CVE-2007-4767

Name	CVE-2007-4767
Description	Perl-Compatible Regular Expression (PCRE) library before 7.3 does not properly compute the length of (1) a \p sequence, (2) a \P sequence, or (3) a \P{x} sequence, which allows context-dependent attackers to cause a denial of service (infinite loop or crash) or execute arbitrary code.
Source	CVE (at NVD; oss-sec, fulldisc, OSVDB, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, more)
References	DSA-1399-1, DSA-1570-1, DTSA-77-1
NVD severity	medium (attack range: remote)
Debian/oldstable	not vulnerable.
Debian/stable	not vulnerable.
Debian/testing	not vulnerable.
Debian/unstable	not vulnerable.

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
glib2.0 (PTS)	squeeze	2.24.2-1	fixed
	wheezy	2.33.12+really2.32.4-5	fixed
	jessie, sid	2.42.1-1	fixed
kazehakase (PTS)	squeeze	0.5.8-4	fixed
pcre3 (PTS)	squeeze	8.02-1.1	fixed
	wheezy	1:8.30-5	fixed
	jessie, sid	2:8.35-3.3	fixed

The information above is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin
glib2.0	source	(unstable)	2.14.3-1	unimportant
kazehakase	source	(unstable)	0.5.2-1	medium
kazehakase	source	etch	0.4.2-1etch1	medium	DSA-1570-1
pcre3	source	(unstable)	7.3-1	medium
pcre3	source	etch	6.7+7.4-2	medium	DSA-1399-1
pcre3	source	lenny	6.7+7.4-2+lenny1	medium	DTSA-77-1
pcre3	source	sarge	4.5+7.4-1	medium	DSA-1399-1

glib only embeds pcre in the udeb, no attack vector