Chicken ships a copy of PCRE which is vulnerable to several security issues as pointed out in bug #198198. Highest current stable (1.89) is unaffected as it contains a self-made PCRE implementation in Scheme. However, all unstable 2.X versions contain copies of the 6.X series of PCRE. PCRE 7.3 fixes the issues mentioned.
Scheme herd, please advise on the following questions:
* What is PCRE in Chicken used for?
* Would it be feasible to compile against the system PCRE? It is not possible right now, and the dependency on dev-libs/libpcre seems bogus to me.
* Is upstream aware of the issues and what is the best road to fix this in Gentoo?
Upstream has included new unaffected libpcre in their recent releases, but those don't build at this time. I've discussed with Robert and decided to package mask the current versions. Hopefully we'll have a new version available soon.
I've just committed chicken-2.731. The problem was with portage exporting O, which it doesn't do anymore for >=portage-2.1.4_rc4.
Does this ebuild work around the "0 problem" or is it not working with stable portage? Is it a candidate for stabling, or would you rather wait some more days?
No, it doesn't work around the O problem, so I don't think it will work with stable portage.
Any news here?
Marijn, which version of Portage is this issue fixed in? Do you have a Portage bug for reference? I feel a little lost how to handle this thing right now.
The issue is fixed as of >=portage-2.1.4_rc4. I didn't file any bug for it. Zmedico probably remembers though.
The right version for Portage is stabilised already. For bug 209052 a newer chicken version is needed stable, so we can go with that? Or do you want to handle chicken here and swig there?
chicken 3.0.0 is not going to be stable. We'll have to wait some more. :)
I'm happy to have chicken-3.1.0 stabled now.
(In reply to comment #10)
> I'm happy to have chicken-3.1.0 stabled now.
Hmm sorry, it seems to have been stabled in the meanwhile. So I guess we can move forward to the GLSA part.
GLSA 200805-11