198983 2007-11-12 22:55 0000 www-client/kazehakase < 0.5.0 Multiple issues in embedded PCRE 2008-01-30 22:40:20 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://secunia.com/advisories/27543/ B2 [glsa] P2 minor --- 198845 1 rbu@gentoo.org security@gentoo.org matsuu@gentoo.org mozilla@gentoo.org nakano@gentoo.org rbu@gentoo.org 2007-11-12 22:55:55 0000 Kazehakase ships a copy of PCRE which is vulnerable to several security issues as pointed out in bug #198198. Version 0.5.0 uses GRegEx as a regular expression engine, so it is unaffected. Maintainers, please advise on the following questions: * What is PCRE in Kazehakase used for? Especially: Can inputs come from outside (i.e. bookmark imports)? * Is 0.5.0 ok for stabling? matsuu@gentoo.org 2007-11-13 05:10:41 0000 pcre is used for incremental search by GRegex. its only enabled with migemo USE flag. kazehakase-0.5.0 is enough to stable, but it depends on >=x11-libs/gtk+-2.12. rbu@gentoo.org 2007-11-14 00:01:08 0000 Arches, please test and mark stable www-client/kazehakase-0.5.0. Target keywords : "amd64 ppc sparc x86" Please note the comment above, this needs to be done after you're off of bug 198845. fauli@gentoo.org 2007-11-14 07:56:35 0000 x86 stable astinus@gentoo.org 2007-11-14 15:31:39 0000 stable on amd64 armin76@gentoo.org 2007-11-15 15:12:48 0000 sparc stable dertobi123@gentoo.org 2007-11-18 11:12:24 0000 ppc stable rbu@gentoo.org 2007-11-18 14:21:49 0000 I'll set this [glsa?] because I'm still not sure if it is exploitable by remote attackers - Can someone send trick me into opening a file / link that might lead to execution of code? rbu@gentoo.org 2007-12-02 12:33:42 0000 (In reply to comment #7) > I'll set this [glsa?] because I'm still not sure if it is exploitable by remote > attackers - Can someone send trick me into opening a file / link that might > lead to execution of code? Matsuu? matsuu@gentoo.org 2007-12-04 10:33:40 0000 sorry I checked source code once again, and it seems that PCRE is used for migemo, history, and bookmark. I'm presently checking with upstream about it. http://lists.sourceforge.jp/mailman/archives/kazehakase-devel/2007-December/002774.html py@gentoo.org 2007-12-30 18:39:26 0000 (In reply to comment #9) > sorry > I checked source code once again, and it seems that PCRE is used for migemo, > history, and bookmark. > I'm presently checking with upstream about it. > http://lists.sourceforge.jp/mailman/archives/kazehakase-devel/2007-December/002774.html > Any news here? I don't speak japanese :) matsuu@gentoo.org 2007-12-31 11:04:09 0000 ah, sorry. in smart bookmark feature, GRegEX is used to body contents. so, perhaps it is exploitable by remote attackers. http://lists.sourceforge.jp/mailman/archives/kazehakase-devel/2007-December/002775.html matsuu@gentoo.org 2007-12-31 11:08:17 0000 FYI: http://www.google.com/translate?u=http%3A%2F%2Flists.sourceforge.jp%2Fmailman%2Farchives%2Fkazehakase-devel%2F2007-December%2F002775.html&langpair=ja%7Cen jaervosz@gentoo.org 2008-01-06 18:14:45 0000 I tend to vote YES. rbu@gentoo.org 2008-01-06 23:02:35 0000 YES. filed. py@gentoo.org 2008-01-30 22:40:20 0000 GLSA 200801-18, sorry for the delay.