Search 219043 CVE descriptions
and 99761 test descriptions,
access 10,000+ cross references.
Tests   CVE   All  

Test ID:
Category:Debian Local Security Checks
Title:Debian Security Advisory DSA 1399-1 (pcre3)
The remote host is missing an update to pcre3
announced via advisory DSA 1399-1.

Tavis Ormandy of the Google Security Team has discovered several
security issues in PCRE, the Perl-Compatible Regular Expression library,
which potentially allow attackers to execute arbitrary code by compiling
specially crafted regular expressions.

Version 7.0 of the PCRE library featured a major rewrite of the regular
expression compiler, and it was deemed infeasible to backport the
security fixes in version 7.3 to the versions in Debian's stable and
oldstable distributions (6.7 and 4.5, respectively). Therefore, this
update contains version 7.3, with special patches to improve the
compatibility with the older versions. As a result, extra care is
necessary when applying this update.

The Common Vulnerabilities and Exposures project identifies the
following problems:


Unmatched \Q\E sequences with orphan \E codes can cause the compiled
regex to become desynchronized, resulting in corrupt bytecode that may
result in multiple exploitable conditions.


Multiple forms of character class had their sizes miscalculated on
initial passes, resulting in too little memory being allocated.


Multiple patterns of the form \X?\d or \P{L}?\d in non-UTF-8 mode
could backtrack before the start of the string, possibly leaking
information from the address space, or causing a crash by reading out
of bounds.


A number of routines can be fooled into reading past the end of an
string looking for unmatched parentheses or brackets, resulting in a
denial of service.


Multiple integer overflows in the processing of escape sequences could
result in heap overflows or out of bounds reads/writes.


Multiple infinite loops and heap overflows were disovered in the
handling of \P and \P{x} sequences, where the length of these
non-standard operations was mishandled.


Character classes containing a lone unicode sequence were incorrectly
optimised, resulting in a heap overflow.

For the stable distribution (etch), these problems have been fixed in
version 6.7+7.4-2.

For the old stable distribution (sarge), these problems have been fixed in
version 4.5+7.4-1.

For the unstable distribution (sid), these problems have been fixed in
version 7.3-1.


CVSS Score:

CVSS Vector:

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2007-1659
BugTraq ID: 26346
Bugtraq: 20071106 rPSA-2007-0231-1 pcre (Google Search)
Bugtraq: 20071112 FLEA-2007-0064-1 pcre (Google Search)
Cert/CC Advisory: TA07-352A
Debian Security Information: DSA-1399 (Google Search)
Debian Security Information: DSA-1570 (Google Search)
SuSE Security Announcement: SUSE-SA:2007:062 (Google Search)
SuSE Security Announcement: SUSE-SA:2008:004 (Google Search)
SuSE Security Announcement: SUSE-SR:2007:025 (Google Search)
XForce ISS Database: pcre-regex-code-execution(38272)
Common Vulnerability Exposure (CVE) ID: CVE-2007-1660
Bugtraq: 20080416 VMSA-2008-0007 Moderate Updated Service Console packages pcre, net-snmp, and OpenPegasus (Google Search)
XForce ISS Database: pcre-character-class-dos(38273)
Common Vulnerability Exposure (CVE) ID: CVE-2007-1661
XForce ISS Database: pcre-nonutf8-dos(38274)
Common Vulnerability Exposure (CVE) ID: CVE-2007-1662
XForce ISS Database: pcre-unmatched-dos(38275)
Common Vulnerability Exposure (CVE) ID: CVE-2007-4766
XForce ISS Database: pcre-escape-sequence-overflow(38276)
Common Vulnerability Exposure (CVE) ID: CVE-2007-4767
XForce ISS Database: pcre-p-sequence-bo(38277)
Common Vulnerability Exposure (CVE) ID: CVE-2007-4768
Cert/CC Advisory: TA07-355A
SuSE Security Announcement: SUSE-SA:2007:069 (Google Search)
XForce ISS Database: pcre-class-unicode-bo(38278)
CopyrightCopyright (c) 2007 E-Soft Inc.

This is only one of 99761 vulnerability tests in our test suite. Find out more about running a complete security audit.

To run a free test of this vulnerability against your system, register below.

© 1998-2022 E-Soft Inc. All rights reserved.