Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 230039 - dev-libs/glib <2.16.3-r1 PCRE Heap-based buffer overflow (CVE-2008-2371)
Summary: dev-libs/glib <2.16.3-r1 PCRE Heap-based buffer overflow (CVE-2008-2371)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A2 [glsa]
Keywords:
Depends on: CVE-2008-2371
Blocks:
  Show dependency tree
 
Reported: 2008-06-29 15:43 UTC by Robert Buchholz (RETIRED)
Modified: 2020-04-09 19:03 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
Ebuild that applies the patch that fixes it (glib-2.16.3-r1.ebuild,2.63 KB, text/plain)
2008-06-30 08:04 UTC, Mart Raudsepp
no flags Details
The applied patch that fixes the heap-based buffer overflow (glib-2.16.3-pcre-buffer-overflow.patch,615 bytes, patch)
2008-06-30 08:05 UTC, Mart Raudsepp
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2008-06-29 15:43:20 UTC
+++ This bug was initially created as a clone of Bug #228091 +++

** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **

Heap-based buffer overflow in PCRE as shipped by GLib, see blocker for details.
Comment 1 Mart Raudsepp gentoo-dev 2008-06-30 08:04:12 UTC
Created attachment 158919 [details]
Ebuild that applies the patch that fixes it
Comment 2 Mart Raudsepp gentoo-dev 2008-06-30 08:05:14 UTC
Created attachment 158921 [details, diff]
The applied patch that fixes the heap-based buffer overflow
Comment 3 Mart Raudsepp gentoo-dev 2008-06-30 08:06:44 UTC
Arch Security Liaisons, please test the attached ebuild and report it         stable on this bug.
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

CC'ing current Liaisons:
alpha : yoswink
amd64 : welp
 hppa : jer
  ppc : dertobi123
ppc64 : corsair
sparc : fmccor
  x86 : opfer
Comment 4 Christian Faulhammer (RETIRED) gentoo-dev 2008-06-30 10:02:03 UTC
x86 good to go.
Comment 5 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2008-06-30 13:44:34 UTC
In alpha:
 - compiles just fine with several USE flags combinations
 - tests passed

Seems ok.
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2008-06-30 14:58:34 UTC
Looks okay on ia64/sparc
Comment 7 Jeroen Roovers gentoo-dev 2008-06-30 16:41:21 UTC
OK for HPPA.
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2008-06-30 20:52:54 UTC
Lifting embargo, Gnome team please commit straight to stable for the arches that
tested.
Comment 9 Peter Weller (RETIRED) gentoo-dev 2008-07-01 00:45:59 UTC
Good to go on AMD64 too
Comment 10 Mart Raudsepp gentoo-dev 2008-07-01 02:14:27 UTC
The ebuild has been added to the tree.

=dev-libs/glib-2.16.3-r1
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Already stabled : "alpha amd64 hppa ia64 sparc x86"
Missing keywords: "arm m68k ppc ppc64 s390 sh"

CCing the remaining arches. Please stabilize.


Security@ - this is much less widespread through glib than pcre proper, so I believe "A2" status should not be an "A" at least. While glib is quite widely used, PCRE code is exposed only via the GRegex API, which is not used by many glib using packages. "B" perhaps as it's not a system package.

I also don't know what the status whiteboard should be now
Comment 11 Markus Rothe (RETIRED) gentoo-dev 2008-07-01 05:27:21 UTC
ppc64 stable
Comment 12 Robert Buchholz (RETIRED) gentoo-dev 2008-07-01 08:27:38 UTC
As for whiteboard, the question should be: Is there at least one "A" program that exposes the API to attackers -- that is, allow compilation of regular expressions from a file, or from remote. Is there one within the Gnome default set of packages that does this?
Comment 13 Mart Raudsepp gentoo-dev 2008-07-01 17:03:43 UTC
I am not aware of any, but I also don't know for sure there aren't.
There are some GRegex users around by now, but most of those in turn are probably only using it with their own match strings in sources, but some might allow the user to enter it "locally" (in the X session or so). Or there might be no such things, as I said, not sure :(
Comment 14 Tobias Scherbaum (RETIRED) gentoo-dev 2008-07-05 10:10:23 UTC
ppc stable
Comment 15 Robert Buchholz (RETIRED) gentoo-dev 2008-07-07 20:35:49 UTC
GLSA 200807-03