Bug 198812 - dev-libs/glib-2.14 < 2.14.3 Multiple issues in embedded PCRE
Summary: dev-libs/glib-2.14 < 2.14.3 Multiple issues in embedded PCRE
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All
OS: Linux
Importance: High trivial
Assignee: Gentoo Security
URL: http://mail.gnome.org/archives/gtk-de...
Whiteboard: ~2 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2007-11-11 14:48 UTC by Robert Buchholz (RETIRED)
Modified: 2007-11-11 17:08 UTC

See Also:
Package list:
Runtime testing required: ---

Description Robert Buchholz (RETIRED) gentoo-dev 2007-11-11 14:48:20 UTC
glib since 2.14 ships a copy of PCRE which is vulnerable to several security issues as pointed out in bug #198198.

PCRE 7.3 fixes the issues mentioned, and it was included with glib 2.14.3.

Gnome, since 2.14.3 is in the tree already, please remove the vulnerable version (2.14.2).

My greatest urge: Can you please update your 2.14 ebuilds to add "--with-pcre=system" to configure, so the included copy of PCRE will not be compiled and used?
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2007-11-11 14:53:11 UTC
I'll leave this open to get a comment from gnome.
Comment 2 Mart Raudsepp gentoo-dev 2007-11-11 15:02:54 UTC
ok, so:

a) I have removed 2.14.2 from the tree, now that no-one has reported 2.14.3 breaking anything otherwise during the few days

b) A vulnerable glib has never been in the stable tree

c) We cannot just pass --with-pcre=system and lose the memory, unicode and other patches that are applied - not without knowing what we lose. Care to help find out?
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2007-11-11 17:08:22 UTC
I didn't know they shipped a *patched* version of PCRE. If you need it, I won't make you use the system version.

What we'll lose is that we only have to security-support the PCRE in one place, so it would be good if those patches were introduced into PCRE upstream. For now, I'll note glib on our code copy list then and hope gnome upstream is responsive to all issues.
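The bundled-versus-system PCRE question above is something a packager can check on a built library rather than only in the ebuild. The script below is an added example, not part of the bug report or of glib; it assumes binutils (readelf, nm) are available and, as a heuristic, that a bundled PCRE copy leaves its pcre_ symbols visible in the dynamic symbol table of libglib.

```shell
#!/bin/sh
# Added example (not from the bug report): classify how a built libglib gets
# its PCRE. "system" if the shared object declares a NEEDED entry for libpcre,
# "bundled" if it instead defines pcre_* symbols itself, "none" if neither
# is visible. Assumes binutils (readelf, nm) are installed.

# Pure classification over two text inputs so it can be checked offline:
#   $1 = NEEDED library names, one per line (as printed by readelf -d)
#   $2 = defined dynamic symbols, one per line (as printed by nm -D --defined-only)
classify_pcre_source() {
    needed="$1"
    defined="$2"
    if printf '%s\n' "$needed" | grep -q '^libpcre'; then
        echo system
    elif printf '%s\n' "$defined" | grep -q -E '^_?pcre_'; then
        # Heuristic (assumption): a bundled copy keeps pcre_ symbols visible.
        echo bundled
    else
        echo none
    fi
}

# Collect the two inputs from a real shared object on disk.
needed_libs() {
    readelf -d "$1" | sed -n 's/.*(NEEDED).*\[\(.*\)\]/\1/p'
}

defined_symbols() {
    nm -D --defined-only "$1" | awk '{print $NF}'
}

glib_pcre_source() {
    classify_pcre_source "$(needed_libs "$1")" "$(defined_symbols "$1")"
}

# Usage: ./check-pcre.sh /usr/lib/libglib-2.0.so
# Exit status 2 flags a bundled copy that belongs on the code-copy list.
if [ -n "$1" ]; then
    result=$(glib_pcre_source "$1")
    echo "$1: PCRE source is $result"
    [ "$result" = bundled ] && exit 2
    exit 0
fi
```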