
Bug 209293

Summary: dev-libs/glib-2.14.6 fixes potential buffer overflow in included pcre copy
Product: Gentoo Security
Reporter: Mart Raudsepp <leio>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: gnome
Priority: High
Keywords: STABLEREQ
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: C1 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 209067
Bug Blocks:

Description Mart Raudsepp gentoo-dev 2008-02-07 20:50:58 UTC
Per bug 209067 libpcre-7.6 fixes a buffer overflow issue:

1.  A character class containing a very large number of characters with
    codepoints greater than 255 (in UTF-8 mode, of course) caused a buffer
    overflow.

dev-libs/glib includes a copy of libpcre since 2.14.0 that we also use (instead of the system pcre) for GRegex API due to the copy including patches useful for GRegex, but not yet in pcre. Therefore glib is affected by this as well, for glib users that use the GRegex API. The internal copy of pcre has been updated to 7.6 in glib-2.14.6 and it is also now in the portage tree.

Security team: glib from 2.14.0 through 2.14.5 is vulnerable to this bug, while 2.14.6 is fixed with the update of the copy and earlier (2.12.* and earlier) did not have GRegex and included pcre.

Arch teams: please stabilize glib-2.14.6 - its only changes compared to glib-2.14.5 are the updated pcre and a couple of translation updates.
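The practical question for an administrator reading this report is whether an installed glib falls in the affected range, and the point worth remembering is that updating the system dev-libs/libpcre does not help: glib's GRegex uses its own bundled copy, so only the glib version matters. The following is an added example, not code from the bug report, from glib or from Gentoo; it encodes the range stated in the description above (GRegex and the bundled pcre appear in 2.14.0, 2.14.6 carries the pcre 7.6 update, 2.12.* and earlier have no GRegex). The pkg-config lookup is an assumption about how a user would find the installed version; the Gentoo -rN revision suffix is assumed not to change the bundled pcre and is ignored.

```python
"""Affected-range check for the glib/GRegex bundled-pcre issue in bug 209293.

Added example, not part of the bug report. Boundaries are taken from the
description: 2.14.0 through 2.14.5 bundle the affected pcre, 2.14.6 ships
pcre 7.6, and 2.12.* and earlier have no GRegex and no bundled pcre.
"""
import re
import shutil
import subprocess
from typing import Optional, Tuple

# Constructed from the report's stated ranges.
FIRST_WITH_GREGEX = (2, 14, 0)
FIRST_FIXED = (2, 14, 6)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.14.6' (or a Gentoo-style '2.14.6-r1') into a comparable tuple.

    Only the leading dotted numeric part is compared. The -rN revision
    suffix is assumed not to alter the bundled pcre copy, so it is ignored.
    """
    m = re.match(r"^(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def gregex_pcre_affected(version: str) -> bool:
    """True if this glib version bundles the affected pcre copy.

    Versions before 2.14.0 return False (no GRegex, no bundled pcre);
    2.14.6 and later return False (bundled copy updated to pcre 7.6).
    Even for True, only programs that use the GRegex API are exposed.
    """
    v = parse_version(version)
    return FIRST_WITH_GREGEX <= v < FIRST_FIXED


def installed_glib_version() -> Optional[str]:
    """Ask pkg-config for the installed glib version; None if unavailable.

    Assumed lookup method; any other source of the version string works.
    """
    if shutil.which("pkg-config") is None:
        return None
    proc = subprocess.run(
        ["pkg-config", "--modversion", "glib-2.0"],
        capture_output=True, text=True, check=False,
    )
    if proc.returncode != 0:
        return None
    return proc.stdout.strip()


if __name__ == "__main__":
    found = installed_glib_version()
    if found is None:
        print("glib-2.0 not found via pkg-config; pass a version to gregex_pcre_affected()")
    else:
        state = "AFFECTED" if gregex_pcre_affected(found) else "not affected"
        print(f"glib {found}: {state} (GRegex users only; bundled pcre, not system libpcre)")
```

Run it on a box to classify the installed glib, or call `gregex_pcre_affected("2.14.5-r1")` directly against a version taken from `emerge -pv` output. Tuple comparison makes the range check independent of the number of components, so a future 2.14.6-r2 or 2.16.x compares correctly without special cases.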
Comment 1 Markus Meier gentoo-dev 2008-02-07 21:10:55 UTC
x86 stable
Comment 2 Brent Baude (RETIRED) gentoo-dev 2008-02-08 00:04:52 UTC
ppc64 stable
Comment 3 Brent Baude (RETIRED) gentoo-dev 2008-02-08 00:12:24 UTC
ppc64 stable
Comment 4 Tobias Scherbaum (RETIRED) gentoo-dev 2008-02-08 08:31:24 UTC
ppc stable
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2008-02-08 14:00:41 UTC
Stable for HPPA.
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2008-02-08 15:54:08 UTC
alpha/ia64/sparc stable
Comment 7 Olivier Crete (RETIRED) gentoo-dev 2008-02-10 22:12:43 UTC
amd64 done
Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-02-11 20:28:51 UTC
AFAIK impact is still unknown for PCRE.
Comment 9 Peter Volkov (RETIRED) gentoo-dev 2008-02-23 17:28:41 UTC
Fixed in release snapshot.
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2008-03-04 14:21:39 UTC
glsa together with bug 209067.
Comment 11 Tobias Heinlein (RETIRED) gentoo-dev 2008-03-19 23:04:37 UTC
GLSA 200803-24