org/pool/updates/main/p/pcre3/pcregrep_4.5+7.4-1_ia64.deb; http://security.debian.org/pool/updates/main/p/pcre3/libpcre3_4.5+7.4-1_ia64.deb
Motorola 680x0:: http://security.debian.org/pool/updates/main/p/pcre3/libpcre3_4.5+7.4-1_m68k.deb; http://security.debian.org/pool/updates/main/p/pcre3/pcregrep_4.5+7.4-1_m68k.deb; http://security.debian.org/pool/updates/main/p/pcre3/libpcre3-dev_4.5+7.4-1_m68k.deb
Big-endian MIPS:: http://security.debian.org/pool/updates/main/p/pcre3/libpcre3_4.5+7.4-1_mips.deb; http://security.debian.org/pool/updates/main/p/pcre3/libpcre3-dev_4.5+7.4-1_mips.deb; http://security.debian.org/pool/updates/main/p/pcre3/pcregrep_4.5+7.4-1_mips.deb
Little-endian MIPS:: http://security.debian.org/pool/updates/main/p/pcre3/pcregrep_4.5+7.4-1_mipsel.deb; http://security.debian.org/pool/updates/main/p/pcre3/libpcre3-dev_4.5+7.4-1_mipsel.deb; http://security.debian.org/pool/updates/main/p/pcre3/libpcre3_4.5+7.4-1_mipsel.deb
PowerPC:: http://security.debian.org/pool/updates/main/p/pcre3/libpcre3_4.5+7.4-1_powerpc.deb; http://security.debian.org/pool/updates/main/p/pcre3/pcregrep_4.5+7.4-1_powerpc.deb; http://security.debian.org/pool/updates/main/p/pcre3/libpcre3-dev_4.5+7.4-1_powerpc.deb
IBM S/390:: http://security.debian.org/pool/updates/main/p/pcre3/libpcre3-dev_4.5+7.4-1_s390.deb; http://security.debian.org/pool/updates/main/p/pcre3/pcregrep_4.5+7.4-1_s390.deb; http://security.debian.org/pool/updates/main/p/pcre3/libpcre3_4.5+7.4-1_s390.deb
Sun Sparc:: http://security.debian.org/pool/updates/main/p/pcre3/libpcre3_4.5+7.4-1_sparc.deb; http://security.debian.org/pool/updates/main/p/pcre3/libpcre3-dev_4.5+7.4-1_sparc.deb; http://security.debian.org/pool/updates/main/p/pcre3/pcregrep_4.5+7.4-1_sparc.deb

Debian GNU/Linux 4.0 (etch)

Kildekode:: http://security.debian.org/pool/updates/main/p/pcre3/pcre3_6.7+7.4-2.diff.gz; http://security.debian.org/pool/updates/main/p/pcre3/pcre3_6.7+7.4-2.dsc; http://security.debian.org/pool/updates/main/p/pcre3/pcre3_6.7+7.4.orig.tar.gz
Alpha:: http://security.debian.org/pool/updates/main/p/pcre3/libpcrecpp0_6.7+7.4-2_alpha.deb; http://security.debian.org/pool/updates/main/p/pcre3/libpcre3-dev_6.7+7.4-2_alpha.deb; http://security.debian.org/pool/updates/main/p/pcre3/pcregrep_6.7+7.4-2_alpha.deb; http://security.debian.org/pool/updates/main/p/pcre3/libpcre3_6.7+7.4-2_alpha.deb
AMD64:: http://security.debian.org/pool/updates/main/p/pcre3/libpcrecpp0_6.7+7.4-2_amd64.deb; http://security.debian.org/pool/updates/main/p/pcre3/pcregrep_6.7+7.4-2_amd64.deb; http://security.debian.org/pool/updates/main/p/pcre3/libpcre3_6.7+7.4-2_amd64.deb; http://security.debian.org/pool/updates/main/p/pcre3/libpcre3-dev_6.7+7.4-2_amd64.deb
ARM:: http://security.debian.org/pool/updates/main/p/pcre3/libpcrecpp0_6.7+7.4-2_arm.deb; http://security.debian.org/pool/updates/main/p/pcre3/libpcre3_6.7+7.4-2_arm.deb; http://security.debian.org/pool/updates/main/p/pcre3/libpcre3-dev_6.7+7.4-2_arm.deb; http://security.debian.org/pool/updates/main/p/pcre3/pcregrep_6.7+7.4-2_arm.deb
HP Precision:: http://security.debian.org/pool/updates/main/p/pcre3/libpcre3-dev_6.7+7.4-2_hppa.deb; http://security.debian.org/pool/updates/main/p/pcre3/libpcrecpp0_6.7+7.4-2_hppa.deb; http://security.debian.org/pool/updates/main/p/pcre3/pcregrep_6.7+7.4-2_hppa.deb; http://security.debian.org/pool/updates/main/p/pcre3/libpcre3_6.7+7.4-2_hppa.deb
Intel IA-32:: http://security.debian.org/pool/updates/main/p/pcre3/libpcre3-dev_6.7+7.4-2_i386.deb; http://security.debian.org/pool/updates/main/p/pcre3/libpcrecpp0_6.7+7.4-2_i386.deb; http://security.debian.org/pool/updates/main/p/pcre3/libpcre3_6.7+7.4-2_i386.deb; http://security.debian.org/pool/updates/main/p/pcre3/pcregrep_6.7+7.4-2_i386.deb
Intel IA-64:: http://security.debian.org/pool/updates/main/p/pcre3/pcregrep_6.7+7.4-2_ia64.deb; http://security.debian.org/pool/updates/main/p/pcre3/libpcre3_6.7+7.4-2_ia64.deb; http://security.debian.org/pool/updates/main/p/pcre3/libpcrecpp0_6.7+7.4-2_ia64.deb; http://security.debian.org/pool/updates/main/p/pcre3/libpcre3-dev_6.7+7.4-2_ia64.deb
Big-endian MIPS:: http://security.debian.org/pool/updates/main/p/pcre3/pcregrep_6.7+7.4-2_mips.deb; http://security.debian.org/pool/updates/main/p/pcre3/libpcre3-dev_6.7+7.4-2_mips.deb; http://security.debian.org/pool/updates/main/p/pcre3/libpcre3_6.7+7.4-2_mips.deb; http://security.debian.org/pool/updates/main/p/pcre3/libpcrecpp0_6.7+7.4-2_mips.deb
Little-endian MIPS:: http://security.debian.org/pool/updates/main/p/pcre3/libpcre3-dev_6.7+7.4-2_mipsel.deb; http://security.debian.org/pool/updates/main/p/pcre3/libpcrecpp0_6.7+7.4-2_mipsel.deb; http://security.debian.org/pool/updates/main/p/pcre3/libpcre3_6.7+7.4-2_mipsel.deb; http://security.debian.org/pool/updates/main/p/pcre3/pcregrep_6.7+7.4-2_mipsel.deb
PowerPC:: http://security.debian.org/pool/updates/main/p/pcre3/pcregrep_6.7+7.4-2_powerpc.deb; http://security.debian.org/pool/updates/main/p/pcre3/libpcre3_6.7+7.4-2_powerpc.deb; http://security.debian.org/pool/updates/main/p/pcre3/libpcre3-dev_6.7+7.4-2_powerpc.deb; http://security.debian.org/pool/updates/main/p/pcre3/libpcrecpp0_6.7+7.4-2_powerpc.deb
IBM S/390:: http://security.debian.org/pool/updates/main/p/pcre3/pcregrep_6.7+7.4-2_s390.deb; http://security.debian.org/pool/updates/main/p/pcre3/libpcre3-dev_6.7+7.4-2_s390.deb; http://security.debian.org/pool/updates/main/p/pcre3/libpcrecpp0_6.7+7.4-2_s390.deb; http://security.debian.org/pool/updates/main/p/pcre3/libpcre3_6.7+7.4-2_s390.deb
Sun Sparc:: http://security.debian.org/pool/updates/main/p/pcre3/pcregrep_6.7+7.4-2_sparc.deb; http://security.debian.org/pool/updates/main/p/pcre3/libpcre3_6.7+7.4-2_sparc.deb; http://security.debian.org/pool/updates/main/p/pcre3/libpcre3-dev_6.7+7.4-2_sparc.deb; http://security.debian.org/pool/updates/main/p/pcre3/libpcrecpp0_6.7+7.4-2_sparc.deb

MD5-kontrolsummer for de listede filer findes i den originale sikkerhedsbulletin.