Bug 835796 - dev-libs/libpcre2 - drop recursion-limit USE flag
Summary: dev-libs/libpcre2 - drop recursion-limit USE flag
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo's Team for Core System packages
Keywords: PullRequest
Reported: 2022-03-22 12:06 UTC by Kobboi
Modified: 2022-03-23 03:00 UTC
Description Kobboi 2022-03-22 12:06:10 UTC
As part of a regular gnome install, I need to unset recursion-limit on dev-libs/libpcre2

The following USE changes are necessary to proceed:
 (see "package.use" in the portage(5) man page for more details)
# required by gui-libs/gtksourceview-5.4.0::gentoo
# required by gnome-extra/gnome-calculator-42.0::gentoo
# required by gnome-base/gnome-extra-apps-40.0::gentoo
# required by gnome-base/gnome-40.0::gentoo[extras]
# required by @kobboi-package-nice-desktop
# required by @kobboi-machine-samsonov
# required by @kobboi-all-machines
# required by @kobboi-all-packages
# required by @selected
# required by @world (argument)
>=dev-libs/libpcre2-10.39 -recursion-limit

Not sure what the policy is for making such a change in a profile or even a package, but from discussing with leio:

(12:55:34) leio: there were no objections on IRC on just dropping this legacy USE=recursion-limit with no good reasoning given, but I didn't follow-up on it yet with a bugzilla entry or more poking to get it removed by base-system@
(12:56:29) leio: I wasn't aware it got unmasked without that
(12:58:47) leio: floppym_ and sam_ should know what's up, maybe a bug to make sure it gets sorted

So here's the bug :)

Reproducible: Always
Comment 1 Mart Raudsepp gentoo-dev 2022-03-22 12:24:12 UTC
Consider libpcre as well, which has the same unexplained legacy limitation. Albeit maybe there the security considerations are more real, dunno. For GNOME we need to get rid of it on libpcre2 or at least significantly increase the limit from USE=recursion-limit from current 8k to at least 4 times more, but probably more like 10+ times more to be safe.
Looked like making it just always do what upstream would do (MATCH_LIMIT instead of 8096), at least for libpcre2, had an initial agreement, hence I had made gtksourceview have a "libpcre2[-recursion-limit(-)]" dep already
Comment 2 Larry the Git Cow gentoo-dev 2022-03-22 15:12:57 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=713db8fe4e7363c39fadb7e10396e8d32b519ab1

commit 713db8fe4e7363c39fadb7e10396e8d32b519ab1
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2022-03-22 14:27:08 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2022-03-22 15:12:42 +0000

    dev-libs/libpcre2: drop 'recursion-limit' USE flag
    
    Closes: https://bugs.gentoo.org/835796
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 dev-libs/libpcre2/{libpcre2-10.39.ebuild => libpcre2-10.39-r1.ebuild} | 3 +--
 dev-libs/libpcre2/metadata.xml                                        | 4 ----
 2 files changed, 1 insertion(+), 6 deletions(-)

Additionally, it has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0f140c24292730f0fc225ff6683589fc84d63a45

commit 0f140c24292730f0fc225ff6683589fc84d63a45
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2022-03-22 14:29:43 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2022-03-22 15:12:42 +0000

    dev-libs/libpcre: drop 'recursion-limit' USE flag
    
    Bug: https://bugs.gentoo.org/835796
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 dev-libs/libpcre/{libpcre-8.45.ebuild => libpcre-8.45-r1.ebuild} | 5 ++---
 dev-libs/libpcre/metadata.xml                                    | 4 ----
 2 files changed, 2 insertions(+), 7 deletions(-)
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-03-23 02:57:30 UTC
Some more context from #gentoo-base (before Kobboi's snippet from #gentoo-desktop):

"""
[17:37:55]  <+leio> !meta -v libpcre2
[17:37:56]  <willikins> leio: dev-libs/libpcre2; maintainers: base-system
[17:37:57]  <willikins> leio: (base-system@gentoo.org) chutzpah, dilfridge, floppym, gyakovlev, mattst88, robbat2, sam, soap, vapier, whissi, williamh, zlogene
[17:38:08]  <+leio> what's the story with libpcre2 default USE=recursion-limit?
[17:38:24]  <+leio> I'm hitting https://gitlab.gnome.org/GNOME/gtksourceview/-/issues/255 due to it
[17:39:13]  <@sam_> https://gitweb.gentoo.org/repo/gentoo.git/commit/dev-libs/libpcre2?id=007fa4785d2ab60f839db2c84d850920e6d59604
[17:39:18]  <@sam_> been that way since addition
[17:40:10]  <+leio> it is carried over from libpcre
[17:40:32]  <+leio> where it was introduced before git
[17:43:49]  <+leio> https://gitweb.gentoo.org/repo/gentoo/historical.git/commit/?id=c515e5fab4f478dccf4089f49b67b6de886ba567
[17:44:13]  <+leio> https://bugs.gentoo.org/333355
[17:44:22]  <+leio> so then it was made an option to stop enforcing the low recursion limit
[17:45:06]  <+leio> why do we default to something other than upstream here, and why do we provide an option at all on this?
[17:48:22]  <@floppym> Very useful message by solar: https://gitweb.gentoo.org/archive/repo/gentoo-2.git/commit/?id=f1bcab5c478664dc2a701d901e0dc8534a0f036e
[17:49:43]  <@floppym> https://gitweb.gentoo.org/archive/repo/gentoo-2.git/commit/?id=902be2104016ab20b5ac5196b85d0fc7da123509
[17:50:34]  <@floppym> My only guess is that setting a limit prevents broken software from triggering infinite recursion.
[17:51:42]  <+leio> there's still a limit, 1 million or something
[17:51:47]  <@floppym> The upstream default appears to be 10000000.
[17:52:05]  <+leio> ok, 10 million
[17:52:43]  <@floppym> I don't see any references to relevant security bugs, so I think removing the flag and going with the upstream default would be fine.
[17:52:53]  <@mattst88> ++
[17:53:47]  <+leio> the test starts to pass if I raise it to 32768 (4 times bigger); still failed if made 16384
[17:54:48]  <@sam_> neither debian nor fedora bother with it either
[17:57:15]  <+leio> it's there for libpcre (1) too
[21:02:53]  <+leio> regarding libpcre2, I'm going to hard require libpcre2[-recursion-limit(-)] and it'll be extremely fun for users with gnome 42 then. I'll try to remember about filing bug tomorrow if someone doesn't follow up without meanwhile
"""