http://bugs.gentoo.org/show_bug.cgi?id=198976

SUSE-SA:2008:004

http://scary.beasts.org/security/CESA-2007-006.html

27582

27741

27773

27869

28406

28414

28658

28714

28720

30106

30155

30219

GLSA-200711-30

GLSA-200801-02

GLSA-200801-18

GLSA-200801-19

GLSA-200805-11

http://support.avaya.com/elmodocs2/security/ASA-2007-493.htm

DSA-1570

MDVSA-2008:030

SUSE-SA:2007:062

http://www.pcre.org/changelog.txt

RHSA-2007:1052

26462

oval:org.mitre.oval:def:10408

From Red Hat Security Advisory 2007:1052 :

Updated pcre packages that correct security issues are now available for Red Hat Enterprise Linux 4 and 5.

This update has been rated as having important security impact by the Red Hat Security Response Team.

[Updated 15 November 2007] Further analysis of these flaws in PCRE has led to the single CVE identifier CVE-2006-7224 being split into three separate identifiers and a re-analysis of the risk of each of the flaws. We are therefore updating the text of this advisory to use the correct CVE names for the two flaws fixed by these erratum packages, and downgrading the security impact of this advisory from critical to important. No changes have been made to the packages themselves.

PCRE is a Perl-compatible regular expression library.

Flaws were found in the way PCRE handles certain malformed regular expressions. If an application linked against PCRE, such as Konqueror, parses a malicious regular expression, it may be possible to run arbitrary code as the user running the application. (CVE-2005-4872, CVE-2006-7227)

Users of PCRE are advised to upgrade to these updated packages, which contain a backported patch to correct these issues.

This importance of this has been reduced to 'Important' We have renumbered the release for SL5 so that it doesn't conflict with the previous pcre security update.

This update fixes multiple bugs in php :

  - several problems in pcre (CVE-2007-1660, CVE-2006-7225,     CVE-2006-7224, CVE-2006-7226 CVE-2007-1659,     CVE-2006-7230)

  - Flaws in processing multi byte sequences in     htmlentities/htmlspecialchars. (CVE-2007-5898)

  - overly long arguments to the dl() function could crash     php. (CVE-2007-4825)

  - overy long arguments to the glob() function could crash     php. (CVE-2007-4782)

  - overly long arguments to some iconv functions could     crash php. (CVE-2007-4840)

  - overy long arguments to the setlocale() function could     crash php. (CVE-2007-4784)

  - the wordwrap-Function could cause a floating point     exception. (CVE-2007-3998)

  - overy long arguments to the fnmatch() function could     crash php. (CVE-2007-4782)

  - incorrect size calculation in the chunk_split function     could lead to a buffer overflow. (CVE-2007-4661,     CVE-2007-2872)

  - Flaws in the GD extension could lead to integer     overflows. (CVE-2007-3996)

  - The money_format function contained format string flaws.
    (CVE-2007-4658)

Apache2 contains a copy of the pcre library. Specially crafted regular expressions could lead to a buffer overflow in the pcre library.
Applications using pcre to process regular expressions from untrusted sources could therefore potentially be exploited by attackers to execute arbitrary code. (CVE-2006-7224, CVE-2007-1660)

Updated pcre packages that correct security issues are now available for Red Hat Enterprise Linux 4 and 5.

This update has been rated as having important security impact by the Red Hat Security Response Team.

[Updated 15 November 2007] Further analysis of these flaws in PCRE has led to the single CVE identifier CVE-2006-7224 being split into three separate identifiers and a re-analysis of the risk of each of the flaws. We are therefore updating the text of this advisory to use the correct CVE names for the two flaws fixed by these erratum packages, and downgrading the security impact of this advisory from critical to important. No changes have been made to the packages themselves.

PCRE is a Perl-compatible regular expression library.

Flaws were found in the way PCRE handles certain malformed regular expressions. If an application linked against PCRE, such as Konqueror, parses a malicious regular expression, it may be possible to run arbitrary code as the user running the application. (CVE-2005-4872, CVE-2006-7227)

Users of PCRE are advised to upgrade to these updated packages, which contain a backported patch to correct these issues.

Andrews Salomon reported that kazehakase, a GTK+-based web browser that allows pluggable rendering engines, contained an embedded copy of the PCRE library in its source tree which was compiled in and used in preference to the system-wide version of this library.

The PCRE library has been updated to fix the security issues reported against it in previous Debian Security Advisories. This update ensures that kazehakase uses that supported library, and not its own embedded and insecure version.

This update fixes multiple bugs in php :

  - use system pcre library to fix several pcre     vulnerabilities (CVE-2007-1659, CVE-2006-7230,     CVE-2007-1660, CVE-2006-7227 CVE-2005-4872,     CVE-2006-7228)

  - Flaws in processing multi byte sequences in     htmlentities/htmlspecialchars (CVE-2007-5898)

  - overly long arguments to the dl() function could crash     php (CVE-2007-4825)

  - overy long arguments to the glob() function could crash     php (CVE-2007-4782)

  - overly long arguments to some iconv functions could     crash php (CVE-2007-4840)

  - overy long arguments to the setlocale() function could     crash php (CVE-2007-4784)

  - the wordwrap-Function could cause a floating point     exception (CVE-2007-3998)

  - overy long arguments to the fnmatch() function could     crash php (CVE-2007-4782)

  - incorrect size calculation in the chunk_split function     could lead to a buffer overflow (CVE-2007-4661)

  - Flaws in the GD extension could lead to integer     overflows (CVE-2007-3996)

  - The money_format function contained format string flaws     (CVE-2007-4658)

  - Data for some time zones has been updated

This update fixes multiple bugs in php :

  - use system pcre library to fix several pcre     vulnerabilities. (CVE-2007-1659 / CVE-2006-7230 /     CVE-2007-1660 / CVE-2006-7227 / CVE-2005-4872 /     CVE-2006-7228)

  - Flaws in processing multi byte sequences in     htmlentities/htmlspecialchars. (CVE-2007-5898)

  - overly long arguments to the dl() function could crash     php. (CVE-2007-4825)

  - overy long arguments to the glob() function could crash     php. (CVE-2007-4782)

  - overly long arguments to some iconv functions could     crash php. (CVE-2007-4840)

  - overy long arguments to the setlocale() function could     crash php. (CVE-2007-4784)

  - the wordwrap-Function could cause a floating point     exception. (CVE-2007-3998)

  - overy long arguments to the fnmatch() function could     crash php. (CVE-2007-4782)

  - incorrect size calculation in the chunk_split function     could lead to a buffer overflow. (CVE-2007-4661)

  - Flaws in the GD extension could lead to integer     overflows. (CVE-2007-3996)

  - The money_format function contained format string flaws.
    (CVE-2007-4658)

  - Data for some time zones has been updated

The remote host is affected by the vulnerability described in GLSA-200711-30 (PCRE: Multiple vulnerabilities)

    Tavis Ormandy (Google Security) discovered multiple vulnerabilities in     PCRE. He reported an error when processing '\\Q\\E' sequences with     unmatched '\\E' codes that can lead to the compiled bytecode being     corrupted (CVE-2007-1659). PCRE does not properly calculate sizes for     unspecified 'multiple forms of character class', which triggers a     buffer overflow (CVE-2007-1660). Further improper calculations of     memory boundaries were reported when matching certain input bytes     against regex patterns in non UTF-8 mode (CVE-2007-1661) and when     searching for unmatched brackets or parentheses (CVE-2007-1662).
    Multiple integer overflows when processing escape sequences may lead to     invalid memory read operations or potentially cause heap-based buffer     overflows (CVE-2007-4766). PCRE does not properly handle '\\P' and     '\\P{x}' sequences which can lead to heap-based buffer overflows or     trigger the execution of infinite loops (CVE-2007-4767), PCRE is also     prone to an error when optimizing character classes containing a     singleton UTF-8 sequence which might lead to a heap-based buffer     overflow (CVE-2007-4768).
    Chris Evans also reported multiple integer overflow vulnerabilities in     PCRE when processing a large number of named subpatterns ('name_count')     or long subpattern names ('max_name_size') (CVE-2006-7227), and via     large 'min', 'max', or 'duplength' values (CVE-2006-7228) both possibly     leading to buffer overflows. Another vulnerability was reported when     compiling patterns where the '-x' or '-i' UTF-8 options change within     the pattern, which might lead to improper memory calculations     (CVE-2006-7230).
  Impact :

    An attacker could exploit these vulnerabilities by sending specially     crafted regular expressions to applications making use of the PCRE     library, which could possibly lead to the execution of arbitrary code,     a Denial of Service or the disclosure of sensitive information.
  Workaround :

    There is no known workaround at this time.

Multiple vulnerabilities were discovered by Tavis Ormandy and Will Drewry in the way that pcre handled certain malformed regular expressions. If an application linked against pcre, such as Konqueror, parses a malicious regular expression, it could lead to the execution of arbitrary code as the user running the application.

Updated packages have been patched to prevent this issue.
Additionally, Corporate Server 4.0 was updated to pcre version 6.7 which corrected CVE-2006-7225, CVE-2006-7226, CVE-2006-7227, CVE-2006-7228, and CVE-2006-7230.

ID	Name	Product	Family	Severity
67610	Oracle Linux 4 : pcre (ELSA-2007-1052)	Nessus	Oracle Linux Local Security Checks	medium
60298	Scientific Linux Security Update : pcre on SL5.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	medium
41187	SuSE9 Security Update : PHP4 (YOU Patch Number 12049)	Nessus	SuSE Local Security Checks	high
41170	SuSE9 Security Update : Apache 2 (YOU Patch Number 12000)	Nessus	SuSE Local Security Checks	medium
37163	CentOS 4 : pcre (CESA-2007:1052)	Nessus	CentOS Local Security Checks	medium
32144	Debian DSA-1570-1 : kazehakase - various	Nessus	Debian Local Security Checks	high
29878	openSUSE 10 Security Update : apache2-mod_php5 (apache2-mod_php5-4810)	Nessus	SuSE Local Security Checks	high
29780	SuSE 10 Security Update : PHP5 (ZYPP Patch Number 4808)	Nessus	SuSE Local Security Checks	high
28319	GLSA-200711-30 : PCRE: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
28169	RHEL 4 / 5 : pcre (RHSA-2007:1052)	Nessus	Red Hat Local Security Checks	medium
27849	Mandrake Linux Security Advisory : pcre (MDKSA-2007:212)	Nessus	Mandriva Local Security Checks	high

CVE-2006-7227

MEDIUM

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Tenable Plugins

medium

medium

high

medium

medium

high

high

high

high

medium

high