Bug 198983

Summary:	www-client/kazehakase < 0.5.0 Multiple issues in embedded PCRE
Product:	Gentoo Security	Reporter:	Robert Buchholz (RETIRED) <rbu>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	matsuu, mozilla, nakano
Priority:	High
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	http://secunia.com/advisories/27543/
Whiteboard:	B2 [glsa]
Package list:		Runtime testing required:	---
Bug Depends on:	198845
Bug Blocks:

Description Robert Buchholz (RETIRED) gentoo-dev

2007-11-12 22:55:55 UTC

Kazehakase ships a copy of PCRE which is vulnerable to several security issues as pointed out in bug #198198.

Version 0.5.0 uses GRegEx as a regular expression engine, so it is unaffected.

Maintainers, please advise on the following questions:
* What is PCRE in Kazehakase used for? Especially: Can inputs come from outside (i.e. bookmark imports)?
* Is 0.5.0 ok for stabling?

Comment 1 MATSUU Takuto (RETIRED) gentoo-dev

2007-11-13 05:10:41 UTC

pcre is used for incremental search by GRegex. its only enabled with migemo USE flag.
kazehakase-0.5.0 is enough to stable, but it depends on >=x11-libs/gtk+-2.12.

Comment 2 Robert Buchholz (RETIRED) gentoo-dev

2007-11-14 00:01:08 UTC

Arches, please test and mark stable www-client/kazehakase-0.5.0.
Target keywords : "amd64 ppc sparc x86"

Please note the comment above, this needs to be done after you're off of bug 198845.

Comment 3 Christian Faulhammer (RETIRED) gentoo-dev

2007-11-14 07:56:35 UTC

x86 stable

Comment 4 Alex Howells (RETIRED) gentoo-dev

2007-11-14 15:31:39 UTC

stable on amd64

Comment 5 Raúl Porcel (RETIRED) gentoo-dev

2007-11-15 15:12:48 UTC

sparc stable

Comment 6 Tobias Scherbaum (RETIRED) gentoo-dev

2007-11-18 11:12:24 UTC

ppc stable

Comment 7 Robert Buchholz (RETIRED) gentoo-dev

2007-11-18 14:21:49 UTC

I'll set this [glsa?] because I'm still not sure if it is exploitable by remote attackers - Can someone send trick me into opening a file / link that might lead to execution of code?

Comment 8 Robert Buchholz (RETIRED) gentoo-dev

2007-12-02 12:33:42 UTC

(In reply to comment #7)
> I'll set this [glsa?] because I'm still not sure if it is exploitable by remote
> attackers - Can someone send trick me into opening a file / link that might
> lead to execution of code?

Matsuu?

Comment 9 MATSUU Takuto (RETIRED) gentoo-dev

2007-12-04 10:33:40 UTC

sorry
I checked source code once again, and it seems that PCRE is used for migemo, history, and bookmark.
I'm presently checking with upstream about it.
http://lists.sourceforge.jp/mailman/archives/kazehakase-devel/2007-December/002774.html

Comment 10 Pierre-Yves Rofes (RETIRED) gentoo-dev

2007-12-30 18:39:26 UTC

(In reply to comment #9)
> sorry
> I checked source code once again, and it seems that PCRE is used for migemo,
> history, and bookmark.
> I'm presently checking with upstream about it.
> http://lists.sourceforge.jp/mailman/archives/kazehakase-devel/2007-December/002774.html
> 

Any news here? I don't speak japanese :)

Comment 11 MATSUU Takuto (RETIRED) gentoo-dev

2007-12-31 11:04:09 UTC

ah, sorry.
in smart bookmark feature, GRegEX is used to body contents. so, perhaps it is exploitable by remote attackers.
http://lists.sourceforge.jp/mailman/archives/kazehakase-devel/2007-December/002775.html

Comment 12 MATSUU Takuto (RETIRED) gentoo-dev

2007-12-31 11:08:17 UTC

FYI:
http://www.google.com/translate?u=http%3A%2F%2Flists.sourceforge.jp%2Fmailman%2Farchives%2Fkazehakase-devel%2F2007-December%2F002775.html&langpair=ja%7Cen

Comment 13 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2008-01-06 18:14:45 UTC

I tend to vote YES.

Comment 14 Robert Buchholz (RETIRED) gentoo-dev

2008-01-06 23:02:35 UTC

YES. filed.

Comment 15 Pierre-Yves Rofes (RETIRED) gentoo-dev

2008-01-30 22:40:20 UTC

GLSA 200801-18, sorry for the delay.