[Fwd: [SECURITY] [DSA 817-1] New python2.2 packages fix arbitrary code execution]
David Eisenstein
deisenst at gtw.net
Sat Sep 24 10:55:43 UTC 2005
On Thu, 22 Sep 2005, Jim Popovitch wrote:
> <<snip>>>
> If no one else responds with any data, I'll do some research and log any
> necessary bugs.
> -Jim P.
I think we're vulnerable to this in our distros.
From CAN-2005-2491:
"Integer overflow in pcre_compile.c in Perl Compatible Regular
Expressions (PCRE) before 6.2, as used in multiple products, allows
attackers to execute arbitrary code via quantifier values in regular
expressions, which leads to a heap-based buffer overflow."
* pcre library (FL bug already opened: Bugzilla # 168516):
Ref: Bugzilla 166330 (RHEL) - CAN-2005-2491 PCRE heap overflow
<https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=166330>
Ref: RHSA-2005:761 - Moderate: pcre security update
<http://rhn.redhat.com/errata/RHSA-2005-761.html>
Ref: FEDORA-2005-802, Fedora Core 3 Update: pcre-4.5-3.1.1.fc3
Notification at <http://tinyurl.com/ajafx>
Ref: FEDORA-2005-803, Fedora Core 4 Update: pcre-5.0-4.1.fc4
Notification at <http://tinyurl.com/cv94u>
Our affected Packages:
RH7.3: 265407 Apr 17 2002 pcre-3.9-2.src.rpm
RH9: 266725 Feb 24 2003 pcre-3.9-10.src.rpm
FC1: 346767 Oct 28 2003 pcre-4.4-1.src.rpm
FC2: 355225 May 06 2004 pcre-4.5-2.src.rpm
* python
Ref: Bugzilla 166335 (RHEL) - CAN-2005-2491 PCRE heap overflow
Ref: Bugzilla 168318 (FC3) - CAN-2005-2491 PCRE heap overflow
-- Looks like RH Security team is assessing Python's vulnerability
to this. Both Bugzilla items are still open.
-- FL already has Python Bugzilla, # 152897, for another issue.
Maybe we could fold this one in with it, if this is truly
a vulnerability.
Our potentially affected packages:
RH7.3 updates: 3296238 Feb 12 2003 python-1.5.2-43.73.src.rpm
RH7.3 updates: 6954498 Feb 12 2003 python2-2.2.2-11.7.3.src.rpm
RH9: 6968043 Feb 25 2003 python-2.2.2-26.src.rpm
FC1: 7008684 Jan 06 2004 python-2.2.3-7.src.rpm
FC2: 7503689 May 07 2004 python-2.3.3-6.src.rpm
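One mitigation that follows from the CAN-2005-2491 description quoted above is to refuse untrusted patterns whose brace quantifiers carry oversized repeat counts before they ever reach a not-yet-patched PCRE. The following is an added example, not code from this list post or from any of the pcre or python packages discussed; the 65535 cap is the maximum repeat count documented in PCRE's pcrepattern manual, not a value taken from this page.

```python
import re

# Cap on any quantifier bound we will accept from untrusted input.
# 65535 is PCRE's documented maximum repeat count, so anything larger
# is out of spec regardless of which PCRE release is installed.
MAX_REPEAT = 65535

# Matches a brace quantifier token {n}, {n,} or {n,m} at a given offset.
_QUANT_RE = re.compile(r'\{(\d+)(?:,(\d*))?\}')


def quantifier_bounds(pattern):
    """Return [(lo, hi), ...] for every brace quantifier in `pattern`.

    hi is None for an open-ended {n,}. Escaped braces and braces inside
    a character class are literals and are skipped.
    """
    bounds = []
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == '\\':            # skip the escaped character
            i += 2
        elif c == '[':           # skip to the end of the character class
            j = i + 1
            while j < n and pattern[j] != ']':
                j += 2 if pattern[j] == '\\' else 1
            i = j + 1
        elif c == '{':
            m = _QUANT_RE.match(pattern, i)
            if m:
                lo = int(m.group(1))
                hi_s = m.group(2)
                hi = lo if hi_s is None else (None if hi_s == '' else int(hi_s))
                bounds.append((lo, hi))
                i = m.end()
            else:
                i += 1           # a bare '{' that is not a quantifier
        else:
            i += 1
    return bounds


def check_pattern(pattern, max_repeat=MAX_REPEAT):
    """Return None if every quantifier bound is acceptable, otherwise the
    first offending (lo, hi) pair so the caller can reject the pattern."""
    for lo, hi in quantifier_bounds(pattern):
        if lo > max_repeat or (hi is not None and (hi > max_repeat or hi < lo)):
            return (lo, hi)
    return None
```

A caller that compiles user-supplied expressions would call `check_pattern` first and refuse the input when it returns a pair.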