
Bug 104009

Summary: dev-lang/python might include a vulnerable pcre lib
Product: Gentoo Security
Reporter: Thierry Carrez (RETIRED) <koon>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: python
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B1 [glsa]
Package list:
Runtime testing required: ---

Description Thierry Carrez (RETIRED) gentoo-dev 2005-08-28 01:05:36 UTC
Python sources apparently include their own (affected) copy of the libpcre
library. See bug 103337 for details on the vulnerability.

If possible, it might be a good idea to make Python build against the system
libpcre rather than using the internal copy.

Ccing maintainers for advice.
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-09-02 00:35:17 UTC
"In python, the impact depends on the particular application that uses
python's "re" (regular expression) module. In python server
applications that process unchecked arbitrary regular expressions with
the "re" module, this could potentially be exploited to remotely
execute arbitrary code with the privileges of the server."
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-09-07 07:22:51 UTC
Let's hope kloeri recovers fast, I would hate having to mask Python.
Comment 3 Bryan Østergaard (RETIRED) gentoo-dev 2005-09-08 14:43:02 UTC
python-2.3.5-r2 added to the tree with pcre patch from Ubuntu included. Python
2.4 isn't affected by this bug as it doesn't include its own pcre version.
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-09-08 21:59:15 UTC
Arches please test and mark stable.
Comment 5 Chris Gianelloni (RETIRED) gentoo-dev 2005-09-09 06:02:33 UTC
Already stable on these arches, removing from CC
Comment 6 Chris Gianelloni (RETIRED) gentoo-dev 2005-09-09 06:03:00 UTC
Sorry for the spam... forgot to click the "remove" button...
Comment 7 Markus Rothe (RETIRED) gentoo-dev 2005-09-09 10:04:39 UTC
stable on ppc64
Comment 8 Josh Grebe (RETIRED) gentoo-dev 2005-09-09 12:36:17 UTC
Sparc looks good, removing cc.
Comment 9 MATSUU Takuto (RETIRED) gentoo-dev 2005-09-09 23:08:26 UTC
stable on sh
Comment 10 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-09-10 01:05:54 UTC
Stable on ppc and hppa.
Comment 11 Simon Stelling (RETIRED) gentoo-dev 2005-09-11 03:25:01 UTC
amd64 stable, sorry for the delay
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2005-09-12 13:36:33 UTC
GLSA 200509-08
mips should mark stable to benefit from GLSA
Comment 13 Aaron Walker (RETIRED) gentoo-dev 2005-09-14 16:16:57 UTC
mips stable.