Advisories

Mandriva Advisories

Package name: gnumeric
Date: August 26th, 2005
Advisory ID: MDKSA-2005:153
Affected versions: 10.1, CS3.0, 10.2
Synopsis: Updated gnumeric packages fix integer overflow vulnerability

Problem Description

Integer overflow in pcre_compile.c in Perl Compatible Regular
Expressions (PCRE) before 6.2, as used in multiple products, allows
attackers to execute arbitrary code via quantifier values in regular
expressions, which leads to a heap-based buffer overflow.

The gnumeric packages use a private copy of pcre code.

The updated packages have been patched to correct this problem.

Updated Packages

Mandrakelinux 10.1

0886c3abe93a6f99e9c388a2057678e2  10.1/RPMS/gnumeric-1.2.13-3.1.101mdk.i586.rpm
1f4b803c3a19763710cfb56b141fe4d2  10.1/SRPMS/gnumeric-1.2.13-3.1.101mdk.src.rpm

Mandrakelinux 10.1/X86_64

e6371dd0e84c22a47d2be3146f6efe1e  x86_64/10.1/RPMS/gnumeric-1.2.13-3.1.101mdk.x86_64.rpm
1f4b803c3a19763710cfb56b141fe4d2  x86_64/10.1/SRPMS/gnumeric-1.2.13-3.1.101mdk.src.rpm

Corporate Server 3.0

3510cf943ed010540a3659d23627f912  corporate/3.0/RPMS/gnumeric-1.2.6-1.1.C30mdk.i586.rpm
b296c5410c6bc28c2e5774d5024d3e43  corporate/3.0/SRPMS/gnumeric-1.2.6-1.1.C30mdk.src.rpm

Corporate Server 3.0/X86_64

58aedcd44337210db29fa0ee7123f7e0  x86_64/corporate/3.0/RPMS/gnumeric-1.2.6-1.1.C30mdk.x86_64.rpm
b296c5410c6bc28c2e5774d5024d3e43  x86_64/corporate/3.0/SRPMS/gnumeric-1.2.6-1.1.C30mdk.src.rpm

Mandriva Linux LE2005

9ce2fee0efdaac36d6f84374da737f61  10.2/RPMS/gnumeric-1.4.2-1.1.102mdk.i586.rpm
de0c185642dea43227c2bd8d04b05c19  10.2/SRPMS/gnumeric-1.4.2-1.1.102mdk.src.rpm

Mandriva Linux LE2005/X86_64

ebf2b9f3573524f8a956f6697f08efc9  x86_64/10.2/RPMS/gnumeric-1.4.2-1.1.102mdk.x86_64.rpm
de0c185642dea43227c2bd8d04b05c19  x86_64/10.2/SRPMS/gnumeric-1.4.2-1.1.102mdk.src.rpm

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2491

Upgrade

To upgrade automatically, use MandrivaUpdate.


Verification

Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command:

    rpm --checksig package.rpm

You can get the GPG public key of the Mandriva Security Team to verify the GPG signature of each RPM.

If you use MandrivaUpdate, the MD5 checksum and GPG signature are verified automatically for you.
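
For a manual download, the checksum comparison and signature check described above can be scripted. The following is an added example, not part of the original advisory or Mandriva's tooling; the function names check_advisory_md5 and verify_update are hypothetical, and it assumes the lines under "Updated Packages" have been saved to a text file.

```shell
#!/bin/sh
# Added example: compare a downloaded RPM with the advisory's MD5 list,
# then run the signature check. Function names are hypothetical.

# Usage: check_advisory_md5 CHECKSUM_LIST PACKAGE
# CHECKSUM_LIST holds lines copied from "Updated Packages":
#   <md5>  <repository-relative path>
# The advisory paths (for example 10.1/RPMS/...) will not match the local
# download location, so entries are matched on the file's base name.
# Returns 0 on match, 1 on mismatch, 2 if the file is unreadable or unlisted.
check_advisory_md5() {
    list=$1
    pkg=$2
    [ -r "$pkg" ] || return 2
    name=$(basename "$pkg")
    actual=$(md5sum "$pkg") || return 2
    actual=${actual%% *}            # keep only the hash field
    awk -v name="$name" -v actual="$actual" '
        NF >= 2 {
            n = split($2, parts, "/")
            if (parts[n] == name) {
                found = 1
                # The same SRPM is listed once per architecture; any
                # listed entry with a matching hash is accepted.
                if (tolower($1) == tolower(actual)) ok = 1
            }
        }
        END { if (!found) exit 2; exit(ok ? 0 : 1) }
    ' "$list"
}

# Usage: verify_update CHECKSUM_LIST PACKAGE
# The MD5 comparison catches a corrupted or mismatched download;
# authenticity rests on the GPG signature, so the Mandriva Security Team
# public key must already be imported for rpm --checksig to be meaningful.
verify_update() {
    check_advisory_md5 "$1" "$2" || {
        echo "MD5 check failed for $2" >&2
        return 1
    }
    rpm --checksig "$2"
}
```

Source the file and call verify_update with the saved checksum list and the downloaded package; a non-zero status means the package should not be installed.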