230039 2008-06-29 15:43 0000 dev-libs/glib <2.16.3-r1 PCRE Heap-based buffer overflow (CVE-2008-2371) 2008-07-07 20:35:49 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED A2 [glsa] P2 normal --- 228091 1 rbu@gentoo.org security@gentoo.org arm@gentoo.org gnome@gentoo.org m68k@gentoo.org s390@gentoo.org sh@gentoo.org rbu@gentoo.org 2008-06-29 15:43:20 0000 +++ This bug was initially created as a clone of Bug #228091 +++ ** Please note that this issue is confidential and no information should be disclosed until it is made public, see "Whiteboard" for a date ** Heap-based buffer overflow in PCRE as shipped by GLib, see blocker for details. leio@gentoo.org 2008-06-30 08:04:12 0000 Created an attachment (id=158919) Ebuild that applies the patch that fixes it leio@gentoo.org 2008-06-30 08:05:14 0000 Created an attachment (id=158921) The applied patch that fixes the heap-based buffer overflow leio@gentoo.org 2008-06-30 08:06:44 0000 Arch Security Liaisons, please test the attached ebuild and report it stable on this bug. Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86" CC'ing current Liaisons: alpha : yoswink amd64 : welp hppa : jer ppc : dertobi123 ppc64 : corsair sparc : fmccor x86 : opfer fauli@gentoo.org 2008-06-30 10:02:03 0000 x86 good to go. yoswink@gentoo.org 2008-06-30 13:44:34 0000 In alpha: - compiles just fine with several USE flags combinations - tests passed Seems ok. armin76@gentoo.org 2008-06-30 14:58:34 0000 Looks okay on ia64/sparc jer@gentoo.org 2008-06-30 16:41:21 0000 OK for HPPA. rbu@gentoo.org 2008-06-30 20:52:54 0000 Lifting embargo, Gnome team please commit straight to stable for the arches that tested. welp@gentoo.org 2008-07-01 00:45:59 0000 Good to go on AMD64 too leio@gentoo.org 2008-07-01 02:14:27 0000 The ebuild has been added to the tree. =dev-libs/glib-2.16.3-r1 Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86" Already stabled : "alpha amd64 hppa ia64 sparc x86" Missing keywords: "arm m68k ppc ppc64 s390 sh" CCing the remaining arches. Please stabilize. Security@ - this is much less widespread through glib than pcre proper, so I believe "A2" status should not be an "A" at least. While glib is quite widely used, PCRE code is exposed only via the GRegex API, which is not used by many glib using packages. "B" perhaps as it's not a system package. I also don't know what the status whiteboard should be now corsair@gentoo.org 2008-07-01 05:27:21 0000 ppc64 stable rbu@gentoo.org 2008-07-01 08:27:38 0000 As for whiteboard, the question should be: Is there at least one "A" program that exposes the API to attackers -- that is, allow compilation of regular expressions from a file, or from remote. Is there one within the Gnome default set of packages that does this? leio@gentoo.org 2008-07-01 17:03:43 0000 I am not aware of any, but I also don't know for sure there aren't. There are some GRegex users around by now, but most of those in turn are probably only using it with their own match strings in sources, but some might allow the user to enter it "locally" (in the X session or so). Or there might be no such things, as I said, not sure :( dertobi123@gentoo.org 2008-07-05 10:10:23 0000 ppc stable rbu@gentoo.org 2008-07-07 20:35:49 0000 GLSA 200807-03 158919 2008-06-30 08:04 0000 Ebuild that applies the patch that fixes it glib-2.16.3-r1.ebuild text/plain IyBDb3B5cmlnaHQgMTk5OS0yMDA4IEdlbnRvbyBGb3VuZGF0aW9uCiMgRGlzdHJpYnV0ZWQgdW5k ZXIgdGhlIHRlcm1zIG9mIHRoZSBHTlUgR2VuZXJhbCBQdWJsaWMgTGljZW5zZSB2MgojICRIZWFk ZXI6IC92YXIvY3Zzcm9vdC9nZW50b28teDg2L2Rldi1saWJzL2dsaWIvZ2xpYi0yLjE2LjMuZWJ1 aWxkLHYgMS44IDIwMDgvMDYvMjEgMjA6MDc6MzQgY29yc2FpciBFeHAgJAoKaW5oZXJpdCBnbm9t ZS5vcmcgbGlidG9vbCBldXRpbHMgZmxhZy1vLW1hdGljCgpERVNDUklQVElPTj0iVGhlIEdMaWIg bGlicmFyeSBvZiBDIHJvdXRpbmVzIgpIT01FUEFHRT0iaHR0cDovL3d3dy5ndGsub3JnLyIKCkxJ Q0VOU0U9IkxHUEwtMiIKU0xPVD0iMiIKS0VZV09SRFM9ImFscGhhIGFtZDY0IH5hcm0gfmhwcGEg aWE2NCB+bTY4ayB+bWlwcyBwcGMgcHBjNjQgfnMzOTAgfnNoIHNwYXJjIH5zcGFyYy1mYnNkIHg4 NiB+eDg2LWZic2QiCklVU0U9ImRlYnVnIGRvYyBmYW0gaGFyZGVuZWQgc2VsaW51eCB4YXR0ciIK ClJERVBFTkQ9InZpcnR1YWwvbGliYwoJCSB2aXJ0dWFsL2xpYmljb252CgkJIHhhdHRyPyAoIHN5 cy1hcHBzL2F0dHIgKQoJCSBmYW0/ICggdmlydHVhbC9mYW0gKSIKREVQRU5EPSIke1JERVBFTkR9 CgkJPj1kZXYtdXRpbC9wa2djb25maWctMC4xNgoJCT49c3lzLWRldmVsL2dldHRleHQtMC4xMQoJ CWRvYz8JKAoJCQkJCT49ZGV2LWxpYnMvbGlieHNsdC0xLjAKCQkJCQk+PWRldi11dGlsL2d0ay1k b2MtMS44CgkJCQkJfmFwcC10ZXh0L2RvY2Jvb2steG1sLWR0ZC00LjEuMgoJCQkJKSIKCnNyY191 bnBhY2soKSB7Cgl1bnBhY2sgJHtBfQoJY2QgIiR7U30iCgoJaWYgdXNlIHBwYzY0ICYmIHVzZSBo YXJkZW5lZCA7IHRoZW4KCQlyZXBsYWNlLWZsYWdzIC1PWzItM10gLU8xCgkJZXBhdGNoICIke0ZJ TEVTRElSfS9nbGliLTIuNi4zLXRlc3RnbGliLXNzcC5wYXRjaCIKCWZpCgoJaWYgdXNlIGlhNjQg OyB0aGVuCgkJIyBPbmx5IGFwcGx5IGZvciA8IDQuMQoJCWxvY2FsIG1ham9yPSQoZ2NjLW1ham9y LXZlcnNpb24pCgkJbG9jYWwgbWlub3I9JChnY2MtbWlub3ItdmVyc2lvbikKCQlpZiAoKCBtYWpv ciA8IDQgfHwgKCBtYWpvciA9PSA0ICYmIG1pbm9yID09IDAgKSApKTsgdGhlbgoJCQllcGF0Y2gg IiR7RklMRVNESVJ9L2dsaWItMi4xMC4zLWlhNjQtYXRvbWljLW9wcy5wYXRjaCIKCQlmaQoJZmkK CglzZWQgLWUgInMvTUFUQ0hfTElNSVRfUkVDVVJTSU9OPTEwMDAwMDAwL01BVENIX0xJTUlUX1JF Q1VSU0lPTj04MTkyL2ciIFwKCQktaSAiJHtTfS9nbGliL3BjcmUvTWFrZWZpbGUuaW4iICIke1N9 L2dsaWIvcGNyZS9NYWtlZmlsZS5hbSIKCgkjIEJ1ZyAyMzAwMzksIGhlYXAgYmFzZWQgYnVmZmVy IG92ZXJmbG93IGluIGluY2x1ZGVkIGNvcHkgb2YgcGNyZSAoQ1ZFLTIwMDgtMjM3MSkKCWVwYXRj aCAiJHtGSUxFU0RJUn0vJHtQfS1wY3JlLWJ1ZmZlci1vdmVyZmxvdy5wYXRjaCIKCgkjIEdOT01F IGJ1ZyAjNTM4ODM2LCBmaXggZ2lvIHRlc3QgZmFpbHVyZSBvbiB2YXJpb3VzIGFyY2hlcwoJc2Vk IC1pIC1lICdzOnxcXDxnX2F0b21pY19pbnRcXHw6fFxcPGdfYXRvbWljX2ludFxcfFxcPGdfYXRv bWljX3BvaW50ZXJfZ2V0XFx8OicgXAoJCSIke1N9L2dpby9wbHRjaGVjay5zaCIKCgkjIEZpeCBn bW9kdWxlIGlzc3VlcyBvbiBmYnNkOyBidWcgIzE4NDMwMQoJZXBhdGNoICIke0ZJTEVTRElSfSIv JHtQTn0tMi4xMi4xMi1mYnNkLnBhdGNoCgoJW1sgJHtDSE9TVH0gPT0gKi1mcmVlYnNkKiBdXSAm JiBlbGlidG9vbGl6ZQp9CgpzcmNfY29tcGlsZSgpIHsKCWxvY2FsIG15Y29uZgoKCWVwdW50X2N4 eAoKCSMgQnVpbGRpbmcgd2l0aCAtLWRpc2FibGUtZGVidWcgaGlnaGx5IHVucmVjb21tZW5kZWQu ICBJdCB3aWxsIGJ1aWxkIGdsaWIgaW4KCSMgYW4gdW51c2FibGUgZm9ybSBhcyBpdCBkaXNhYmxl cyBzb21lIGNvbW1vbmx5IHVzZWQgQVBJLiAgUGxlYXNlIGRvIG5vdAoJIyBjb252ZXJ0IHRoaXMg dG8gdGhlIHVzZV9lbmFibGUgZm9ybSwgYXMgaXQgcmVzdWx0cyBpbiBhIGJyb2tlbiBidWlsZC4K CSMgLS0gY29tcG5lcmQgKDMvMjcvMDYpCgl1c2UgZGVidWcgJiYgbXljb25mPSItLWVuYWJsZS1k ZWJ1ZyIKCgkjIGFsd2F5cyBidWlsZCBzdGF0aWMgbGlicywgc2VlICMxNTM4MDcKCWVjb25mICR7 bXljb25mfSAgICAgICAgICAgICAgICAgXAoJCSAgJCh1c2VfZW5hYmxlIHhhdHRyKSAgICAgICBc CgkJICAkKHVzZV9lbmFibGUgZG9jIG1hbikgICAgIFwKCQkgICQodXNlX2VuYWJsZSBkb2MgZ3Rr LWRvYykgXAoJCSAgJCh1c2VfZW5hYmxlIGZhbSkgICAgICAgICBcCgkJICAkKHVzZV9lbmFibGUg c2VsaW51eCkgICAgIFwKCQkgIC0tZW5hYmxlLXN0YXRpYyAgICAgICAgICAgXAoJCSAgLS13aXRo LXRocmVhZHM9cG9zaXggfHwgZGllICJjb25maWd1cmUgZmFpbGVkIgoKCWVtYWtlIHx8IGRpZSAi bWFrZSBmYWlsZWQiCn0KCnNyY19pbnN0YWxsKCkgewoJZW1ha2UgREVTVERJUj0iJHtEfSIgaW5z dGFsbCB8fCBkaWUgIkluc3RhbGxhdGlvbiBmYWlsZWQiCgoJIyBEbyBub3QgaW5zdGFsbCBjaGFy c2V0LmFsaWFzIGV2ZW4gaWYgZ2VuZXJhdGVkLCBsZWF2ZSBpdCB0byBsaWJpY29udgoJcm0gLWYg IiR7RH0vdXNyL2xpYi9jaGFyc2V0LmFsaWFzIgoKCWRvZG9jIEFVVEhPUlMgQ2hhbmdlTG9nKiBO RVdTKiBSRUFETUUKfQo= 158921 2008-06-30 08:05 0000 The applied patch that fixes the heap-based buffer overflow glib-2.16.3-pcre-buffer-overflow.patch text/plain LS0tIGdsaWIvcGNyZS9wY3JlX2NvbXBpbGUuYy5vcmlnCTIwMDgtMDYtMzAgMTA6NDI6NTQuMDAw MDAwMDAwICswMzAwCisrKyBnbGliL3BjcmUvcGNyZV9jb21waWxlLmMJMjAwOC0wNi0zMCAxMDo0 MzoxMC4wMDAwMDAwMDAgKzAzMDAKQEAgLTQ2OTksMTEgKzQ2OTksMTEgQEAgd2Ugc2V0IHRoZSBm bGFnIG9ubHkgaWYgdGhlcmUgaXMgYSBsaXRlcgogICAgICAgICAgIHsKICAgICAgICAgICBpZiAo Y29kZSA9PSBjZC0+c3RhcnRfY29kZSArIDEgKyBMSU5LX1NJWkUgJiYKICAgICAgICAgICAgICAg IChsZW5ndGhwdHIgPT0gTlVMTCB8fCAqbGVuZ3RocHRyID09IDIgKyAyKkxJTktfU0laRSkpCiAg ICAgICAgICAgICB7CiAgICAgICAgICAgICBjZC0+ZXh0ZXJuYWxfb3B0aW9ucyA9IG5ld29wdGlv bnM7Ci0gICAgICAgICAgICBvcHRpb25zID0gbmV3b3B0aW9uczsKKyAgICAgICAgICAgIG9wdGlv bnMgPSAqb3B0aW9uc3B0ciA9IG5ld29wdGlvbnM7CiAgICAgICAgICAgICB9CiAgICAgICAgICBl bHNlCiAgICAgICAgICAgICB7CiAgICAgICAgICAgICBpZiAoKG9wdGlvbnMgJiBQQ1JFX0lNUykg IT0gKG5ld29wdGlvbnMgJiBQQ1JFX0lNUykpCiAgICAgICAgICAgICAgIHsK