Date: Fri, 29 Feb 2008 08:26:37 -0800 (PST) From: Nick Barkas <snb@threerings.net> To: FreeBSD-gnats-submit@FreeBSD.org Subject: ports/121224: [patch] Add pcre vulnerability to security/vuxml Message-ID: <20080229162637.E458161E22@smtp.earth.threerings.net> Resent-Message-ID: <200802291630.m1TGU2EE054370@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 121224 >Category: ports >Synopsis: [patch] Add pcre vulnerability to security/vuxml >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: update >Submitter-Id: current-users >Arrival-Date: Fri Feb 29 16:30:02 UTC 2008 >Closed-Date: >Last-Modified: >Originator: Nick Barkas >Release: FreeBSD 6.2-RELEASE-p11 i386 >Organization: Three Rings Design, Inc. >Environment: System: FreeBSD mail1.earth.threerings.net 6.2-RELEASE-p11 FreeBSD 6.2-RELEASE-p11 #0: Wed Feb 13 07:00:04 UTC 2008 root@i386-builder.daemonology.net:/usr/obj/usr/src/sys/SMP i386 >Description: PCRE versions before 7.6 are vulnerable to arbitrary code execution via a buffer overflow. The following patch adds this vulnerability to the VuXML document. >How-To-Repeat: >Fix: --- pcre_vuln.patch begins here --- --- vuln.xml.orig Wed Feb 27 17:41:13 2008 +++ vuln.xml Fri Feb 29 08:19:53 2008 @@ -34,6 +34,35 @@ --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">; + <vuln vid="f9e96930-e6df-11dc-8c6a-00304881ac9a"> + <topic>pcre -- buffer overflow vulnerability</topic> + <affects> + <package> + <name>pcre</name> + <range><lt>7.6</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>PCRE developers report:</p> + <blockquote cite="http://pcre.org/changelog.txt">; + <p>A character class containing a very large number of characters with + codepoints greater than 255 (in UTF-8 mode, of course) caused a + buffer overflow.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2008-0674</cvename> + <bid>27786</bid> + <url>http://pcre.org/changelog.txt</url>; + </references> + <dates> + <discovery>2008-01-28</discovery> + <entry>2008-02-29</entry> + </dates> + </vuln> + <vuln vid="e8a6a16d-e498-11dc-bb89-000bcdc1757a"> <topic>libxine -- buffer overflow vulnerability</topic> <affects> --- pcre_vuln.patch ends here --- >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20080229162637.E458161E22>