Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 104009 - dev-lang/python might include a vulnerable pcre lib
Summary: dev-lang/python might include a vulnerable pcre lib
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B1 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2005-08-28 01:05 UTC by Thierry Carrez (RETIRED)
Modified: 2005-09-14 16:16 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Thierry Carrez (RETIRED) gentoo-dev 2005-08-28 01:05:36 UTC
Python sources apparently include their own (affected) copy of the libpcre
library. See bug 103337 for details on the vulnerability.

If possible, it might be a good idea to make Python build against the system
libpcre rather than using the internal copy.

Ccing maintainers for advice.
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-09-02 00:35:17 UTC
"In python, the impact depends on the particular application that uses
python's "re" (regular expression) module. In python server
applications that process unchecked arbitrary regular expressions with
the "re" module, this could potentially be exploited to remotely
execute arbitrary code with the privileges of the server."
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-09-07 07:22:51 UTC
Let's hope kloeri recovers fast, I would hate having to mask Python.
Comment 3 Bryan Østergaard (RETIRED) gentoo-dev 2005-09-08 14:43:02 UTC
python-2.3.5-r2 added to the tree with pcre patch from ubuntu included. Python
2.4 isn't affected by this bug as it doesn't include it's own pcre version.
Comment 4 Sune Kloppenborg Jeppesen gentoo-dev 2005-09-08 21:59:15 UTC
Arches please test and mark stable. 
Comment 5 Chris Gianelloni (RETIRED) gentoo-dev 2005-09-09 06:02:33 UTC
Already stable on these arches, removing from CC
Comment 6 Chris Gianelloni (RETIRED) gentoo-dev 2005-09-09 06:03:00 UTC
Sorry for the spam... forgot to click the "remove" button...
Comment 7 Markus Rothe (RETIRED) gentoo-dev 2005-09-09 10:04:39 UTC
stable on ppc64
Comment 8 Josh Grebe (RETIRED) gentoo-dev 2005-09-09 12:36:17 UTC
Sparc looks good, removing cc.
Comment 9 MATSUU Takuto (RETIRED) gentoo-dev 2005-09-09 23:08:26 UTC
stable on sh
Comment 10 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-09-10 01:05:54 UTC
Stable on ppc and hppa.
Comment 11 Simon Stelling (RETIRED) gentoo-dev 2005-09-11 03:25:01 UTC
amd64 stable, sorry for the delay
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2005-09-12 13:36:33 UTC
GLSA 200509-08
mips should mark stable to benefit from GLSA
Comment 13 Aaron Walker (RETIRED) gentoo-dev 2005-09-14 16:16:57 UTC
mips stable.