Debian Bug report logs - #464756
kazehakase security advisory

version graph

Package: kazehakase; Maintainer for kazehakase is Yavor Doganov <yavor@gnu.org>;

Reported by: Andres Salomon <dilinger@queued.net>

Date: Fri, 8 Feb 2008 20:09:05 UTC

Severity: grave

Tags: etch, security

Found in version kazehakase/0.4.3-1.1

Fixed in versions 0.4.2-1etch1, kazehakase/0.5.2-1

Done: Andres Salomon <dilinger@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Hidetaka Iwai <tyuyu@debian.or.jp>:
Bug#464756; Package kazehakase. Full text and rfc822 format available.

Acknowledgement sent to Andres Salomon <dilinger@queued.net>:
New Bug report received and forwarded. Copy sent to Hidetaka Iwai <tyuyu@debian.or.jp>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Andres Salomon <dilinger@queued.net>
To: submit@bugs.debian.org
Subject: kazehakase security advisory
Date: Fri, 8 Feb 2008 15:09:21 -0500
Package: kazehakase
Version: 0.4.3-1.1
Severity: grave

Hi,

Kazehakase 0.4.x ships with a version of PCRE built in that has some
known security holes.  See
http://www.gentoo.org/security/en/glsa/glsa-200801-18.xml for details.  At
the bottom of that page is the relevant link to the PCRE advisory.  The
version of PCRE that kazehakase appears to ship is 4.3.




Information forwarded to debian-bugs-dist@lists.debian.org, Hidetaka Iwai <tyuyu@debian.or.jp>:
Bug#464756; Package kazehakase. Full text and rfc822 format available.

Acknowledgement sent to Andres Salomon <dilinger@queued.net>:
Extra info received and forwarded to list. Copy sent to Hidetaka Iwai <tyuyu@debian.or.jp>. Full text and rfc822 format available.

Message #10 received at 464756@bugs.debian.org (full text, mbox):

From: Andres Salomon <dilinger@queued.net>
To: control@bugs.debian.org
Cc: 464756@bugs.debian.org
Subject: Re: kazehakase security advisory
Date: Tue, 26 Feb 2008 12:26:51 -0500
tags 464756 + security etch
thanks

This is now fixed in unstable (and soon testing, once it builds for all
architectures).




Tags added: security, etch Request was from Andres Salomon <dilinger@queued.net> to control@bugs.debian.org. (Tue, 26 Feb 2008 17:24:09 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Hidetaka Iwai <tyuyu@debian.or.jp>:
Bug#464756; Package kazehakase. Full text and rfc822 format available.

Acknowledgement sent to Andres Salomon <dilinger@queued.net>:
Extra info received and forwarded to list. Copy sent to Hidetaka Iwai <tyuyu@debian.or.jp>. Full text and rfc822 format available.

Message #17 received at 464756@bugs.debian.org (full text, mbox):

From: Andres Salomon <dilinger@queued.net>
To: 464756@bugs.debian.org, team@security.debian.org
Subject: kazehakase security fix patch
Date: Tue, 15 Apr 2008 15:46:02 -0400
Hi,

Here's a patch that forces the kazehakase in Etch to build against the system's
libpcre rather than the bundled pcre.  I'd rather see kaz linked against
the system's pcre; it's much easier to deal w/.  Does the security team
agree?




diff --git a/debian/control b/debian/control
index 6c9c76c..f37ad30 100644
--- a/debian/control
+++ b/debian/control
@@ -2,7 +2,7 @@ Source: kazehakase
 Section: web
 Priority: optional
 Maintainer: Hidetaka Iwai <tyuyu@debian.or.jp>
-Build-Depends: automake1.7, libtool, debhelper(>> 4.0.0), dpatch, libatk1.0-dev, libglib2.0-dev, libgtk2.0-dev, libpango1.0-dev, libxul-dev, libgnutls-dev (>= 1.2.6), ruby (>=1.8.0), ruby(<< 1.9.0), ruby1.8-dev, libgtk2-ruby, libgettext-ruby1.8
+Build-Depends: automake1.7, libtool, debhelper(>> 4.0.0), dpatch, libatk1.0-dev, libglib2.0-dev, libgtk2.0-dev, libpango1.0-dev, libxul-dev, libgnutls-dev (>= 1.2.6), ruby (>=1.8.0), ruby(<< 1.9.0), ruby1.8-dev, libgtk2-ruby, libgettext-ruby1.8, libpcre3-dev
 Standards-Version: 3.7.2
 
 Package: kazehakase
diff --git a/src/libegg/regex/Makefile.am b/src/libegg/regex/Makefile.am
index 8751809..ce1a133 100644
--- a/src/libegg/regex/Makefile.am
+++ b/src/libegg/regex/Makefile.am
@@ -1,5 +1,3 @@
-SUBDIRS = pcre
-
 INCLUDES = \
   $(GTK_CFLAGS) \
   -DEGG_COMPILATION \
@@ -15,8 +13,8 @@ noinst_LTLIBRARIES = libeggregex.la
 libeggregex_la_SOURCES = \
   eggregex.c
 
-libeggregex_la_LIBADD = \
-	$(top_builddir)/src/libegg/regex/pcre/libpcre.la 
+libeggregex_la_LDFLAGS = \
+  `pcre-config --libs`
 
 noinst_HEADERS = \
   eggregex.h
diff --git a/src/libegg/regex/eggregex.c b/src/libegg/regex/eggregex.c
index 7d373cb..e365490 100644
--- a/src/libegg/regex/eggregex.c
+++ b/src/libegg/regex/eggregex.c
@@ -45,7 +45,7 @@
 #include <glib/glist.h>
 #include <glib/gi18n-lib.h>
 #include <glib/gstrfuncs.h>
-#include "pcre/pcre.h"
+#include <pcre.h>
 
 struct _EggRegex
 {
@@ -108,7 +108,7 @@ egg_regex_new (const gchar         *pattern,
   regex->match_opts = match_options | PCRE_NO_UTF8_CHECK;
 
   /* compile the pattern */
-  regex->regex = _pcre_compile (pattern, regex->compile_opts,
+  regex->regex = pcre_compile (pattern, regex->compile_opts,
 				 &errmsg, &erroffset, NULL);
 
   /* if the compilation failed, set the error member and return 
@@ -127,7 +127,7 @@ egg_regex_new (const gchar         *pattern,
 
   /* otherwise, find out how many sub patterns exist in this pattern,
    * and setup the offsets array and n_offsets accordingly */
-  _pcre_fullinfo (regex->regex, regex->extra, 
+  pcre_fullinfo (regex->regex, regex->extra, 
 		  PCRE_INFO_CAPTURECOUNT, &capture_count);
   regex->n_offsets = (capture_count + 1) * 3;
   regex->offsets = g_new0 (gint, regex->n_offsets);
@@ -192,7 +192,7 @@ egg_regex_optimize (EggRegex  *regex,
 {
   const gchar *errmsg;
 
-  regex->extra = _pcre_study (regex->regex, 0, &errmsg);
+  regex->extra = pcre_study (regex->regex, 0, &errmsg);
 
   if (errmsg)
     {
@@ -237,7 +237,7 @@ egg_regex_match (EggRegex          *regex,
   regex->string_len = string_len;
 
   /* perform the match */
-  regex->matches = _pcre_exec (regex->regex, regex->extra, 
+  regex->matches = pcre_exec (regex->regex, regex->extra, 
 			       string, regex->string_len, 0,
 			       regex->match_opts | match_options,
 			       regex->offsets, regex->n_offsets);
@@ -295,7 +295,7 @@ egg_regex_match_next (EggRegex          *regex,
     }
 
   /* perform the match */
-  regex->matches = _pcre_exec (regex->regex, regex->extra,
+  regex->matches = pcre_exec (regex->regex, regex->extra,
 			       string + regex->pos, 
 			       regex->string_len - regex->pos,
 			       0, regex->match_opts | match_options,
@@ -345,7 +345,7 @@ egg_regex_fetch (EggRegex      *regex,
   if (match_num >= regex->matches)
     return NULL;
 
-  _pcre_get_substring (string, regex->offsets, regex->matches, 
+  pcre_get_substring (string, regex->offsets, regex->matches, 
 		       match_num, (const char **)&match);
 
   return match;
@@ -399,7 +399,7 @@ egg_regex_fetch_named (EggRegex      *regex,
 {
   gchar *match;
 
-  _pcre_get_named_substring (regex->regex, 
+  pcre_get_named_substring (regex->regex, 
 			     string, regex->offsets, regex->matches, 
 			     name, (const char **)&match);
 
@@ -427,7 +427,7 @@ egg_regex_fetch_all (EggRegex      *regex,
   if (regex->matches < 0)
     return NULL;
   
-  _pcre_get_substring_list (string, regex->offsets, 
+  pcre_get_substring_list (string, regex->offsets, 
 			    regex->matches, (const char ***)&listptr);
 
   if (listptr)


-- 
Need a kernel or Debian developer?  Contact me, I'm looking for contracts.




Information forwarded to debian-bugs-dist@lists.debian.org, Hidetaka Iwai <tyuyu@debian.or.jp>:
Bug#464756; Package kazehakase. Full text and rfc822 format available.

Acknowledgement sent to Steve Kemp <skx@debian.org>:
Extra info received and forwarded to list. Copy sent to Hidetaka Iwai <tyuyu@debian.or.jp>. Full text and rfc822 format available.

Message #22 received at 464756@bugs.debian.org (full text, mbox):

From: Steve Kemp <skx@debian.org>
To: Andres Salomon <dilinger@queued.net>
Cc: 464756@bugs.debian.org, team@security.debian.org
Subject: Re: kazehakase security fix patch
Date: Tue, 15 Apr 2008 20:52:08 +0100
On Tue Apr 15, 2008 at 15:46:02 -0400, Andres Salomon wrote:

> I'd rather see kaz linked against the system's pcre;
> it's much easier to deal w/.  Does the security team agree?

  Definitely!

Steve
-- 





Information forwarded to debian-bugs-dist@lists.debian.org, Hidetaka Iwai <tyuyu@debian.or.jp>:
Bug#464756; Package kazehakase. Full text and rfc822 format available.

Acknowledgement sent to Andres Salomon <dilinger@queued.net>:
Extra info received and forwarded to list. Copy sent to Hidetaka Iwai <tyuyu@debian.or.jp>. Full text and rfc822 format available.

Message #27 received at 464756@bugs.debian.org (full text, mbox):

From: Andres Salomon <dilinger@queued.net>
To: Steve Kemp <skx@debian.org>
Cc: 464756@bugs.debian.org, team@security.debian.org
Subject: Re: kazehakase security fix patch
Date: Tue, 15 Apr 2008 18:31:05 -0400
On Tue, 15 Apr 2008 20:52:08 +0100
Steve Kemp <skx@debian.org> wrote:

> On Tue Apr 15, 2008 at 15:46:02 -0400, Andres Salomon wrote:
> 
> > I'd rather see kaz linked against the system's pcre;
> > it's much easier to deal w/.  Does the security team agree?
> 
>   Definitely!
> 
> Steve


Cool.  The package is here:

http://people.debian.org/~dilinger/security/kazehakase/etch/

I will give it a bit more testing later on tonight.

-- 
Need a kernel or Debian developer?  Contact me, I'm looking for contracts.




Information forwarded to debian-bugs-dist@lists.debian.org, Hidetaka Iwai <tyuyu@debian.or.jp>:
Bug#464756; Package kazehakase. Full text and rfc822 format available.

Acknowledgement sent to Andres Salomon <dilinger@queued.net>:
Extra info received and forwarded to list. Copy sent to Hidetaka Iwai <tyuyu@debian.or.jp>. Full text and rfc822 format available.

Message #32 received at 464756@bugs.debian.org (full text, mbox):

From: Andres Salomon <dilinger@queued.net>
To: Steve Kemp <skx@debian.org>
Cc: 464756@bugs.debian.org, team@security.debian.org
Subject: Re: kazehakase security fix patch
Date: Tue, 15 Apr 2008 21:36:13 -0400
On Tue, 15 Apr 2008 18:31:05 -0400
Andres Salomon <dilinger@queued.net> wrote:

> On Tue, 15 Apr 2008 20:52:08 +0100
> Steve Kemp <skx@debian.org> wrote:
> 
> > On Tue Apr 15, 2008 at 15:46:02 -0400, Andres Salomon wrote:
> > 
> > > I'd rather see kaz linked against the system's pcre;
> > > it's much easier to deal w/.  Does the security team agree?
> > 
> >   Definitely!
> > 
> > Steve
> 
> 
> Cool.  The package is here:
> 
> http://people.debian.org/~dilinger/security/kazehakase/etch/
> 
> I will give it a bit more testing later on tonight.
> 

...Looks okay to me.


-- 
Need a kernel or Debian developer?  Contact me, I'm looking for contracts.




Information forwarded to debian-bugs-dist@lists.debian.org, Hidetaka Iwai <tyuyu@debian.or.jp>:
Bug#464756; Package kazehakase. Full text and rfc822 format available.

Acknowledgement sent to Steve Kemp <skx@debian.org>:
Extra info received and forwarded to list. Copy sent to Hidetaka Iwai <tyuyu@debian.or.jp>. Full text and rfc822 format available.

Message #37 received at 464756@bugs.debian.org (full text, mbox):

From: Steve Kemp <skx@debian.org>
To: Andres Salomon <dilinger@queued.net>
Cc: 464756@bugs.debian.org, team@security.debian.org
Subject: Re: kazehakase security fix patch
Date: Thu, 17 Apr 2008 21:34:44 +0100
On Tue Apr 15, 2008 at 21:36:13 -0400, Andres Salomon wrote:

> > Cool.  The package is here:
> > 
> > http://people.debian.org/~dilinger/security/kazehakase/etch/
> > 
> > I will give it a bit more testing later on tonight.

  Thanks.  I'll upload this tomorrow.  I assume this will
 be handled in the same way for Lenny / Sid?

Steve
-- 




Information forwarded to debian-bugs-dist@lists.debian.org, Hidetaka Iwai <tyuyu@debian.or.jp>:
Bug#464756; Package kazehakase. Full text and rfc822 format available.

Acknowledgement sent to Andres Salomon <dilinger@queued.net>:
Extra info received and forwarded to list. Copy sent to Hidetaka Iwai <tyuyu@debian.or.jp>. Full text and rfc822 format available.

Message #42 received at 464756@bugs.debian.org (full text, mbox):

From: Andres Salomon <dilinger@queued.net>
To: Steve Kemp <skx@debian.org>
Cc: 464756@bugs.debian.org, team@security.debian.org
Subject: Re: kazehakase security fix patch
Date: Thu, 17 Apr 2008 19:24:52 -0400
On Thu, 17 Apr 2008 21:34:44 +0100
Steve Kemp <skx@debian.org> wrote:

> On Tue Apr 15, 2008 at 21:36:13 -0400, Andres Salomon wrote:
> 
> > > Cool.  The package is here:
> > > 
> > > http://people.debian.org/~dilinger/security/kazehakase/etch/
> > > 
> > > I will give it a bit more testing later on tonight.
> 
>   Thanks.  I'll upload this tomorrow.  I assume this will
>  be handled in the same way for Lenny / Sid?
> 
> Steve

It's already fixed in lenny and sid.  Upstream had stopped using
the pcre portion of libegg (sometime around the 0.5.1 or so).

-- 
Need a kernel or Debian developer?  Contact me, I'm looking for contracts.




Bug marked as fixed in version 0.4.2-1etch1, send any further explanations to Andres Salomon <dilinger@queued.net> Request was from Thijs Kinkhorst <thijs@debian.org> to control@bugs.debian.org. (Wed, 07 May 2008 10:24:06 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Hidetaka Iwai <tyuyu@debian.or.jp>:
Bug#464756; Package kazehakase. Full text and rfc822 format available.

Acknowledgement sent to Gerfried Fuchs <rhonda@deb.at>:
Extra info received and forwarded to list. Copy sent to Hidetaka Iwai <tyuyu@debian.or.jp>. Full text and rfc822 format available.

Message #49 received at 464756@bugs.debian.org (full text, mbox):

From: Gerfried Fuchs <rhonda@deb.at>
To: Andres Salomon <dilinger@queued.net>, 464756@bugs.debian.org
Subject: Re: Bug#464756: kazehakase security advisory
Date: Fri, 9 May 2008 11:07:21 +0200
On Tue, Feb 26, 2008 at 12:26:51PM -0500, Andres Salomon wrote:
> This is now fixed in unstable (and soon testing, once it builds for all
> architectures).

 Can you please send a fixed to control with the specific version it was
fixed in unstable? From reading the changelog I'm not even sure which
version it would refer to, should it be 0.5.2-1?

 Thanks,
Rhonda




Bug marked as fixed in version 0.5.2-1. Request was from Gerfried Fuchs <rhonda@deb.at> to control@bugs.debian.org. (Fri, 09 May 2008 10:27:05 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Hidetaka Iwai <tyuyu@debian.or.jp>:
Bug#464756; Package kazehakase. Full text and rfc822 format available.

Acknowledgement sent to Andres Salomon <dilinger@queued.net>:
Extra info received and forwarded to list. Copy sent to Hidetaka Iwai <tyuyu@debian.or.jp>. Full text and rfc822 format available.

Message #56 received at 464756@bugs.debian.org (full text, mbox):

From: Andres Salomon <dilinger@queued.net>
To: Gerfried Fuchs <rhonda@deb.at>
Cc: 464756@bugs.debian.org
Subject: Re: Bug#464756: kazehakase security advisory
Date: Fri, 9 May 2008 14:09:44 -0400
On Fri, 9 May 2008 11:07:21 +0200
Gerfried Fuchs <rhonda@deb.at> wrote:

> On Tue, Feb 26, 2008 at 12:26:51PM -0500, Andres Salomon wrote:
> > This is now fixed in unstable (and soon testing, once it builds for
> > all architectures).
> 
>  Can you please send a fixed to control with the specific version it
> was fixed in unstable? From reading the changelog I'm not even sure
> which version it would refer to, should it be 0.5.2-1?
> 
>  Thanks,
> Rhonda

That's correct, it was fixed upstream in 0.5.1 (I see you already
marked it as such, thanks!)




Reply sent to Andres Salomon <dilinger@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Andres Salomon <dilinger@queued.net>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #61 received at 464756-close@bugs.debian.org (full text, mbox):

From: Andres Salomon <dilinger@debian.org>
To: 464756-close@bugs.debian.org
Subject: Bug#464756: fixed in kazehakase 0.4.2-1etch1
Date: Mon, 26 May 2008 19:52:43 +0000
Source: kazehakase
Source-Version: 0.4.2-1etch1

We believe that the bug you reported is fixed in the latest version of
kazehakase, which is due to be installed in the Debian FTP archive:

kazehakase_0.4.2-1etch1.diff.gz
  to pool/main/k/kazehakase/kazehakase_0.4.2-1etch1.diff.gz
kazehakase_0.4.2-1etch1.dsc
  to pool/main/k/kazehakase/kazehakase_0.4.2-1etch1.dsc
kazehakase_0.4.2-1etch1_i386.deb
  to pool/main/k/kazehakase/kazehakase_0.4.2-1etch1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 464756@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andres Salomon <dilinger@debian.org> (supplier of updated kazehakase package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 15 Apr 2008 21:59:51 +0000
Source: kazehakase
Binary: kazehakase
Architecture: source i386
Version: 0.4.2-1etch1
Distribution: stable-security
Urgency: high
Maintainer: Hidetaka Iwai <tyuyu@debian.or.jp>
Changed-By: Andres Salomon <dilinger@debian.org>
Description: 
 kazehakase - gecko based web browser using GTK
Closes: 464756
Changes: 
 kazehakase (0.4.2-1etch1) stable-security; urgency=high
 .
   * Stop building against the bundled PCRE (v4.5) library, and instead
     build against the system's PCRE (v6.7) library.  This fixes a
     security problem in kazehakase's PCRE that has already been fixed
     in Debian's pcre3 packages (closes: #464756).
Files: 
 5790484519d4c37f98786f919c1f7c63 812 web optional kazehakase_0.4.2-1etch1.dsc
 ad0a075794227ada15c2a23a8409b1cf 29415 web optional kazehakase_0.4.2-1etch1.diff.gz
 8e8926f7cccb7416cf4e21d94bf5b2a8 755702 web optional kazehakase_0.4.2-1etch1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD4DBQFIBSokOmXwGc/ULyYRAoOgAJ9VE12EzLT7vuDQAndODVHL1XR+3ACYi8fo
ufxp9w370AtNKQY6awD+5w==
=u7kN
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 24 Jun 2008 07:33:14 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 08:11:57 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.