| Summary: | www-client/kazehakase < 0.5.0 Multiple issues in embedded PCRE | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Robert Buchholz (RETIRED) <rbu> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | matsuu, mozilla, nakano |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://secunia.com/advisories/27543/ | | |
| Whiteboard: | B2 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 198845 | | |
| Bug Blocks: | | | |

Description
Robert Buchholz (RETIRED)
2007-11-12 22:55:55 UTC
PCRE is used for incremental search by GRegex. It's only enabled with the migemo USE flag. kazehakase-0.5.0 is good enough to be marked stable, but it depends on >=x11-libs/gtk+-2.12.

Arches, please test and mark stable www-client/kazehakase-0.5.0. Target keywords : "amd64 ppc sparc x86"

Please note the comment above, this needs to be done after you're off of bug 198845.

x86 stable

stable on amd64

sparc stable

ppc stable

I'll set this [glsa?] because I'm still not sure if it is exploitable by remote attackers - Can someone trick me into opening a file / link that might lead to execution of code?

(In reply to comment #7)
> I'll set this [glsa?] because I'm still not sure if it is exploitable by remote
> attackers - Can someone trick me into opening a file / link that might
> lead to execution of code?

Matsuu?

Sorry, I checked the source code once again, and it seems that PCRE is used for migemo, history, and bookmark. I'm presently checking with upstream about it. http://lists.sourceforge.jp/mailman/archives/kazehakase-devel/2007-December/002774.html

(In reply to comment #9)
> Sorry,
> I checked the source code once again, and it seems that PCRE is used for migemo,
> history, and bookmark.
> I'm presently checking with upstream about it.
> http://lists.sourceforge.jp/mailman/archives/kazehakase-devel/2007-December/002774.html

Any news here? I don't speak Japanese :)

Ah, sorry. In the smart bookmark feature, GRegex is used on body contents. So, perhaps it is exploitable by remote attackers. http://lists.sourceforge.jp/mailman/archives/kazehakase-devel/2007-December/002775.html

I tend to vote YES.

YES. Filed.

GLSA 200801-18, sorry for the delay.