Re: libpre3 stack overflow

On Fri, 2008-02-22 at 20:31 +0100, Christian Hoffmann wrote:
> On 2008-02-22 20:25, Andy Wright wrote:
> > Their is a security update for libpre3 and devel packages for Ubuntu
> > Server 6.06:
> > 
> > Version 7.4-0ubuntu0.7.04.2: 
> > 
> >   * SECURITY UPDATE: stack overflow when handling long UTF8 strings.
> >   * pcre_compile.c, testdata/test{in,out}put4: upstream changes from 7.6
> >     backported, thanks to Tomas Hoger and Florian Weimer.
> >   * References
> >     CVE-2008-0674
> > 
> > I compile lighttpd from source, should I be overly concerned with the
> > previous build without this fix?
> No, updating the system pcre library is sufficient, usually. It would 
> only be a problem if you created a static lighttpd executable (which is 
> non-default and does not really make sense for normal systems).
> 
> In this special case, the vulnerability is not a problem for lighttpd 
> anyway -- lighty uses regular expressions in mod_re{write,direct} and =~ 
> conditionals. In all those cases the patterns are created by you (and 
> not by a possibly malicious user), but for successful exploitation of 
> this vulnerability the attacker needs access to the patterrn.
> 
> It's PCRE and not PRE btw ;)
> 

I seam to be seeing double on this mailing list.  My eyes just needed to
adjust.  That's my excuse! :-D
--

-- 
                                   ___________________________________
Andy Wright                                  andy.wright <at> extracted.org
IT/IS Professional                         For public and private use.
IT/IS Forum # (608)554-0030 VM                         KEY ID 7CECF855 
Open Forum Skype: extracted              http://7cecf855.extracted.org    
Thanks BB, "water is wet"
                                    ALTERNATIVE: andy.wright <at> yahoo.com
                                   ___________________________________