Bug#: 104009
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Thierry Carrez (RETIRED) <koon@gentoo.org>

Description:   Opened: 2005-08-28 01:05 0000
Python sources apparently include their own (affected) copy of the libpcre
library. See bug 103337 for details on the vulnerability.

If possible, it might be a good idea to make Python build against the system
libpcre rather than using the internal copy.

Ccing maintainers for advice.

------- Comment #1 From Thierry Carrez (RETIRED) 2005-09-02 00:35:17 0000 -------
"In python, the impact depends on the particular application that uses
python's "re" (regular expression) module. In python server
applications that process unchecked arbitrary regular expressions with
the "re" module, this could potentially be exploited to remotely
execute arbitrary code with the privileges of the server."

------- Comment #2 From Thierry Carrez (RETIRED) 2005-09-07 07:22:51 0000 -------
Let's hope kloeri recovers fast, I would hate having to mask Python.

------- Comment #3 From Bryan Østergaard (RETIRED) 2005-09-08 14:43:02 0000 -------
python-2.3.5-r2 added to the tree with pcre patch from Ubuntu included. Python
2.4 isn't affected by this bug as it doesn't include its own pcre version.

------- Comment #4 From Sune Kloppenborg Jeppesen 2005-09-08 21:59:15 0000 -------
Arches please test and mark stable. 

------- Comment #5 From Chris Gianelloni (RETIRED) 2005-09-09 06:02:33 0000 -------
Already stable on these arches, removing from CC

------- Comment #6 From Chris Gianelloni (RETIRED) 2005-09-09 06:03:00 0000 -------
Sorry for the spam... forgot to click the "remove" button...

------- Comment #7 From Markus Rothe 2005-09-09 10:04:39 0000 -------
stable on ppc64

------- Comment #8 From Josh Grebe (RETIRED) 2005-09-09 12:36:17 0000 -------
Sparc looks good, removing cc.

------- Comment #9 From MATSUU Takuto 2005-09-09 23:08:26 0000 -------
stable on sh

------- Comment #10 From Michael Hanselmann (hansmi) (RETIRED) 2005-09-10 01:05:54 0000 -------
Stable on ppc and hppa.

------- Comment #11 From Simon Stelling (RETIRED) 2005-09-11 03:25:01 0000 -------
amd64 stable, sorry for the delay

------- Comment #12 From Thierry Carrez (RETIRED) 2005-09-12 13:36:33 0000 -------
GLSA 200509-08
mips should mark stable to benefit from GLSA

------- Comment #13 From Aaron Walker (RETIRED) 2005-09-14 16:16:57 0000 -------
mips stable.
