Bug#: 230039
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Robert Buchholz <rbu@gentoo.org>

Attachments:
Filename | Description | Type | Creator | Created | Size
glib-2.16.3-r1.ebuild | Ebuild that applies the patch that fixes it | text/plain | Mart Raudsepp | 2008-06-30 08:04 0000 | 2.63 KB
glib-2.16.3-pcre-buffer-overflow.patch | The applied patch that fixes the heap-based buffer overflow | patch | Mart Raudsepp | 2008-06-30 08:05 0000 | 615 bytes

Bug 230039 depends on: 228091


Description:   Opened: 2008-06-29 15:43 0000
+++ This bug was initially created as a clone of Bug #228091 +++

** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **

Heap-based buffer overflow in PCRE as shipped by GLib, see blocker for details.

------- Comment #1 From Mart Raudsepp 2008-06-30 08:04:12 0000 -------
Created an attachment (id=158919) [details]
Ebuild that applies the patch that fixes it

------- Comment #2 From Mart Raudsepp 2008-06-30 08:05:14 0000 -------
Created an attachment (id=158921) [details]
The applied patch that fixes the heap-based buffer overflow

------- Comment #3 From Mart Raudsepp 2008-06-30 08:06:44 0000 -------
Arch Security Liaisons, please test the attached ebuild and report it
stable on this bug.
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

CC'ing current Liaisons:
alpha : yoswink
amd64 : welp
 hppa : jer
  ppc : dertobi123
ppc64 : corsair
sparc : fmccor
  x86 : opfer

------- Comment #4 From Christian Faulhammer 2008-06-30 10:02:03 0000 -------
x86 good to go.

------- Comment #5 From Jose Luis Rivero (yoswink) 2008-06-30 13:44:34 0000 -------
In alpha:
 - compiles just fine with several USE flags combinations
 - tests passed

Seems ok.

------- Comment #6 From Raúl Porcel 2008-06-30 14:58:34 0000 -------
Looks okay on ia64/sparc

------- Comment #7 From Jeroen Roovers 2008-06-30 16:41:21 0000 -------
OK for HPPA.

------- Comment #8 From Robert Buchholz 2008-06-30 20:52:54 0000 -------
Lifting embargo, Gnome team please commit straight to stable for the arches
that tested.

------- Comment #9 From Peter Weller 2008-07-01 00:45:59 0000 -------
Good to go on AMD64 too

------- Comment #10 From Mart Raudsepp 2008-07-01 02:14:27 0000 -------
The ebuild has been added to the tree.

=dev-libs/glib-2.16.3-r1
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Already stabled : "alpha amd64 hppa ia64 sparc x86"
Missing keywords: "arm m68k ppc ppc64 s390 sh"

CCing the remaining arches. Please stabilize.


Security@ - this is much less widespread through glib than pcre proper, so I
believe "A2" status should not be an "A" at least. While glib is quite widely
used, PCRE code is exposed only via the GRegex API, which is not used by many
glib-using packages. "B" perhaps as it's not a system package.

I also don't know what the status whiteboard should be now.

------- Comment #11 From Markus Rothe 2008-07-01 05:27:21 0000 -------
ppc64 stable

------- Comment #12 From Robert Buchholz 2008-07-01 08:27:38 0000 -------
As for whiteboard, the question should be: Is there at least one "A" program
that exposes the API to attackers -- that is, allows compilation of regular
expressions from a file, or from remote? Is there one within the Gnome default
set of packages that does this?

------- Comment #13 From Mart Raudsepp 2008-07-01 17:03:43 0000 -------
I am not aware of any, but I also don't know for sure there aren't.
There are some GRegex users around by now, but most of those in turn are
probably only using it with their own match strings in sources, but some might
allow the user to enter it "locally" (in the X session or so). Or there might
be no such things, as I said, not sure :(
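
Added example, not part of the bug report or of any Gentoo tooling: a heuristic triage script for the question raised in comments #12 and #13, listing GRegex calls in C source and marking whether the pattern argument is a string literal or comes from elsewhere. The sample input is constructed, and "dynamic" only means the call needs manual review of where the pattern originates.

```python
import re

# GRegex entry points whose first argument is the pattern handed to PCRE.
PATTERN_CALLS = re.compile(r"\b(g_regex_new|g_regex_match_simple|g_regex_split_simple)\s*\(")
# One or more adjacent C string literals ("a" "b"); anything else needs review.
LITERAL_ONLY = re.compile(r'^(?:"(?:[^"\\]|\\.)*"\s*)+$')

def first_argument(src, start):
    """Return the text of the first call argument, starting just after '('."""
    depth, in_str, i = 0, False, start
    while i < len(src):
        c = src[i]
        if in_str:
            if c == "\\":
                i += 1                  # skip the escaped character
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
        elif c == "(":
            depth += 1
        elif c == ")":
            if depth == 0:
                break                   # end of a one-argument call
            depth -= 1
        elif c == "," and depth == 0:
            break                       # end of the first argument
        i += 1
    return src[start:i].strip()

def audit(src):
    """List (line, function, kind, argument) for every pattern-taking call."""
    findings = []
    for m in PATTERN_CALLS.finditer(src):
        arg = first_argument(src, m.end())
        kind = "literal" if LITERAL_ONLY.match(arg) else "dynamic"
        findings.append((src.count("\n", 0, m.start()) + 1, m.group(1), kind, arg))
    return findings

# Constructed sample C source, not taken from any real package.
SAMPLE = r'''
GRegex *a = g_regex_new ("^(\\d{4}),(\\d{2})$", 0, 0, NULL);
char *pat = g_key_file_get_string (cfg, "filter", "regex", NULL);
gboolean hit = g_regex_match_simple (pat, line, 0, 0);
GRegex *b = g_regex_new (gtk_entry_get_text (entry), G_REGEX_CASELESS, 0, NULL);
'''
if __name__ == "__main__":
    for line, func, kind, arg in audit(SAMPLE):
        print(f"line {line}: {func} [{kind}] {arg}")
```

The scan does not strip comments or expand macros, so it serves as a first pass over a package's sources rather than a verdict on exposure.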

------- Comment #14 From Tobias Scherbaum 2008-07-05 10:10:23 0000 -------
ppc stable

------- Comment #15 From Robert Buchholz 2008-07-07 20:35:49 0000 -------
GLSA 200807-03
