Bug#: 198979
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Robert Buchholz <rbu@gentoo.org>


Description:   Opened: 2007-11-12 22:42 0000
Chicken ships a copy of PCRE which is vulnerable to several security issues as
pointed out in bug #198198.

Highest current stable (1.89) is unaffected as it contains a self-made PCRE
implementation in Scheme.
However, all unstable 2.X versions contain copies of the 6.X series of PCRE.

PCRE 7.3 fixes the issues mentioned.

scheme herd, please advise on the following questions:
* What is PCRE in Chicken used for?
* Would it be feasible to compile against the system PCRE, it is not possible
right now and the dependency on dev-libs/libpcre seems bogus to me.
* Is upstream aware of the issues and what is the best road to fix this in
Gentoo?

------- Comment #1 From Marijn Schouten 2007-11-21 21:49:03 0000 -------
Upstream has included new unaffected libpcre in their recent releases, but
those don't build at this time. I've discussed with Robert and decided to
package mask the current versions. Hopefully we'll have a new version available
soon.

------- Comment #2 From Marijn Schouten 2007-11-28 17:22:34 0000 -------
I've just committed chicken-2.731. The problem was with portage exporting O,
which it doesn't do anymore for >=portage-2.1.4_rc4.

------- Comment #3 From Robert Buchholz 2007-11-29 00:01:11 0000 -------
Does this ebuild work around the "0 problem" or is it not working with stable
portage?
Is it a candidate for stabling, or would you rather wait some more days?

------- Comment #4 From Marijn Schouten 2007-11-29 12:00:40 0000 -------
No, it doesn't work around the O problem, so I don't think it will work with
stable portage.

------- Comment #5 From Pierre-Yves Rofes 2007-12-14 15:57:53 0000 -------
any news here?

------- Comment #6 From Robert Buchholz 2007-12-22 13:52:44 0000 -------
Marijn, which version of Portage is this issue fixed in? Do you have a Portage
bug for reference? I feel a little lost how to handle this thing right now.

------- Comment #7 From Marijn Schouten 2007-12-24 12:23:43 0000 -------
The issue is fixed as of >=portage-2.1.4_rc4. I didn't file any bug for it.
Zmedico probably remembers though.

------- Comment #8 From Christian Faulhammer 2008-03-23 08:57:15 0000 -------
The right version for Portage is stabilised already.  For bug 209052 a newer
chicken version is needed stable, so we can go with that?  Or do you want to
handle chicken here and swig there?

------- Comment #9 From Christian Faulhammer 2008-03-23 10:57:21 0000 -------
chicken 3.0.0 is not going to be stable.  We'll have to wait some more. :)

------- Comment #10 From Marijn Schouten 2008-04-13 14:52:05 0000 -------
I'm happy to have chicken-3.1.0 stabled now.

------- Comment #11 From Pierre-Yves Rofes 2008-05-12 11:47:03 0000 -------
(In reply to comment #10)
> I'm happy to have chicken-3.1.0 stabled now.
> 

hmm sorry, it seems to have been stabled in the meanwhile. So I guess we can
move forward to the glsa part.

------- Comment #12 From Pierre-Yves Rofes 2008-05-12 21:08:52 0000 -------
GLSA 200805-11
