Bug 198983 - www-client/kazehakase < 0.5.0 Multiple issues in embedded PCRE
Bug#: 198983
Product: Gentoo Security
Version: unspecified
Platform: All
OS/Version: Linux
Status: RESOLVED
Severity: minor
Priority: P2
Resolution: FIXED
Assigned To: security@gentoo.org
Reported By: rbu@gentoo.org
Component: Vulnerabilities
URL:  http://secunia.com/advisories/27543/
Summary: www-client/kazehakase < 0.5.0 Multiple issues in embedded PCRE
Keywords:  
Status Whiteboard: B2 [glsa]
Opened: 2007-11-12 22:55 0000
Description:
Kazehakase ships a copy of PCRE which is vulnerable to several security issues
as pointed out in bug #198198.

Version 0.5.0 uses GRegEx as a regular expression engine, so it is unaffected.

Maintainers, please advise on the following questions:
* What is PCRE in Kazehakase used for? Especially: Can inputs come from outside
(i.e. bookmark imports)?
* Is 0.5.0 ok for stabling?

------- Comment #1 From MATSUU Takuto 2007-11-13 05:10:41 0000 -------
pcre is used for incremental search by GRegex. it's only enabled with migemo USE
flag.
kazehakase-0.5.0 is enough to stable, but it depends on >=x11-libs/gtk+-2.12.

------- Comment #2 From Robert Buchholz 2007-11-14 00:01:08 0000 -------
Arches, please test and mark stable www-client/kazehakase-0.5.0.
Target keywords : "amd64 ppc sparc x86"

Please note the comment above, this needs to be done after you're off of bug
198845.

------- Comment #3 From Christian Faulhammer 2007-11-14 07:56:35 0000 -------
x86 stable

------- Comment #4 From Alex Howells 2007-11-14 15:31:39 0000 -------
stable on amd64

------- Comment #5 From Raúl Porcel 2007-11-15 15:12:48 0000 -------
sparc stable

------- Comment #6 From Tobias Scherbaum 2007-11-18 11:12:24 0000 -------
ppc stable

------- Comment #7 From Robert Buchholz 2007-11-18 14:21:49 0000 -------
I'll set this [glsa?] because I'm still not sure if it is exploitable by remote
attackers - Can someone send trick me into opening a file / link that might
lead to execution of code?

------- Comment #8 From Robert Buchholz 2007-12-02 12:33:42 0000 -------
(In reply to comment #7)
> I'll set this [glsa?] because I'm still not sure if it is exploitable by remote
> attackers - Can someone send trick me into opening a file / link that might
> lead to execution of code?

Matsuu?

------- Comment #9 From MATSUU Takuto 2007-12-04 10:33:40 0000 -------
sorry
I checked source code once again, and it seems that PCRE is used for migemo,
history, and bookmark.
I'm presently checking with upstream about it.
http://lists.sourceforge.jp/mailman/archives/kazehakase-devel/2007-December/002774.html

------- Comment #10 From Pierre-Yves Rofes 2007-12-30 18:39:26 0000 -------
(In reply to comment #9)
> sorry
> I checked source code once again, and it seems that PCRE is used for migemo,
> history, and bookmark.
> I'm presently checking with upstream about it.
> http://lists.sourceforge.jp/mailman/archives/kazehakase-devel/2007-December/002774.html
> 

Any news here? I don't speak Japanese :)

------- Comment #11 From MATSUU Takuto 2007-12-31 11:04:09 0000 -------
ah, sorry.
in smart bookmark feature, GRegEX is used to body contents. so, perhaps it is
exploitable by remote attackers.
http://lists.sourceforge.jp/mailman/archives/kazehakase-devel/2007-December/002775.html

------- Comment #12 From MATSUU Takuto 2007-12-31 11:08:17 0000 -------
FYI:
http://www.google.com/translate?u=http%3A%2F%2Flists.sourceforge.jp%2Fmailman%2Farchives%2Fkazehakase-devel%2F2007-December%2F002775.html&langpair=ja%7Cen

------- Comment #13 From Sune Kloppenborg Jeppesen 2008-01-06 18:14:45 0000 -------
I tend to vote YES.

------- Comment #14 From Robert Buchholz 2008-01-06 23:02:35 0000 -------
YES. filed.

------- Comment #15 From Pierre-Yves Rofes 2008-01-30 22:40:20 0000 -------
GLSA 200801-18, sorry for the delay.