Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 104010

Summary: app-office/gnumeric might include a vulnerable pcre lib
Product: Gentoo Security Reporter: Thierry Carrez (RETIRED) <koon>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: gnome
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---

Description Thierry Carrez (RETIRED) gentoo-dev 2005-08-28 01:07:34 UTC 
Gnumeric sources apparently include their own (affected) copy of the libpcre
library. See bug 103337 for details on the vulnerability. There may not be much
use of parsing of untrusted PCRE in gnumeric (?), but it should be fixed
nevertheless.

If possible, it might be a good idea to make gnumeric build against the system
libpcre rather than using the internal copy.

Ccing maintainers for advice.
Comment 1 John N. Laliberte (RETIRED) gentoo-dev 2005-08-31 08:20:02 UTC 
leonardop will be taking care of this shortly,

Thanks!
Comment 2 Leonardo Boshell (RETIRED) gentoo-dev 2005-09-01 04:08:13 UTC 
I've committed gnumeric-1.4.3-r2.ebuild, which includes a patch for this
problem. However, the ebuild is not marked stable yet.

Could you please confirm if the patch covers the whole vulnerability? For
reference, the patch is based on the differences between pcre-6.1 and pcre-6.2,
specifically in the file pcre_compile.c.

Also, modifying gnumeric to use an external pcre is untested so it doesn't seem
like a good alternative at the moment. I could push this patch upstream once I
have your blessing, and ask the developers about the possibility of optionally
linking against an external pcre.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-09-01 04:52:30 UTC 
Current KEYWORDS="~alpha ~amd64 ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86"
Target KEYWORDS="alpha amd64 hppa ia64 ppc ppc64 sparc x86"
Comment 4 Gustavo Zacarias (RETIRED) gentoo-dev 2005-09-01 07:49:16 UTC 
sparc stable.
Comment 5 Ian Leitch (RETIRED) gentoo-dev 2005-09-01 09:20:19 UTC 
Stable on x86.
Comment 6 Luis Medinas (RETIRED) gentoo-dev 2005-09-01 10:29:39 UTC 
Marked Stable on AMD64.
Comment 7 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-09-01 10:51:52 UTC 
Stable on ppc and hppa.
Comment 8 Ian Leitch (RETIRED) gentoo-dev 2005-09-01 11:27:30 UTC 
Removing x86 CC, sorry for the spam.
Comment 9 Markus Rothe (RETIRED) gentoo-dev 2005-09-01 21:04:09 UTC 
stable on ppc64
Comment 10 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2005-09-02 00:20:48 UTC 
Stable on alpha
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2005-09-02 00:31:57 UTC 
Not sure this needs a GLSA, or maybe a combined one with other
'probably-not-affected' libpcre-challenged packages (like exim, apache...).
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2005-09-02 00:33:31 UTC 
Hmm. Our beloved Martin Pitt says :

"In gnumeric this bug could be exploited to execute arbitrary code with
the privileges of the user if the user was tricked into opening a
specially crafted spreadsheet document."

So I guess this really is a B2 and we need a GLSA for it.
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2005-09-03 02:31:31 UTC 
GLSA 200509-02
ia64 should mark stable to benefit from GLSA.