Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 198979 - dev-scheme/chicken < 3.1.0 Multiple issues in embedded PCRE
Summary: dev-scheme/chicken < 3.1.0 Multiple issues in embedded PCRE
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: B2? [glsa]
Depends on:
Reported: 2007-11-12 22:42 UTC by Robert Buchholz (RETIRED)
Modified: 2008-05-12 21:08 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2007-11-12 22:42:10 UTC
Chicken ships a copy of PCRE which is vulnerable to several security issues as pointed out in bug #198198.

Highest curent stable (1.89) is unaffected as it contains a selfmade PCRE implementation in Scheme.
However, all unstable 2.X versions contain copies of the 6.X series of PCRE.

PCRE 7.3 fixes the issues mentioned.

scheme herd, please advise on the following questions:
* What is PCRE in Chicken used for?
* Would it be feasible to compile against the system PCRE, it is not possible right now and the dependancy on dev-libs/libpcre seems bogus to me.
* Is upstream aware of the issues and what is the best road to fix this in
Comment 1 Marijn Schouten (RETIRED) gentoo-dev 2007-11-21 21:49:03 UTC
Upstream has included new unaffected libpcre in their recent releases, but those don't build at this time. I've discussed with Robert and decided to package mask the current versions. Hopefully we'll have a new version available soon.
Comment 2 Marijn Schouten (RETIRED) gentoo-dev 2007-11-28 17:22:34 UTC
I've just committed chicken-2.731. The problem was with portage exporting O, which it doesn't do anymore for >=portage-2.1.4_rc4.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2007-11-29 00:01:11 UTC
Does this ebuild work around the "0 problem" or is it not working with stable portage?
Is it a candidate for stabling, or would you rather wait some more days?
Comment 4 Marijn Schouten (RETIRED) gentoo-dev 2007-11-29 12:00:40 UTC
No, it doesn't work around the O problem, so I don't think it will work with stable portage.
Comment 5 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-12-14 15:57:53 UTC
any news here?
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2007-12-22 13:52:44 UTC
Marijn, which version of Portage is this issue fixed in? Do you have a Portage bug for reference? I feel a little lost how to handle this thing right now.
Comment 7 Marijn Schouten (RETIRED) gentoo-dev 2007-12-24 12:23:43 UTC
The issue is fixed as of >=portage-2.1.4_rc4. I didn't file any bug for it. Zmedico probably remembers though.
Comment 8 Christian Faulhammer (RETIRED) gentoo-dev 2008-03-23 08:57:15 UTC
The right version for Portage is stabilised already.  For bug 209052 a newer chicken version is needed stable, so we can go with that?  Or do you want to handle chicken here and swig there?
Comment 9 Christian Faulhammer (RETIRED) gentoo-dev 2008-03-23 10:57:21 UTC
chicken 3.0.0 is not going to be stable.  We'll have to wait some more. :)
Comment 10 Marijn Schouten (RETIRED) gentoo-dev 2008-04-13 14:52:05 UTC
I'm happy to have chicken-3.1.0 stabled now.
Comment 11 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-05-12 11:47:03 UTC
(In reply to comment #10)
> I'm happy to have chicken-3.1.0 stabled now.

hmm sorry, It seems to have been stabled in the meanwhile. So I guess we can move forward to the glsa part.
Comment 12 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-05-12 21:08:52 UTC
GLSA 200805-11