PCRE Heap Overflow May Let Users Execute Arbitrary Code
SecurityTracker Alert ID: 1014744
SecurityTracker URL: http://securitytracker.com/id/1014744
CVE Reference: CVE-2005-2491
Updated: Mar 10 2006
Original Entry Date: Aug 20 2005
Impact:
Execution of arbitrary code via local system, Execution of arbitrary code via network, User access via local system, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 6.1 and prior versions
Description:
A vulnerability was reported in the PCRE library. A remote or local user may be able to execute arbitrary code on the target system.
A remote or local user may be able to supply a specially crafted regular expression that triggers an integer overflow in PCRE, which leads to a heap-based buffer overflow.
The impact depends on the application that uses the library. Applications that compile regular expressions supplied by untrusted users may be vulnerable.
The flaw resides in 'pcre_compile.c', where repetition-count (quantifier) values in a regular expression are not properly validated before use.
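The class of flaw described above, shown as an added example in C that is not PCRE's code: a toy parser for a {min}, {min,} or {min,max} quantifier that rejects out-of-range counts, next to the kind of unchecked 32-bit size arithmetic that wraps when a repeat count is never bounds-checked. The MAX_REPEAT cap, the "item length times repeat count plus overhead" sizing model and all function names are assumptions of this example, not taken from PCRE.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Upper bound accepted for a repeat count. 65535 is an assumption of this
 * example, chosen so that min/max fit in 16 bits; it is not taken from PCRE. */
#define MAX_REPEAT 65535

/* Parse a "{min}", "{min,}" or "{min,max}" quantifier at s.
 * On success returns 0 and stores the bounds (max is -1 for "{min,}").
 * Returns -1 for malformed input, for min > max, or for any bound above
 * MAX_REPEAT. This bound check is what keeps a huge count from ever
 * reaching the size arithmetic below. */
int parse_quantifier(const char *s, int *min_out, int *max_out)
{
    const char *p = s;
    char *end;
    long lo, hi;

    if (*p++ != '{') return -1;
    if (*p < '0' || *p > '9') return -1;          /* also rejects sign/space */
    errno = 0;
    lo = strtol(p, &end, 10);
    if (errno == ERANGE || lo > MAX_REPEAT) return -1;
    p = end;

    if (*p == '}') {
        hi = lo;                                   /* {n} */
    } else if (*p == ',') {
        p++;
        if (*p == '}') {
            hi = -1;                               /* {n,} unbounded */
        } else {
            if (*p < '0' || *p > '9') return -1;
            errno = 0;
            hi = strtol(p, &end, 10);
            if (errno == ERANGE || hi < lo || hi > MAX_REPEAT) return -1;
            p = end;
            if (*p != '}') return -1;
        }
    } else {
        return -1;
    }
    *min_out = (int)lo;
    *max_out = (int)hi;
    return 0;
}

/* Convenience wrappers that fold the status and one bound into a single
 * value: -2 means the quantifier was rejected. */
int quantifier_min(const char *s) { int lo, hi; return parse_quantifier(s, &lo, &hi) ? -2 : lo; }
int quantifier_max(const char *s) { int lo, hi; return parse_quantifier(s, &lo, &hi) ? -2 : hi; }

/* Model of a compiler sizing a quantified item: the item is replicated
 * max_repeat times plus 8 bytes of overhead. Unchecked 32-bit arithmetic
 * wraps for large counts, so a later allocation would be far too small. */
uint32_t naive_compiled_size(uint32_t item_len, uint32_t max_repeat)
{
    return item_len * max_repeat + 8;
}

/* Same computation done in 64 bits with an explicit range check.
 * Returns 0 on overflow so the caller refuses to allocate at all. */
uint32_t checked_compiled_size(uint32_t item_len, uint32_t max_repeat)
{
    uint64_t total = (uint64_t)item_len * max_repeat + 8;
    return total > UINT32_MAX ? 0 : (uint32_t)total;
}

int main(void)
{
    /* Constructed sample quantifiers: two valid, three that must be rejected. */
    const char *patterns[] = { "{3,7}", "{5,}", "{70000}", "{2,1}", "{3,x}" };
    for (size_t i = 0; i < sizeof patterns / sizeof *patterns; i++) {
        int lo, hi;
        if (parse_quantifier(patterns[i], &lo, &hi) == 0)
            printf("%-9s accepted: min=%d max=%d\n", patterns[i], lo, hi);
        else
            printf("%-9s rejected\n", patterns[i]);
    }
    /* 0x10000 * 0x10000 wraps to 0 in 32 bits, so the naive size is 8 bytes. */
    printf("naive:   %u\n", naive_compiled_size(0x10000, 0x10000));
    printf("checked: %u\n", checked_compiled_size(0x10000, 0x10000));
    return 0;
}
```

The parser rejects an oversized count outright rather than clamping it, and the sizing helper refuses to return a wrapped value; either check alone would have stopped an allocation sized from an overflowed product, which is the pattern a heap overflow of this kind depends on.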
Impact:
The specific impact depends on the applications that use PCRE.
Solution:
The vendor has issued a fixed version (6.2), available at:
http://www.pcre.org/
Red Hat has issued a fix for Red Hat Enterprise Linux:
https://rhn.redhat.com/errata/RHSA-2005-761.html
Red Hat has issued a fix for Exim for Red Hat Enterprise Linux, which is affected by this PCRE vulnerability:
https://rhn.redhat.com/errata/RHSA-2005-358.html
Vendor URL: www.pcre.org/
Cause:
Boundary error
Underlying OS:
Linux (Any), UNIX (Any)
Message History:
This archive entry has one or more follow-up message(s) listed below.
Source Message Contents
[Original Message Not Available for Viewing]