headers
Andy Wright | 22 Feb 20:22

libpre3 stack overflow

Their is a security update for libpre3 and devel packages for Ubuntu
Server 6.06:

Version 7.4-0ubuntu0.7.04.2: 

  * SECURITY UPDATE: stack overflow when handling long UTF8 strings.
  * pcre_compile.c, testdata/test{in,out}put4: upstream changes from 7.6
    backported, thanks to Tomas Hoger and Florian Weimer.
  * References
    CVE-2008-0674

I compile lighttpd from source, should I be overly concerned with the
previous build without this fix?
--

-- 
                                   ___________________________________
Andy Wright                                  andy.wright <at> extracted.org
IT/IS Professional                         For public and private use.
IT/IS Forum # (608)554-0030 VM                         KEY ID 7CECF855 
Open Forum Skype: extracted              http://7cecf855.extracted.org    
Thanks BB, "water is wet"
                                    ALTERNATIVE: andy.wright <at> yahoo.com
                                   ___________________________________
Permalink | Reply |
headers
Christian Hoffmann | 22 Feb 20:31

Re: libpre3 stack overflow

On 2008-02-22 20:25, Andy Wright wrote:
> Their is a security update for libpre3 and devel packages for Ubuntu
> Server 6.06:
> 
> Version 7.4-0ubuntu0.7.04.2: 
> 
>   * SECURITY UPDATE: stack overflow when handling long UTF8 strings.
>   * pcre_compile.c, testdata/test{in,out}put4: upstream changes from 7.6
>     backported, thanks to Tomas Hoger and Florian Weimer.
>   * References
>     CVE-2008-0674
> 
> I compile lighttpd from source, should I be overly concerned with the
> previous build without this fix?
No, updating the system pcre library is sufficient, usually. It would 
only be a problem if you created a static lighttpd executable (which is 
non-default and does not really make sense for normal systems).

In this special case, the vulnerability is not a problem for lighttpd 
anyway -- lighty uses regular expressions in mod_re{write,direct} and =~ 
conditionals. In all those cases the patterns are created by you (and 
not by a possibly malicious user), but for successful exploitation of 
this vulnerability the attacker needs access to the patterrn.

It's PCRE and not PRE btw ;)

--

-- 
Christian Hoffmann
(Continue reading)

Permalink | Reply |
headers
Andy Wright | 22 Feb 21:07

Re: libpre3 stack overflow

On Fri, 2008-02-22 at 20:31 +0100, Christian Hoffmann wrote:
> On 2008-02-22 20:25, Andy Wright wrote:
> > Their is a security update for libpre3 and devel packages for Ubuntu
> > Server 6.06:
> > 
> > Version 7.4-0ubuntu0.7.04.2: 
> > 
> >   * SECURITY UPDATE: stack overflow when handling long UTF8 strings.
> >   * pcre_compile.c, testdata/test{in,out}put4: upstream changes from 7.6
> >     backported, thanks to Tomas Hoger and Florian Weimer.
> >   * References
> >     CVE-2008-0674
> > 
> > I compile lighttpd from source, should I be overly concerned with the
> > previous build without this fix?
> No, updating the system pcre library is sufficient, usually. It would 
> only be a problem if you created a static lighttpd executable (which is 
> non-default and does not really make sense for normal systems).
> 
> In this special case, the vulnerability is not a problem for lighttpd 
> anyway -- lighty uses regular expressions in mod_re{write,direct} and =~ 
> conditionals. In all those cases the patterns are created by you (and 
> not by a possibly malicious user), but for successful exploitation of 
> this vulnerability the attacker needs access to the patterrn.
> 
> It's PCRE and not PRE btw ;)
> 

I seam to be seeing double on this mailing list.  My eyes just needed to
adjust.  That's my excuse! :-D
(Continue reading)

Permalink | Reply |

Gmane