Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 198983 - www-client/kazehakase < 0.5.0 Multiple issues in embedded PCRE
Summary: www-client/kazehakase < 0.5.0 Multiple issues in embedded PCRE
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: http://secunia.com/advisories/27543/
Whiteboard: B2 [glsa]
Keywords:
Depends on: 198845
Blocks:
  Show dependency tree
 
Reported: 2007-11-12 22:55 UTC by Robert Buchholz (RETIRED)
Modified: 2008-01-30 22:40 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2007-11-12 22:55:55 UTC 
Kazehakase ships a copy of PCRE which is vulnerable to several security issues as pointed out in bug #198198.

Version 0.5.0 uses GRegEx as a regular expression engine, so it is unaffected.

Maintainers, please advise on the following questions:
* What is PCRE in Kazehakase used for? Especially: Can inputs come from outside (i.e. bookmark imports)?
* Is 0.5.0 ok for stabling?
Comment 1 MATSUU Takuto (RETIRED) gentoo-dev 2007-11-13 05:10:41 UTC 
pcre is used for incremental search by GRegex. its only enabled with migemo USE flag.
kazehakase-0.5.0 is enough to stable, but it depends on >=x11-libs/gtk+-2.12.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2007-11-14 00:01:08 UTC 
Arches, please test and mark stable www-client/kazehakase-0.5.0.
Target keywords : "amd64 ppc sparc x86"

Please note the comment above, this needs to be done after you're off of bug 198845.
Comment 3 Christian Faulhammer (RETIRED) gentoo-dev 2007-11-14 07:56:35 UTC 
x86 stable
Comment 4 Alex Howells (RETIRED) gentoo-dev 2007-11-14 15:31:39 UTC 
stable on amd64
Comment 5 Raúl Porcel (RETIRED) gentoo-dev 2007-11-15 15:12:48 UTC 
sparc stable
Comment 6 Tobias Scherbaum (RETIRED) gentoo-dev 2007-11-18 11:12:24 UTC 
ppc stable
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2007-11-18 14:21:49 UTC 
I'll set this [glsa?] because I'm still not sure if it is exploitable by remote attackers - Can someone send trick me into opening a file / link that might lead to execution of code?
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2007-12-02 12:33:42 UTC 
(In reply to comment #7)
> I'll set this [glsa?] because I'm still not sure if it is exploitable by remote
> attackers - Can someone send trick me into opening a file / link that might
> lead to execution of code?

Matsuu?
Comment 9 MATSUU Takuto (RETIRED) gentoo-dev 2007-12-04 10:33:40 UTC 
sorry
I checked source code once again, and it seems that PCRE is used for migemo, history, and bookmark.
I'm presently checking with upstream about it.
http://lists.sourceforge.jp/mailman/archives/kazehakase-devel/2007-December/002774.html
Comment 10 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-12-30 18:39:26 UTC 
(In reply to comment #9)
> sorry
> I checked source code once again, and it seems that PCRE is used for migemo,
> history, and bookmark.
> I'm presently checking with upstream about it.
> http://lists.sourceforge.jp/mailman/archives/kazehakase-devel/2007-December/002774.html
> 

Any news here? I don't speak japanese :)
Comment 11 MATSUU Takuto (RETIRED) gentoo-dev 2007-12-31 11:04:09 UTC 
ah, sorry.
in smart bookmark feature, GRegEX is used to body contents. so, perhaps it is exploitable by remote attackers.
http://lists.sourceforge.jp/mailman/archives/kazehakase-devel/2007-December/002775.html
Comment 13 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-01-06 18:14:45 UTC 
I tend to vote YES.
Comment 14 Robert Buchholz (RETIRED) gentoo-dev 2008-01-06 23:02:35 UTC 
YES. filed.
Comment 15 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-01-30 22:40:20 UTC 
GLSA 200801-18, sorry for the delay.