22 Feb 20:31
Re: libpre3 stack overflow
From: Christian Hoffmann <christian <at> hoffie.info>
Subject: Re: libpre3 stack overflow
Newsgroups: gmane.comp.web.lighttpd
Date: 2008-02-22 19:31:07 GMT
Subject: Re: libpre3 stack overflow
Newsgroups: gmane.comp.web.lighttpd
Date: 2008-02-22 19:31:07 GMT
On 2008-02-22 20:25, Andy Wright wrote:
> Their is a security update for libpre3 and devel packages for Ubuntu
> Server 6.06:
>
> Version 7.4-0ubuntu0.7.04.2:
>
> * SECURITY UPDATE: stack overflow when handling long UTF8 strings.
> * pcre_compile.c, testdata/test{in,out}put4: upstream changes from 7.6
> backported, thanks to Tomas Hoger and Florian Weimer.
> * References
> CVE-2008-0674
>
> I compile lighttpd from source, should I be overly concerned with the
> previous build without this fix?
No, updating the system pcre library is sufficient, usually. It would
only be a problem if you created a static lighttpd executable (which is
non-default and does not really make sense for normal systems).
In this special case, the vulnerability is not a problem for lighttpd
anyway -- lighty uses regular expressions in mod_re{write,direct} and =~
conditionals. In all those cases the patterns are created by you (and
not by a possibly malicious user), but for successful exploitation of
this vulnerability the attacker needs access to the patterrn.
It's PCRE and not PRE btw ;)
--
--
Christian Hoffmann
RSS Feed