Debians sikkerhedsbulletin

DSA-1399-1 pcre3 -- flere sårbarheder

Rapporteret den:
5. nov 2007
Berørte pakker:
pcre3
Sårbar:
Ja
Referencer i sikkerhedsdatabaser:
I Mitres CVE-ordbog: CVE-2007-1659, CVE-2007-1660, CVE-2007-1661, CVE-2007-1662, CVE-2007-4766, CVE-2007-4767, CVE-2007-4768.
Yderligere oplysninger:

Tavis Ormandy fra Google Security Team har opdaget flere sikkerhedsproblemer i PCRE, Perl-Compatible Regular Expression-biblioteket, hvilket potentielt kunne gøre det muligt for angribere at udføre vilkårlig kode ved at compile særligt fremstillede regulære udtryk.

Version 7.0 af PCRE-biblioteket indeholdt en større omskrivning af regulære udtryk-compileren, og det blev vurderet upraktisk at tilbageføre sikkerhedsrettelserne fra version 7.3 til versionerne i Debians stabile og gamle stable distributioner (6.7 hhv. 4.5). Derfor er denne opdatering baseret på version 7.4 (der indeholder sikkerhedsfejlrettelser fra version 7.3, samt flere rettede regressioner), med særlige rettelser til at forbedre kompatibiliteten med de ældre versioner. Man skal derfor være særlig omhyggelig når denne opdatering lægges på.

Projektet Common Vulnerabilities and Exposures har fundet frem til følgende problemer:

  • CVE-2007-1659

    Ikke-matchede \Q\E-sekvenser med forældreløse \E-koder kunne medføre at compilet regex blev afsynkroniseret, med ødelagt bytecode til følge, hvilket kunne give flere udnytbare situationer.

  • CVE-2007-1660

    Flere former for tegn-klasser havde fejlberegnede størrelser i de indledende gennemløb, medførende at for lidt hukommelse blev allokeret.

  • CVE-2007-1661

    Flere møstre på formen \X?\d eller \P{L}?\d i ikke-UTF-8-tilstand kunne springe tilbage til før begyndelsen af strengen, muligvis lækkende oplysninger fra adresserummet, eller forårsagende et nedbrud ved at læse uden for grænserne.

  • CVE-2007-1662

    En antal rutiner kunne narres til at læse ud over slutningen af en streng, ved søgning efter ikke-matchede parenteser eller klammer, medførende et lammelsesangreb (denial of service).

  • CVE-2007-4766

    Flere heltalsoverløb i behandlingen af escape-sekvenser kunne medføre heap-overløb eller læsning/skrivning uden for grænserne.

  • CVE-2007-4767

    Flere uendelige løkker og heap-overløb blev opdaget i hånteringen af sekvenser med \P og \P{x}, hvor længden af disse ikke-standard handlinger blev håndteret ukorrekt.

  • CVE-2007-4768

    Tegn-klasser indeholdende en enlig unicode-sekevens blev optimeret på forkert vis, medførende heap-overløb.

I den gamle stabile distribution (sarge), er disse problemer rettet i version 4.5+7.4-1.

I den stabile distribution (etch), er disse problemer rettet i version 6.7+7.4-2.

I den ustabile distribution (sid), er disse problemer rettet i version 7.3-1.

Rettet i:

Debian GNU/Linux 3.1 (sarge)

Kildekode:
http://security.debian.org/pool/updates/main/p/pcre3/pcre3_4.5+7.4-1.dsc
http://security.debian.org/pool/updates/main/p/pcre3/pcre3_4.5+7.4-1.diff.gz
http://security.debian.org/pool/updates/main/p/pcre3/pcre3_4.5+7.4.orig.tar.gz
Arkitekturuafhængig komponent:
http://security.debian.org/pool/updates/main/p/pcre3/pgrep_4.5+7.4-1_all.deb
Alpha:
http://security.debian.org/pool/updates/main/p/pcre3/libpcre3-dev_4.5+7.4-1_alpha.deb
http://security.debian.org/pool/updates/main/p/pcre3/libpcre3_4.5+7.4-1_alpha.deb
http://security.debian.org/pool/updates/main/p/pcre3/pcregrep_4.5+7.4-1_alpha.deb
ARM:
http://security.debian.org/pool/updates/main/p/pcre3/libpcre3-dev_4.5+7.4-1_arm.deb
http://security.debian.org/pool/updates/main/p/pcre3/pcregrep_4.5+7.4-1_arm.deb
http://security.debian.org/pool/updates/main/p/pcre3/libpcre3_4.5+7.4-1_arm.deb
HP Precision:
http://security.debian.org/pool/updates/main/p/pcre3/libpcre3-dev_4.5+7.4-1_hppa.deb
http://security.debian.org/pool/updates/main/p/pcre3/pcregrep_4.5+7.4-1_hppa.deb
http://security.debian.org/pool/updates/main/p/pcre3/libpcre3_4.5+7.4-1_hppa.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/p/pcre3/libpcre3-dev_4.5+7.4-1_i386.deb
http://security.debian.org/pool/updates/main/p/pcre3/libpcre3_4.5+7.4-1_i386.deb
http://security.debian.org/pool/updates/main/p/pcre3/pcregrep_4.5+7.4-1_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/p/pcre3/libpcre3-dev_4.5+7.4-1_ia64.deb
http://security.debian.org/pool/updates/main/p/pcre3/pcregrep_4.5+7.4-1_ia64.deb
http://security.debian.org/pool/updates/main/p/pcre3/libpcre3_4.5+7.4-1_ia64.deb
Motorola 680x0:
http://security.debian.org/pool/updates/main/p/pcre3/libpcre3_4.5+7.4-1_m68k.deb
http://security.debian.org/pool/updates/main/p/pcre3/pcregrep_4.5+7.4-1_m68k.deb
http://security.debian.org/pool/updates/main/p/pcre3/libpcre3-dev_4.5+7.4-1_m68k.deb
Big-endian MIPS:
http://security.debian.org/pool/updates/main/p/pcre3/libpcre3_4.5+7.4-1_mips.deb
http://security.debian.org/pool/updates/main/p/pcre3/libpcre3-dev_4.5+7.4-1_mips.deb
http://security.debian.org/pool/updates/main/p/pcre3/pcregrep_4.5+7.4-1_mips.deb
Little-endian MIPS:
http://security.debian.org/pool/updates/main/p/pcre3/pcregrep_4.5+7.4-1_mipsel.deb
http://security.debian.org/pool/updates/main/p/pcre3/libpcre3-dev_4.5+7.4-1_mipsel.deb
http://security.debian.org/pool/updates/main/p/pcre3/libpcre3_4.5+7.4-1_mipsel.deb
PowerPC:
http://security.debian.org/pool/updates/main/p/pcre3/libpcre3_4.5+7.4-1_powerpc.deb
http://security.debian.org/pool/updates/main/p/pcre3/pcregrep_4.5+7.4-1_powerpc.deb
http://security.debian.org/pool/updates/main/p/pcre3/libpcre3-dev_4.5+7.4-1_powerpc.deb
IBM S/390:
http://security.debian.org/pool/updates/main/p/pcre3/libpcre3-dev_4.5+7.4-1_s390.deb
http://security.debian.org/pool/updates/main/p/pcre3/pcregrep_4.5+7.4-1_s390.deb
http://security.debian.org/pool/updates/main/p/pcre3/libpcre3_4.5+7.4-1_s390.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/p/pcre3/libpcre3_4.5+7.4-1_sparc.deb
http://security.debian.org/pool/updates/main/p/pcre3/libpcre3-dev_4.5+7.4-1_sparc.deb
http://security.debian.org/pool/updates/main/p/pcre3/pcregrep_4.5+7.4-1_sparc.deb

Debian GNU/Linux 4.0 (etch)

Kildekode:
http://security.debian.org/pool/updates/main/p/pcre3/pcre3_6.7+7.4-2.diff.gz
http://security.debian.org/pool/updates/main/p/pcre3/pcre3_6.7+7.4-2.dsc
http://security.debian.org/pool/updates/main/p/pcre3/pcre3_6.7+7.4.orig.tar.gz
Alpha:
http://security.debian.org/pool/updates/main/p/pcre3/libpcrecpp0_6.7+7.4-2_alpha.deb
http://security.debian.org/pool/updates/main/p/pcre3/libpcre3-dev_6.7+7.4-2_alpha.deb
http://security.debian.org/pool/updates/main/p/pcre3/pcregrep_6.7+7.4-2_alpha.deb
http://security.debian.org/pool/updates/main/p/pcre3/libpcre3_6.7+7.4-2_alpha.deb
AMD64:
http://security.debian.org/pool/updates/main/p/pcre3/libpcrecpp0_6.7+7.4-2_amd64.deb
http://security.debian.org/pool/updates/main/p/pcre3/pcregrep_6.7+7.4-2_amd64.deb
http://security.debian.org/pool/updates/main/p/pcre3/libpcre3_6.7+7.4-2_amd64.deb
http://security.debian.org/pool/updates/main/p/pcre3/libpcre3-dev_6.7+7.4-2_amd64.deb
ARM:
http://security.debian.org/pool/updates/main/p/pcre3/libpcrecpp0_6.7+7.4-2_arm.deb
http://security.debian.org/pool/updates/main/p/pcre3/libpcre3_6.7+7.4-2_arm.deb
http://security.debian.org/pool/updates/main/p/pcre3/libpcre3-dev_6.7+7.4-2_arm.deb
http://security.debian.org/pool/updates/main/p/pcre3/pcregrep_6.7+7.4-2_arm.deb
HP Precision:
http://security.debian.org/pool/updates/main/p/pcre3/libpcre3-dev_6.7+7.4-2_hppa.deb
http://security.debian.org/pool/updates/main/p/pcre3/libpcrecpp0_6.7+7.4-2_hppa.deb
http://security.debian.org/pool/updates/main/p/pcre3/pcregrep_6.7+7.4-2_hppa.deb
http://security.debian.org/pool/updates/main/p/pcre3/libpcre3_6.7+7.4-2_hppa.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/p/pcre3/libpcre3-dev_6.7+7.4-2_i386.deb
http://security.debian.org/pool/updates/main/p/pcre3/libpcrecpp0_6.7+7.4-2_i386.deb
http://security.debian.org/pool/updates/main/p/pcre3/libpcre3_6.7+7.4-2_i386.deb
http://security.debian.org/pool/updates/main/p/pcre3/pcregrep_6.7+7.4-2_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/p/pcre3/pcregrep_6.7+7.4-2_ia64.deb
http://security.debian.org/pool/updates/main/p/pcre3/libpcre3_6.7+7.4-2_ia64.deb
http://security.debian.org/pool/updates/main/p/pcre3/libpcrecpp0_6.7+7.4-2_ia64.deb
http://security.debian.org/pool/updates/main/p/pcre3/libpcre3-dev_6.7+7.4-2_ia64.deb
Big-endian MIPS:
http://security.debian.org/pool/updates/main/p/pcre3/pcregrep_6.7+7.4-2_mips.deb
http://security.debian.org/pool/updates/main/p/pcre3/libpcre3-dev_6.7+7.4-2_mips.deb
http://security.debian.org/pool/updates/main/p/pcre3/libpcre3_6.7+7.4-2_mips.deb
http://security.debian.org/pool/updates/main/p/pcre3/libpcrecpp0_6.7+7.4-2_mips.deb
Little-endian MIPS:
http://security.debian.org/pool/updates/main/p/pcre3/libpcre3-dev_6.7+7.4-2_mipsel.deb
http://security.debian.org/pool/updates/main/p/pcre3/libpcrecpp0_6.7+7.4-2_mipsel.deb
http://security.debian.org/pool/updates/main/p/pcre3/libpcre3_6.7+7.4-2_mipsel.deb
http://security.debian.org/pool/updates/main/p/pcre3/pcregrep_6.7+7.4-2_mipsel.deb
PowerPC:
http://security.debian.org/pool/updates/main/p/pcre3/pcregrep_6.7+7.4-2_powerpc.deb
http://security.debian.org/pool/updates/main/p/pcre3/libpcre3_6.7+7.4-2_powerpc.deb
http://security.debian.org/pool/updates/main/p/pcre3/libpcre3-dev_6.7+7.4-2_powerpc.deb
http://security.debian.org/pool/updates/main/p/pcre3/libpcrecpp0_6.7+7.4-2_powerpc.deb
IBM S/390:
http://security.debian.org/pool/updates/main/p/pcre3/pcregrep_6.7+7.4-2_s390.deb
http://security.debian.org/pool/updates/main/p/pcre3/libpcre3-dev_6.7+7.4-2_s390.deb
http://security.debian.org/pool/updates/main/p/pcre3/libpcrecpp0_6.7+7.4-2_s390.deb
http://security.debian.org/pool/updates/main/p/pcre3/libpcre3_6.7+7.4-2_s390.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/p/pcre3/pcregrep_6.7+7.4-2_sparc.deb
http://security.debian.org/pool/updates/main/p/pcre3/libpcre3_6.7+7.4-2_sparc.deb
http://security.debian.org/pool/updates/main/p/pcre3/libpcre3-dev_6.7+7.4-2_sparc.deb
http://security.debian.org/pool/updates/main/p/pcre3/libpcrecpp0_6.7+7.4-2_sparc.deb

MD5-kontrolsummer for de listede filer findes i den originale sikkerhedsbulletin.