Slackware Updates: PHP, PCRE and Gaim

There are new Slackware packages available for PHP, PCRE and Gaim.

Here’s more info regarding the PHP update:

New PHP packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, and -current to fix security issues. PHP has been relinked with the shared PCRE library to fix an overflow issue with PHP’s builtin PRCE code, and PEAR::XMLRPC has been upgraded to version 1.4.0 which eliminates the eval() function. The eval() function is believed to be insecure as implemented, and would be difficult to secure.

Note that these new packages now require that the PCRE package be installed, so be sure to get the new package from the patches/packages/ directory if you don’t already have it. A new version of this (6.3) was also issued today, so be sure that is the one you install.

More details about these issues may be found in the Common Vulnerabilities and Exposures (CVE) database:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2491
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2498

Here’s some information on the related update of the PCRE lib:

New PCRE packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, and -current to fix a security issue. A buffer overflow could be triggered by a specially crafted regular expression. Any applications that use PCRE to process untrusted regular expressions may be exploited to run arbitrary code as the user running the application.

The PCRE library is also provided in an initial installation by the aaa_elflibs package, so if your system has a /usr/lib/libpcre.so.0 symlink, then you should install this updated package even if the PCRE package itself is not installed on the system.

More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2491

Last but not least, here are details of the Gaim update:

New gaim packages are available for Slackware 9.0, 9.1, 10.0, 10.1, and -current to fix some security issues. including:

  • AIM/ICQ away message buffer overflow
  • AIM/ICQ non-UTF-8 filename crash
  • Gadu-Gadu memory alignment bug

Sites that use GAIM should upgrade to the new version.

More details about these issues may be found in the Common Vulnerabilities and Exposures (CVE) database:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2103
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2102
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2370

Updated packages can be downloaded from the Slackware Package Browser or using automated package management tools like Swaret or slapt-get.