SUSE-SA:2008:004

28041

28658

http://support.avaya.com/elmodocs2/security/ASA-2007-505.htm

MDVSA-2008:030

http://www.pcre.org/changelog.txt

RHSA-2007:1059

RHSA-2007:1068

26727

https://bugzilla.redhat.com/show_bug.cgi?id=384781

pcre-library-subpattern-dos(40020)

oval:org.mitre.oval:def:11545

From Red Hat Security Advisory 2007:1068 :

Updated pcre packages that resolve several security issues are now available for Red Hat Enterprise Linux 4.

This update has been rated as having important security impact by the Red Hat Security Response Team.

PCRE is a Perl-compatible regular expression library.

Flaws were discovered in the way PCRE handles certain malformed regular expressions. If an application linked against PCRE, such as Konqueror, parses a malicious regular expression, it may have been possible to run arbitrary code as the user running the application.
(CVE-2006-7225, CVE-2006-7226, CVE-2006-7228, CVE-2006-7230, CVE-2007-1659)

Users of PCRE are advised to upgrade to these updated packages, which contain backported patches to resolve these issues.

Red Hat would like to thank Ludwig Nussel for reporting these issues.

From Red Hat Security Advisory 2007:1059 :

Updated pcre packages that resolve several security issues are now available for Red Hat Enterprise Linux 5.

This update has been rated as having important security impact by the Red Hat Security Response Team.

PCRE is a Perl-compatible regular expression library.

Flaws were discovered in the way PCRE handles certain malformed regular expressions. If an application linked against PCRE, such as Konqueror, parses a malicious regular expression, it may have been possible to run arbitrary code as the user running the application.
(CVE-2006-7225, CVE-2006-7226, CVE-2006-7228, CVE-2006-7230)

Users of PCRE are advised to upgrade to these updated packages, which contain backported patches to resolve these issues.

Red Hat would like to thank Ludwig Nussel for reporting these issues.

Updated pcre packages that resolve several security issues are now available for Red Hat Enterprise Linux 4.

This update has been rated as having important security impact by the Red Hat Security Response Team.

PCRE is a Perl-compatible regular expression library.

Flaws were discovered in the way PCRE handles certain malformed regular expressions. If an application linked against PCRE, such as Konqueror, parses a malicious regular expression, it may have been possible to run arbitrary code as the user running the application.
(CVE-2006-7225, CVE-2006-7226, CVE-2006-7228, CVE-2006-7230, CVE-2007-1659)

Users of PCRE are advised to upgrade to these updated packages, which contain backported patches to resolve these issues.

Red Hat would like to thank Ludwig Nussel for reporting these issues.

Flaws were discovered in the way PCRE handles certain malformed regular expressions. If an application linked against PCRE, such as Konqueror, parsed a malicious regular expression, it may have been possible to run arbitrary code as the user running the application.
(CVE-2006-7225, CVE-2006-7226, CVE-2006-7228, CVE-2006-7230, CVE-2007-1660)

This update fixes multiple bugs in php :

  - several problems in pcre (CVE-2007-1660, CVE-2006-7225,     CVE-2006-7224, CVE-2006-7226 CVE-2007-1659,     CVE-2006-7230)

  - Flaws in processing multi byte sequences in     htmlentities/htmlspecialchars. (CVE-2007-5898)

  - overly long arguments to the dl() function could crash     php. (CVE-2007-4825)

  - overy long arguments to the glob() function could crash     php. (CVE-2007-4782)

  - overly long arguments to some iconv functions could     crash php. (CVE-2007-4840)

  - overy long arguments to the setlocale() function could     crash php. (CVE-2007-4784)

  - the wordwrap-Function could cause a floating point     exception. (CVE-2007-3998)

  - overy long arguments to the fnmatch() function could     crash php. (CVE-2007-4782)

  - incorrect size calculation in the chunk_split function     could lead to a buffer overflow. (CVE-2007-4661,     CVE-2007-2872)

  - Flaws in the GD extension could lead to integer     overflows. (CVE-2007-3996)

  - The money_format function contained format string flaws.
    (CVE-2007-4658)

Specially crafted regular expressions could lead to a buffer overflow in the pcre library. Applications using pcre to process regular expressions from untrusted sources could therefore potentially be exploited by attackers to execute arbitrary code. (CVE-2006-7224 / CVE-2006-7225 / CVE-2006-7226 / CVE-2007-1659 / CVE-2007-1660)

Updated pcre packages that resolve several security issues are now available for Red Hat Enterprise Linux 5.

This update has been rated as having important security impact by the Red Hat Security Response Team.

PCRE is a Perl-compatible regular expression library.

Flaws were discovered in the way PCRE handles certain malformed regular expressions. If an application linked against PCRE, such as Konqueror, parses a malicious regular expression, it may have been possible to run arbitrary code as the user running the application.
(CVE-2006-7225, CVE-2006-7226, CVE-2006-7228, CVE-2006-7230)

Users of PCRE are advised to upgrade to these updated packages, which contain backported patches to resolve these issues.

Red Hat would like to thank Ludwig Nussel for reporting these issues.

Specially crafted regular expressions could lead to a buffer overflow in the pcre library. Applications using pcre to process regular expressions from untrusted sources could therefore potentially be exploited by attackers to execute arbitrary code (CVE-2006-7224, CVE-2006-7225, CVE-2006-7226, CVE-2007-1659, CVE-2007-1660).

Multiple vulnerabilities were discovered by Tavis Ormandy and Will Drewry in the way that pcre handled certain malformed regular expressions. If an application linked against pcre, such as Konqueror, parses a malicious regular expression, it could lead to the execution of arbitrary code as the user running the application.

Updated packages have been patched to prevent this issue.
Additionally, Corporate Server 4.0 was updated to pcre version 6.7 which corrected CVE-2006-7225, CVE-2006-7226, CVE-2006-7227, CVE-2006-7228, and CVE-2006-7230.

ID	Name	Product	Family	Severity
67613	Oracle Linux 4 : pcre (ELSA-2007-1068)	Nessus	Oracle Linux Local Security Checks	medium
67611	Oracle Linux 5 : pcre (ELSA-2007-1059)	Nessus	Oracle Linux Local Security Checks	medium
67061	CentOS 4 : pcre (CESA-2007:1068)	Nessus	CentOS Local Security Checks	medium
65042	Scientific Linux Security Update : pcre on SL4.x, SL3.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	medium
41187	SuSE9 Security Update : PHP4 (YOU Patch Number 12049)	Nessus	SuSE Local Security Checks	high
29547	SuSE 10 Security Update : pcre (ZYPP Patch Number 4689)	Nessus	SuSE Local Security Checks	medium
28367	RHEL 4 : pcre (RHSA-2007:1068)	Nessus	Red Hat Local Security Checks	medium
28364	RHEL 5 : pcre (RHSA-2007:1059)	Nessus	Red Hat Local Security Checks	medium
28284	openSUSE 10 Security Update : pcre (pcre-4696)	Nessus	SuSE Local Security Checks	medium
27849	Mandrake Linux Security Advisory : pcre (MDKSA-2007:212)	Nessus	Mandriva Local Security Checks	high

CVE-2006-7226

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins

medium

medium

medium

medium

high

medium

medium

medium

medium

high