English | Deutsch | Español | Português
 UserID:
 Passwd:
new user
 About:   Dedicated  | Advanced  | Standard  | Recurring  | No Risk  | Desktop  | Basic  | Single  | Security Seal  | FAQ
  Price/Feature Summary  | Order  | New Vulnerabilities  | Confidentiality  | Vulnerability Search
 Vulnerability   
Search   
    Search 90895 CVE descriptions
and 50192 test descriptions,
access 10,000+ cross references.
Tests   CVE   All  

Test ID:1.3.6.1.4.1.25623.1.0.58731
Category:Debian Local Security Checks
Title:Debian Security Advisory DSA 1399-1 (pcre3)
Summary:Debian Security Advisory DSA 1399-1 (pcre3)
Description:Description:
The remote host is missing an update to pcre3
announced via advisory DSA 1399-1.

Tavis Ormandy of the Google Security Team has discovered several
security issues in PCRE, the Perl-Compatible Regular Expression library,
which potentially allow attackers to execute arbitrary code by compiling
specially crafted regular expressions.

Version 7.0 of the PCRE library featured a major rewrite of the regular
expression compiler, and it was deemed infeasible to backport the
security fixes in version 7.3 to the versions in Debian's stable and
oldstable distributions (6.7 and 4.5, respectively). Therefore, this
update contains version 7.3, with special patches to improve the
compatibility with the older versions. As a result, extra care is
necessary when applying this update.

The Common Vulnerabilities and Exposures project identifies the
following problems:

CVE-2007-1659

Unmatched \Q\E sequences with orphan \E codes can cause the compiled
regex to become desynchronized, resulting in corrupt bytecode that may
result in multiple exploitable conditions.

CVE-2007-1660

Multiple forms of character class had their sizes miscalculated on
initial passes, resulting in too little memory being allocated.

CVE-2007-1661

Multiple patterns of the form \X?\d or \P{L}?\d in non-UTF-8 mode
could backtrack before the start of the string, possibly leaking
information from the address space, or causing a crash by reading out
of bounds.

CVE-2007-1662

A number of routines can be fooled into reading past the end of an
string looking for unmatched parentheses or brackets, resulting in a
denial of service.

CVE-2007-4766

Multiple integer overflows in the processing of escape sequences could
result in heap overflows or out of bounds reads/writes.

CVE-2007-4767

Multiple infinite loops and heap overflows were disovered in the
handling of \P and \P{x} sequences, where the length of these
non-standard operations was mishandled.

CVE-2007-4768

Character classes containing a lone unicode sequence were incorrectly
optimised, resulting in a heap overflow.

For the stable distribution (etch), these problems have been fixed in
version 6.7+7.4-2.

For the old stable distribution (sarge), these problems have been fixed in
version 4.5+7.4-1.

For the unstable distribution (sid), these problems have been fixed in
version 7.3-1.


Solution:
https://secure1.securityspace.com/smysecure/catid.html?in=DSA%201399-1

CVSS Score:
7.5

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2007-1659
Bugtraq: 20071106 rPSA-2007-0231-1 pcre (Google Search)
http://www.securityfocus.com/archive/1/archive/1/483357/100/0/threaded
Bugtraq: 20071112 FLEA-2007-0064-1 pcre (Google Search)
http://www.securityfocus.com/archive/1/archive/1/483579/100/0/threaded
http://mail.gnome.org/archives/gtk-devel-list/2007-November/msg00022.html
http://bugs.gentoo.org/show_bug.cgi?id=198976
http://lists.apple.com/archives/security-announce/2007/Dec/msg00002.html
http://lists.apple.com/archives/security-announce/2008/Mar/msg00001.html
Debian Security Information: DSA-1399 (Google Search)
http://www.debian.org/security/2007/dsa-1399
Debian Security Information: DSA-1570 (Google Search)
http://www.debian.org/security/2008/dsa-1570
https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00181.html
http://security.gentoo.org/glsa/glsa-200711-30.xml
http://security.gentoo.org/glsa/glsa-200801-02.xml
http://security.gentoo.org/glsa/glsa-200801-18.xml
http://security.gentoo.org/glsa/glsa-200801-19.xml
http://security.gentoo.org/glsa/glsa-200805-11.xml
http://www.mandriva.com/security/advisories?name=MDKSA-2007:211
http://www.mandriva.com/security/advisories?name=MDKSA-2007:212
http://www.mandriva.com/security/advisories?name=MDVSA-2008:030
http://www.redhat.com/support/errata/RHSA-2007-0967.html
http://www.redhat.com/support/errata/RHSA-2007-1068.html
SuSE Security Announcement: SUSE-SA:2007:062 (Google Search)
http://www.novell.com/linux/security/advisories/2007_62_pcre.html
SuSE Security Announcement: SUSE-SR:2007:025 (Google Search)
http://www.novell.com/linux/security/advisories/2007_25_sr.html
SuSE Security Announcement: SUSE-SA:2008:004 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2008-01/msg00006.html
http://www.ubuntulinux.org/support/documentation/usn/usn-547-1
Cert/CC Advisory: TA07-352A
http://www.us-cert.gov/cas/techalerts/TA07-352A.html
BugTraq ID: 26346
http://www.securityfocus.com/bid/26346
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:9725
http://www.vupen.com/english/advisories/2007/3725
http://www.vupen.com/english/advisories/2007/3790
http://www.vupen.com/english/advisories/2007/4238
http://www.vupen.com/english/advisories/2008/0924/references
http://securitytracker.com/id?1018895
http://secunia.com/advisories/27598
http://secunia.com/advisories/27538
http://secunia.com/advisories/27543
http://secunia.com/advisories/27547
http://secunia.com/advisories/27554
http://secunia.com/advisories/27741
http://secunia.com/advisories/27773
http://secunia.com/advisories/27697
http://secunia.com/advisories/28041
http://secunia.com/advisories/27965
http://secunia.com/advisories/28136
http://secunia.com/advisories/28406
http://secunia.com/advisories/28414
http://secunia.com/advisories/28658
http://secunia.com/advisories/28714
http://secunia.com/advisories/28720
http://secunia.com/advisories/29267
http://secunia.com/advisories/29420
http://secunia.com/advisories/30155
http://secunia.com/advisories/30219
http://secunia.com/advisories/30106
XForce ISS Database: pcre-regex-code-execution(38272)
http://xforce.iss.net/xforce/xfdb/38272
Common Vulnerability Exposure (CVE) ID: CVE-2007-1660
Bugtraq: 20080416 VMSA-2008-0007 Moderate Updated Service Console packages pcre, net-snmp, and OpenPegasus (Google Search)
http://www.securityfocus.com/archive/1/archive/1/490917/100/0/threaded
http://lists.vmware.com/pipermail/security-announce/2008/000014.html
http://www.mandriva.com/security/advisories?name=MDKSA-2007:213
http://www.redhat.com/support/errata/RHSA-2007-0968.html
http://www.redhat.com/support/errata/RHSA-2007-1063.html
http://www.redhat.com/support/errata/RHSA-2007-1065.html
http://www.redhat.com/support/errata/RHSA-2008-0546.html
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:10562
http://www.vupen.com/english/advisories/2008/1234/references
http://secunia.com/advisories/27862
http://secunia.com/advisories/27776
http://secunia.com/advisories/29785
http://secunia.com/advisories/31124
XForce ISS Database: pcre-character-class-dos(38273)
http://xforce.iss.net/xforce/xfdb/38273
Common Vulnerability Exposure (CVE) ID: CVE-2007-1661
XForce ISS Database: pcre-nonutf8-dos(38274)
http://xforce.iss.net/xforce/xfdb/38274
Common Vulnerability Exposure (CVE) ID: CVE-2007-1662
XForce ISS Database: pcre-unmatched-dos(38275)
http://xforce.iss.net/xforce/xfdb/38275
Common Vulnerability Exposure (CVE) ID: CVE-2007-4766
XForce ISS Database: pcre-escape-sequence-overflow(38276)
http://xforce.iss.net/xforce/xfdb/38276
Common Vulnerability Exposure (CVE) ID: CVE-2007-4767
XForce ISS Database: pcre-p-sequence-bo(38277)
http://xforce.iss.net/xforce/xfdb/38277
Common Vulnerability Exposure (CVE) ID: CVE-2007-4768
http://www.gentoo.org/security/en/glsa/glsa-200801-07.xml
http://www.redhat.com/support/errata/RHSA-2007-1126.html
http://sunsolve.sun.com/search/document.do?assetkey=1-26-238305-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-239286-1
SuSE Security Announcement: SUSE-SA:2007:069 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2007-12/msg00007.html
Cert/CC Advisory: TA07-355A
http://www.us-cert.gov/cas/techalerts/TA07-355A.html
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:9701
http://www.vupen.com/english/advisories/2007/4258
http://www.vupen.com/english/advisories/2008/1724/references
http://www.vupen.com/english/advisories/2008/1966/references
http://securitytracker.com/id?1019116
http://secunia.com/advisories/28157
http://secunia.com/advisories/28161
http://secunia.com/advisories/28570
http://secunia.com/advisories/28213
http://secunia.com/advisories/30507
http://secunia.com/advisories/30840
XForce ISS Database: pcre-class-unicode-bo(38278)
http://xforce.iss.net/xforce/xfdb/38278
CopyrightCopyright (c) 2007 E-Soft Inc. http://www.securityspace.com

This is only one of 50192 vulnerability tests in our test suite. Find out more about running a complete security audit.

To run a free test of this vulnerability against your system, register below.

New User Registration
Email:
UserID:
Passwd:
Please email me your monthly newsletters, informing the latest services, improvements & surveys.
Please email me a vulnerability test announcement whenever a new test is added.
   Privacy
Registered User Login
 
UserID:   
Passwd:  

 Forgot userid or passwd?
Email/Userid:




Home | About Us | Contact Us | Partner Programs | Developer APIs | Privacy | Mailing Lists | Abuse
Security Audits | Managed DNS | Network Monitoring | Site Analyzer | Internet Research Reports
Web Probe | Whois

© 1998-2016 E-Soft Inc. All rights reserved.