New PCRE packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, and -current to fix a security issue. A buffer overflow could be triggered by a specially crafted regular expression. Any applications that use PCRE to process untrusted regular expressions may be exploited to run arbitrary code as the user running the application.
The PCRE library is also provided in an initial installation by the aaa_elflibs package, so if your system has a /usr/lib/libpcre.so.0 symlink, then you should install this updated package even if the PCRE package itself is not installed on the system.
More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2491
Here are the details from the Slackware 10.1 ChangeLog:
+--------------------------+
patches/packages/pcre-6.3-i486-1.tgz: Upgraded to pcre-6.3.
This fixes a buffer overflow that could be triggered by the processing of a
specially crafted regular expression. Theoretically this could be a security
issue if regular expressions are accepted from untrusted users to be
processed by a user with greater privileges, but this doesn't seem like a
common scenario (or, for that matter, a good idea). However, if you are
using an application that links to the shared PCRE library and accepts
outside input in such a manner, you will want to update to this new package.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2491
(* Security fix *)
+--------------------------+
Where to find the new packages:
+-----------------------------+
Updated package for Slackware 8.1:
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/pcre-6.3-i386-1.tgz
Updated package for Slackware 9.0:
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/pcre-6.3-i386-1.tgz
Updated package for Slackware 9.1:
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/pcre-6.3-i486-1.tgz
Updated package for Slackware 10.0:
ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/pcre-6.3-i486-1.tgz
Updated package for Slackware 10.1:
ftp://ftp.slackware.com/pub/slackware/slackware-10.1/patches/packages/pcre-6.3-i486-1.tgz
Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/l/pcre-6.3-i486-1.tgz
MD5 signatures:
+-------------+
Slackware 8.1 package:
6d4ea9a84341297ebb86a3d218ee6520 pcre-6.3-i386-1.tgz
Slackware 9.0 package:
539769e82bb6e03db449f4154d557e36 pcre-6.3-i386-1.tgz
Slackware 9.1 package:
bb49c4be6ba9c8ed19d4be7997da065a pcre-6.3-i486-1.tgz
Slackware 10.0 package:
591c6fce5c0084f668bab1ea3ada4ebe pcre-6.3-i486-1.tgz
Slackware 10.1 package:
8f5f604fd35876d397d4e2d4e4fe83a1 pcre-6.3-i486-1.tgz
Slackware -current package:
c699044b38a70720439ace1097e84013 pcre-6.3-i486-1.tgz
Installation instructions:
+------------------------+
Upgrade the package as root:
# upgradepkg pcre-6.3-i486-1.tgz
Then, restart any applications that use the PCRE library.
+-----+
Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com
The PCRE library is also provided in an initial installation by the aaa_elflibs package, so if your system has a /usr/lib/libpcre.so.0 symlink, then you should install this updated package even if the PCRE package itself is not installed on the system.
More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2491
Here are the details from the Slackware 10.1 ChangeLog:
+--------------------------+
patches/packages/pcre-6.3-i486-1.tgz: Upgraded to pcre-6.3.
This fixes a buffer overflow that could be triggered by the processing of a
specially crafted regular expression. Theoretically this could be a security
issue if regular expressions are accepted from untrusted users to be
processed by a user with greater privileges, but this doesn't seem like a
common scenario (or, for that matter, a good idea). However, if you are
using an application that links to the shared PCRE library and accepts
outside input in such a manner, you will want to update to this new package.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2491
(* Security fix *)
+--------------------------+
Where to find the new packages:
+-----------------------------+
Updated package for Slackware 8.1:
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/pcre-6.3-i386-1.tgz
Updated package for Slackware 9.0:
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/pcre-6.3-i386-1.tgz
Updated package for Slackware 9.1:
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/pcre-6.3-i486-1.tgz
Updated package for Slackware 10.0:
ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/pcre-6.3-i486-1.tgz
Updated package for Slackware 10.1:
ftp://ftp.slackware.com/pub/slackware/slackware-10.1/patches/packages/pcre-6.3-i486-1.tgz
Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/l/pcre-6.3-i486-1.tgz
MD5 signatures:
+-------------+
Slackware 8.1 package:
6d4ea9a84341297ebb86a3d218ee6520 pcre-6.3-i386-1.tgz
Slackware 9.0 package:
539769e82bb6e03db449f4154d557e36 pcre-6.3-i386-1.tgz
Slackware 9.1 package:
bb49c4be6ba9c8ed19d4be7997da065a pcre-6.3-i486-1.tgz
Slackware 10.0 package:
591c6fce5c0084f668bab1ea3ada4ebe pcre-6.3-i486-1.tgz
Slackware 10.1 package:
8f5f604fd35876d397d4e2d4e4fe83a1 pcre-6.3-i486-1.tgz
Slackware -current package:
c699044b38a70720439ace1097e84013 pcre-6.3-i486-1.tgz
Installation instructions:
+------------------------+
Upgrade the package as root:
# upgradepkg pcre-6.3-i486-1.tgz
Then, restart any applications that use the PCRE library.
+-----+
Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com
