Summary: | dev-libs/glib <2.16.3-r1 PCRE Heap-based buffer overflow (CVE-2008-2371) | ||||||||
---|---|---|---|---|---|---|---|---|---|
Product: | Gentoo Security | Reporter: | Robert Buchholz (RETIRED) <rbu> | ||||||
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> | ||||||
Status: | RESOLVED FIXED | ||||||||
Severity: | normal | CC: | gnome | ||||||
Priority: | High | ||||||||
Version: | unspecified | ||||||||
Hardware: | All | ||||||||
OS: | Linux | ||||||||
Whiteboard: | A2 [glsa] | ||||||||
Package list: | Runtime testing required: | --- | |||||||
Bug Depends on: | 228091 | ||||||||
Bug Blocks: | |||||||||
Attachments: |
|
Description
Robert Buchholz (RETIRED)
2008-06-29 15:43:20 UTC
Created attachment 158919 [details]
Ebuild that applies the patch that fixes it
Created attachment 158921 [details, diff]
The applied patch that fixes the heap-based buffer overflow
Arch Security Liaisons, please test the attached ebuild and report it stable on this bug. Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86" CC'ing current Liaisons: alpha : yoswink amd64 : welp hppa : jer ppc : dertobi123 ppc64 : corsair sparc : fmccor x86 : opfer x86 good to go. In alpha: - compiles just fine with several USE flags combinations - tests passed Seems ok. Looks okay on ia64/sparc OK for HPPA. Lifting embargo, Gnome team please commit straight to stable for the arches that tested. Good to go on AMD64 too The ebuild has been added to the tree. =dev-libs/glib-2.16.3-r1 Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86" Already stabled : "alpha amd64 hppa ia64 sparc x86" Missing keywords: "arm m68k ppc ppc64 s390 sh" CCing the remaining arches. Please stabilize. Security@ - this is much less widespread through glib than pcre proper, so I believe "A2" status should not be an "A" at least. While glib is quite widely used, PCRE code is exposed only via the GRegex API, which is not used by many glib using packages. "B" perhaps as it's not a system package. I also don't know what the status whiteboard should be now ppc64 stable As for whiteboard, the question should be: Is there at least one "A" program that exposes the API to attackers -- that is, allow compilation of regular expressions from a file, or from remote. Is there one within the Gnome default set of packages that does this? I am not aware of any, but I also don't know for sure there aren't. There are some GRegex users around by now, but most of those in turn are probably only using it with their own match strings in sources, but some might allow the user to enter it "locally" (in the X session or so). Or there might be no such things, as I said, not sure :( ppc stable GLSA 200807-03 |