R ships a copy of PCRE which is vulnerable to several security issues as pointed out in bug #198198. Highes curent stable is: 2.2.1: PCRE Version 6.2 2.6.0: Version 7.2 PCRE 7.3 fixes the issues mentioned. R has no newer version shipping it. Sci herd, could you advise on the following questions: * What is PCRE in R used for? * Would it be feasible to require and compile against the system PCRE (possible in configure) -- same question for the other libraries R needs (and includes) * Is upstream aware of the issues and what is the best road to fix this in Gentoo?
> Sci herd, could you advise on the following questions: > * What is PCRE in R used for? Probably for re's in R. > * Would it be feasible to require and compile against the system PCRE (possible > in configure) -- same question for the other libraries R needs (and includes) yes. > * Is upstream aware of the issues and what is the best road to fix this in > Gentoo? Upstream has updated to pcre-7.4 for their next R release. Meanwhile, I have updated the ebuilds to use the system libs, not just pcre. Waiting for other sci team members to answer since I'm not a R user.
(In reply to comment #1) > Waiting for other sci team members to answer since I'm not a R user. Did you intend to do a straight to stable bump? If not, you should revert the keywords and ping us if you think it's good.
> Did you intend to do a straight to stable bump? > > If not, you should revert the keywords and ping us if you think it's good. It was intended: I followed blindly the gentoo developer handbook part 5.e. I did not realize it wasn't the proper way, sorry about that. Anyway, this is now reverted: ping.
The handbook could be clearer on that, I agree. It is meant that there's no need to wait 30 days with security fixes, but we still require the arch teams to test. Arches, please test and mark stable dev-lang/R-2.2.1-r1. Target keywords : "amd64 ia64 ppc ppc64 sparc x86"
Stable on sparc. This version of R seems ancient (I'm up to the R-2.6.xx series on my systems).
(In reply to comment #5) > Stable on sparc. This version of R seems ancient (I'm up to the R-2.6.xx > series on my systems). > It is very rather old (it was released around the end Dec-2005). For what its worth I've been using R-2.6.0 (and intermediate versions as ebuilds have been updated) since its release without any problems on three x86 systems and haven't had any crashes.
This bug is for stabling a non-vulnerable version of R. It is up to the maintainers to decide *which* version that should be. While I agree that a newer version could be more suited, if the maintainers don't agree, please open a new stabling bug.
x86 stable, please note: dodoc: BUGS does not exist
ia64 stable
ppc64 stable
ppc stable
amd64 done...
request filed.
GLSA 200801-02, sorry for the delay
*** Bug 205201 has been marked as a duplicate of this bug. ***