From 47cd5f07e0f7928f7514a2cdac997c5b4bf0dc50 Mon Sep 17 00:00:00 2001
From: Aldas Nabazas
Date: Sat, 16 Feb 2008 18:47:26 +0100
Subject: [PATCH] Updated pcre (7.2 -> 7.6) : SECURITY - CRITICAL

CVE-2007-1659 (Medium) : Perl-Compatible Regular Expression (PCRE) library before 7.3 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via regex patterns containing unmatched "\Q\E" sequences with orphan "\E" codes.

CVE-2007-1660 (Medium) : Perl-Compatible Regular Expression (PCRE) library before 7.3 does not properly calculate sizes for unspecified "multiple forms of character class", which triggers a buffer overflow that allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code.

CVE-2007-1661 (Medium) : Perl-Compatible Regular Expression (PCRE) library before 7.3 backtracks too far when matching certain input bytes against some regex patterns in non-UTF-8 mode, which allows context-dependent attackers to obtain sensitive information or cause a denial of service (crash), as demonstrated by the "\X?\d" and "\P{L}?\d" patterns.

CVE-2007-1662 (Medium) : Perl-Compatible Regular Expression (PCRE) library before 7.3 reads past the end of the string when searching for unmatched brackets and parentheses, which allows context-dependent attackers to cause a denial of service (crash), possibly involving forward references.

CVE-2007-4766 (High) : Multiple integer overflows in Perl-Compatible Regular Expression (PCRE) library before 7.3 allow context-dependent attackers to cause a denial of service (crash) or execute arbitrary code via unspecified escape (backslash) sequences.

CVE-2007-4767 (Medium) : Perl-Compatible Regular Expression (PCRE) library before 7.3 does not properly compute the length of (1) a \p sequence, (2) a \P sequence, or (3) a \P{x} sequence, which allows context-dependent attackers to cause a denial of service (infinite loop or crash) or execute arbitrary code.

CVE-2007-4768 (Medium) : Heap-based buffer overflow in Perl-Compatible Regular Expression (PCRE) library before 7.3 allows context-dependent attackers to execute arbitrary code via a singleton Unicode sequence in a character class in a regex pattern, which is incorrectly optimized.

--- base/pcre/pcre.desc | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/base/pcre/pcre.desc b/base/pcre/pcre.desc index 767dc3aa5..e3d87d210 100644 --- a/base/pcre/pcre.desc +++ b/base/pcre/pcre.desc @@ -3,7 +3,7 @@ [COPY] This copyright note is auto-generated by ./scripts/Create-CopyPatch. [COPY] [COPY] Filename: package/.../pcre/pcre.desc -[COPY] Copyright (C) 2006 - 2007 The OpenSDE Project +[COPY] Copyright (C) 2006 - 2008 The OpenSDE Project [COPY] Copyright (C) 2004 - 2006 The T2 SDE Project [COPY] Copyright (C) 1998 - 2003 Clifford Wolf [COPY] @@ -32,12 +32,12 @@ [M] The OpenSDE Community [C] base/library -[F] LIBTOOL-QUIRK NOPARALLEL +[F] NOPARALLEL [L] BSD [S] Stable -[V] 7.2 +[V] 7.6 [P] X -----5---9 110.000 -[D] 1461738484 pcre-7.2.tar.bz2 ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/ +[D] 2677790569 pcre-7.6.tar.bz2 ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/
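Review bot: the second hunk (`@@ -32,12 +32,12 @@`) drops `LIBTOOL-QUIRK` from the `[F]` line (`-[F] LIBTOOL-QUIRK NOPARALLEL` / `+[F] NOPARALLEL`) while the commit message only describes the version bump and the CVEs it closes; please state in the message why the quirk is no longer needed with 7.6 so the build-flag change is traceable on its own. On the `[D]` line, the new value `2677790569` for `pcre-7.6.tar.bz2` appears to be a 32-bit checksum of the kind `cksum` produces, which guards against a corrupted download but not against a substituted tarball fetched over plain FTP from `ftp.csx.cam.ac.uk`; for a security-motivated update it is worth recording how the 7.6 archive was verified against upstream's published signature or hash before this checksum was recorded. The `[V] 7.2` to `[V] 7.6` change itself is consistent with the subject line and covers all seven listed CVEs, each of which is described as affecting versions before 7.3.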