Kazehakase ships a copy of PCRE which is vulnerable to several security issues as pointed out in bug #198198. Version 0.5.0 uses GRegEx as a regular expression engine, so it is unaffected.
Maintainers, please advise on the following questions:
* What is PCRE in Kazehakase used for? Especially: Can inputs come from outside (i.e. bookmark imports)?
* Is 0.5.0 ok for stabling?
pcre is used for incremental search by GRegex. It's only enabled with the migemo USE flag. kazehakase-0.5.0 is good enough to go stable, but it depends on >=x11-libs/gtk+-2.12.
Arches, please test and mark stable www-client/kazehakase-0.5.0. Target keywords : "amd64 ppc sparc x86" Please note the comment above, this needs to be done after you're off of bug 198845.
x86 stable
stable on amd64
sparc stable
ppc stable
I'll set this [glsa?] because I'm still not sure if it is exploitable by remote attackers - Can someone trick me into opening a file / link that might lead to execution of code?
(In reply to comment #7)
> I'll set this [glsa?] because I'm still not sure if it is exploitable by remote
> attackers - Can someone trick me into opening a file / link that might
> lead to execution of code?
Matsuu?
Sorry, I checked the source code once again, and it seems that PCRE is used for migemo, history, and bookmark. I'm presently checking with upstream about it.
http://lists.sourceforge.jp/mailman/archives/kazehakase-devel/2007-December/002774.html
(In reply to comment #9)
> Sorry,
> I checked the source code once again, and it seems that PCRE is used for migemo,
> history, and bookmark.
> I'm presently checking with upstream about it.
> http://lists.sourceforge.jp/mailman/archives/kazehakase-devel/2007-December/002774.html
>
Any news here? I don't speak Japanese :)
Ah, sorry. In the smart bookmark feature, GRegEX is used on body contents. So, perhaps it is exploitable by remote attackers.
http://lists.sourceforge.jp/mailman/archives/kazehakase-devel/2007-December/002775.html
FYI: http://www.google.com/translate?u=http%3A%2F%2Flists.sourceforge.jp%2Fmailman%2Farchives%2Fkazehakase-devel%2F2007-December%2F002775.html&langpair=ja%7Cen
I tend to vote YES.
YES. filed.
GLSA 200801-18, sorry for the delay.