104009 – dev-lang/python might include a vulnerable pcre lib

Bug 104009 - dev-lang/python might include a vulnerable pcre lib

Summary: dev-lang/python might include a vulnerable pcre lib

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	High major
Assignee:	Gentoo Security

URL:
Whiteboard:	B1 [glsa]
Keywords:

Depends on:
Blocks:

Reported:	2005-08-28 01:05 UTC by Thierry Carrez (RETIRED)
Modified:	2005-09-14 16:16 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Thierry Carrez (RETIRED) gentoo-dev

2005-08-28 01:05:36 UTC

Python sources apparently include their own (affected) copy of the libpcre
library. See bug 103337 for details on the vulnerability.

If possible, it might be a good idea to make Python build against the system
libpcre rather than using the internal copy.

Ccing maintainers for advice.

Comment 1 Thierry Carrez (RETIRED) gentoo-dev

2005-09-02 00:35:17 UTC

"In python, the impact depends on the particular application that uses
python's "re" (regular expression) module. In python server
applications that process unchecked arbitrary regular expressions with
the "re" module, this could potentially be exploited to remotely
execute arbitrary code with the privileges of the server."

Comment 2 Thierry Carrez (RETIRED) gentoo-dev

2005-09-07 07:22:51 UTC

Let's hope kloeri recovers fast, I would hate having to mask Python.

Comment 3 Bryan Østergaard (RETIRED) gentoo-dev

2005-09-08 14:43:02 UTC

python-2.3.5-r2 added to the tree with pcre patch from ubuntu included. Python
2.4 isn't affected by this bug as it doesn't include it's own pcre version.

Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2005-09-08 21:59:15 UTC

Arches please test and mark stable.

Comment 5 Chris Gianelloni (RETIRED) gentoo-dev

2005-09-09 06:02:33 UTC

Already stable on these arches, removing from CC

Comment 6 Chris Gianelloni (RETIRED) gentoo-dev

2005-09-09 06:03:00 UTC

Sorry for the spam... forgot to click the "remove" button...

Comment 7 Markus Rothe (RETIRED) gentoo-dev

2005-09-09 10:04:39 UTC

stable on ppc64

Comment 8 Josh Grebe (RETIRED) gentoo-dev

2005-09-09 12:36:17 UTC

Sparc looks good, removing cc.

Comment 9 MATSUU Takuto (RETIRED) gentoo-dev

2005-09-09 23:08:26 UTC

stable on sh

Comment 10 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev

2005-09-10 01:05:54 UTC

Stable on ppc and hppa.

Comment 11 Simon Stelling (RETIRED) gentoo-dev

2005-09-11 03:25:01 UTC

amd64 stable, sorry for the delay

Comment 12 Thierry Carrez (RETIRED) gentoo-dev

2005-09-12 13:36:33 UTC

GLSA 200509-08
mips should mark stable to benefit from GLSA

Comment 13 Aaron Walker (RETIRED) gentoo-dev

2005-09-14 16:16:57 UTC

mips stable.