libpre3 stack overflow
2008-02-22 13:25:53
There is a security update for libpre3 and devel packages for Ubuntu Server 6.06:

Version 7.4-0ubuntu0.7.04.2:

  * SECURITY UPDATE: stack overflow when handling long UTF8 strings.
  * pcre_compile.c, testdata/test{in,out}put4: upstream changes from 7.6
    backported, thanks to Tomas Hoger and Florian Weimer.
  * References
    CVE-2008-0674

I compile lighttpd from source, should I be overly concerned with the previous build without this fix?
-- 
___________________________________
Andy Wright                                  andy.wrightextracted.org
IT/IS Professional                           For public and private use.
IT/IS Forum # (608)554-0030 VM               KEY ID 7CECF855
Open Forum Skype: extracted                  http://7cecf855.extracted.org
Thanks BB, "water is wet"
ALTERNATIVE: andy.wrightyahoo.com
___________________________________


Re: libpre3 stack overflow
2008-02-22 13:31:07
On 2008-02-22 20:25, Andy Wright wrote:
> There is a security update for libpre3 and devel packages for Ubuntu Server 6.06:
> 
> Version 7.4-0ubuntu0.7.04.2:
> 
>   * SECURITY UPDATE: stack overflow when handling long UTF8 strings.
>   * pcre_compile.c, testdata/test{in,out}put4: upstream changes from 7.6
>     backported, thanks to Tomas Hoger and Florian Weimer.
>   * References
>     CVE-2008-0674
> 
> I compile lighttpd from source, should I be overly concerned with the previous build without this fix?
No, updating the system pcre library is sufficient, usually. It would only be a problem if you created a static lighttpd executable (which is non-default and does not really make sense for normal systems).

In this special case, the vulnerability is not a problem for lighttpd anyway -- lighty uses regular expressions in mod_re{write,direct} and =~ conditionals. In all those cases the patterns are created by you (and not by a possibly malicious user), but for successful exploitation of this vulnerability the attacker needs access to the pattern.

It's PCRE and not PRE btw ;)


-- 
Christian Hoffmann
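One check worth running after the libpcre3 package update, following the point above: a dynamically linked lighttpd only picks up the fixed library once the process is restarted, and a static build never does. The shell snippet below is an added example, not code from the thread or from lighttpd; it reads /proc/<pid>/maps and flags a libpcre copy that was replaced on disk but is still mapped by the running process. The maps content used in the self-test is constructed.

```shell
#!/bin/sh
# Added example: verify which libpcre a process actually has mapped.
# A process keeps the old library mapped until it is restarted; the kernel
# marks the replaced file's mapping as "(deleted)" in /proc/<pid>/maps.

# pcre_map_status MAPSFILE
#   Prints the libpcre shared objects mapped according to MAPSFILE.
#   Returns 0 if only current copies are mapped, 1 if a replaced
#   (deleted) copy is still mapped, 2 if no libpcre mapping exists at all
#   (statically linked, or PCRE simply not loaded).
pcre_map_status() {
    maps="$1"
    # field 6 of a maps line is the pathname, field 7 is "(deleted)" when
    # the file backing the mapping has been unlinked/replaced
    found=$(awk '$6 ~ /libpcre.*\.so/ {
                    p = $6
                    if ($7 == "(deleted)") p = p " (deleted)"
                    print p
                }' "$maps" | sort -u)
    [ -n "$found" ] || return 2
    printf '%s\n' "$found"
    case "$found" in
        *"(deleted)"*) return 1 ;;
    esac
    return 0
}

# check_lighttpd: run the check against every running lighttpd process
# (hypothetical wrapper; uses pidof, so it needs a Linux host).
check_lighttpd() {
    rc=0
    for pid in $(pidof lighttpd 2>/dev/null); do
        echo "pid $pid:"
        pcre_map_status "/proc/$pid/maps"
        case $? in
            1) echo "  -> stale libpcre still mapped, restart lighttpd"; rc=1 ;;
            2) echo "  -> no libpcre mapping (static build?); check with ldd" ;;
        esac
    done
    return $rc
}

# links_pcre_dynamically BINARY: does the executable link libpcre at all?
# A static build shows no libpcre line in ldd and needs a rebuild instead.
links_pcre_dynamically() {
    ldd "$1" 2>/dev/null | grep -q 'libpcre'
}
```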

Re: libpre3 stack overflow
2008-02-22 14:07:37
On Fri, 2008-02-22 at 20:31 +0100, Christian Hoffmann wrote:
> On 2008-02-22 20:25, Andy Wright wrote:
> > There is a security update for libpre3 and devel packages for Ubuntu Server 6.06:
> > 
> > Version 7.4-0ubuntu0.7.04.2:
> > 
> >   * SECURITY UPDATE: stack overflow when handling long UTF8 strings.
> >   * pcre_compile.c, testdata/test{in,out}put4: upstream changes from 7.6
> >     backported, thanks to Tomas Hoger and Florian Weimer.
> >   * References
> >     CVE-2008-0674
> > 
> > I compile lighttpd from source, should I be overly concerned with the previous build without this fix?
> No, updating the system pcre library is sufficient, usually. It would only be a problem if you created a static lighttpd executable (which is non-default and does not really make sense for normal systems).
> 
> In this special case, the vulnerability is not a problem for lighttpd anyway -- lighty uses regular expressions in mod_re{write,direct} and =~ conditionals. In all those cases the patterns are created by you (and not by a possibly malicious user), but for successful exploitation of this vulnerability the attacker needs access to the pattern.
> 
> It's PCRE and not PRE btw ;)
> 

I seem to be seeing double on this mailing list.  My eyes just needed to adjust.  That's my excuse! :-D
-- 
___________________________________
Andy Wright                                  andy.wrightextracted.org
IT/IS Professional                           For public and private use.
IT/IS Forum # (608)554-0030 VM               KEY ID 7CECF855
Open Forum Skype: extracted                  http://7cecf855.extracted.org
Thanks BB, "water is wet"
ALTERNATIVE: andy.wrightyahoo.com
___________________________________