209293 2008-02-07 20:50 0000 dev-libs/glib-2.14.6 fixes potential buffer overflow in included pcre copy 2008-03-19 23:04:37 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED C1 [glsa] STABLEREQ P2 normal --- 209067 1 leio@gentoo.org security@gentoo.org arm@gentoo.org gnome@gentoo.org m68k@gentoo.org s390@gentoo.org sh@gentoo.org leio@gentoo.org 2008-02-07 20:50:58 0000 Per bug 209067 libpcre-7.6 fixes a buffer overflow issue: 1. A character class containing a very large number of characters with codepoints greater than 255 (in UTF-8 mode, of course) caused a buffer overflow. dev-libs/glib includes a copy of libpcre since 2.14.0 that we also use (instead of the system pcre) for GRegex API due to the copy including patches useful for GRegex, but not yet in pcre. Therefore glib is affected by this as well, for glib users that use the GRegex API. The internal copy of pcre has been updated to 7.6 in glib-2.14.6 and it is also now in the portage tree. Security team: glib from 2.14.0 through 2.14.5 is vulnerable to this bug, while 2.14.6 is fixed with the update of the copy and earlier (2.12.* and earlier) did not have GRegex and included pcre. Arch teams: please stabilize glib-2.14.6 - it's only changes compared to glib-2.14.5 are the updated pcre and a couple translation updates. maekke@gentoo.org 2008-02-07 21:10:55 0000 x86 stable ranger@gentoo.org 2008-02-08 00:04:52 0000 ppc64 stable ranger@gentoo.org 2008-02-08 00:12:24 0000 ppc64 stable dertobi123@gentoo.org 2008-02-08 08:31:24 0000 ppc stable jer@gentoo.org 2008-02-08 14:00:41 0000 Stable for HPPA. armin76@gentoo.org 2008-02-08 15:54:08 0000 alpha/ia64/sparc stable tester@gentoo.org 2008-02-10 22:12:43 0000 amd64 done jaervosz@gentoo.org 2008-02-11 20:28:51 0000 AFAIK impact is still unknown for PCRE. pva@gentoo.org 2008-02-23 17:28:41 0000 Fixed in release snapshot. rbu@gentoo.org 2008-03-04 14:21:39 0000 glsa together with bug 209067. keytoaster@gentoo.org 2008-03-19 23:04:37 0000 GLSA 200803-24