Bug#450754: vfu: Embeds a copy of pcre

2007-12-15 Thread Nico Golde
Hi Cyril,
* Cyril Brulebois <[EMAIL PROTECTED]> [2007-11-16 04:53]:
> (And now actually attaching the patch…)
[...] 
> From that point of view, it sounds sufficient to remove the -I/-L
> referring to the package's pcre in some files, as suggested in the
> attached patch, and to B-D on libpcre3-dev. As a result, a Depends: on
> libpcre3 is indeed added, which is due to the:
>   NEEDED  libpcre.so.3
> entry in /usr/bin/vfu, as expected.
[...] 
Any news on this? I can sponsor an NMU if you want.
Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.




Bug#450754: vfu: Embeds a copy of pcre

2007-11-09 Thread Moritz Muehlenhoff
Package: vfu
Severity: grave
Tags: security
Justification: user security hole

vfu embeds a copy of pcre. There's been a recent security update for
pcre (DSA-1399). (I'm not sure if vfu's pcre processes untrusted regexps
or if it's all user-controlled. In that case it's not a security problem,
but should still be fixed for cleanliness):
You should fix the vfu package to link against a shared library version
of PCRE.

(The packaging also appears a bit messy, e.g. the old binaries in the
source package:
drwxr-xr-x 2 jmm jmm 4.0K Jun  5  2005 .OBJ.libvscon.a
drwxr-xr-x 2 jmm jmm 4.0K Jun  5  2005 .OBJ.libvslib.a
drwxr-xr-x 2 jmm jmm 4.0K Jun  5  2005 .OBJ.test )

Cheers,
Moritz

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.22-2-686 (SMP w/1 CPU core)
Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Bug#450754: vfu: Embeds a copy of pcre

2007-11-15 Thread Cyril Brulebois
(And now actually attaching the patch…)

Moritz Muehlenhoff <[EMAIL PROTECTED]> (09/11/2007):
> Package: vfu
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> vfu embeds a copy of pcre. There's been a recent security update for
> pcre (DSA-1399). (I'm not sure if vfu's pcre processes untrusted
> regexps or if it's all user-controlled. In that case it's not a
> security problem, but should still be fixed for cleanliness): You
> should fix the vfu package to link against a shared library version of
> PCRE.

From that point of view, it sounds sufficient to remove the -I/-L
referring to the package's pcre in some files, as suggested in the
attached patch, and to B-D on libpcre3-dev. As a result, a Depends: on
libpcre3 is indeed added, which is due to the:
  NEEDED  libpcre.so.3
entry in /usr/bin/vfu, as expected.

For the record, this package is also affected by the menu transition:
W: vfu: menu-item-uses-apps-section /usr/share/menu/vfu:2
W: vfu: menu-item-creates-new-section Apps/Tools /usr/share/menu/vfu:2

Cheers,

-- 
Cyril Brulebois
--- vfu-4.06.orig/vslib/makefile
+++ vfu-4.06/vslib/makefile
@@ -41,7 +41,7 @@
 LD_1   = g++
 AR_1   = ar rv
 RANLIB_1   = ranlib
-CCFLAGS_1  = -I. -Ipcre -O2 $(CCDEF) 
+CCFLAGS_1  = -I. -O2 $(CCDEF) 
 LDFLAGS_1  = $(LDDEF)
 DEPFLAGS_1 = 
 ARFLAGS_1  = 
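Review bot: only the generated CCFLAGS_1 line is edited here although this makefile carries a "### MAKEMAKE ENDS HERE" marker further down, i.e. it is produced from a configuration file the way vfu/makefile is produced from vfu/mm.conf; if vslib has its own mm.conf, drop -Ipcre there as well, otherwise a regeneration of vslib/makefile silently reinstates the embedded headers. Removing -Ipcre is also only sufficient if the vslib sources include the header through the search path (`#include <pcre.h>`); a relative `#include "pcre/pcre.h"` would keep compiling against the embedded header while linking against the system libpcre.so.3, so grep the vslib sources for pcre includes before relying on this hunk.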
@@ -130,7 +130,7 @@
 LD_2   = g++
 AR_2   = ar rv
 RANLIB_2   = ranlib
-CCFLAGS_2  = -I. -Ipcre -I/usr/include/ncurses -O2 $(CCDEF) 
+CCFLAGS_2  = -I. -I/usr/include/ncurses -O2 $(CCDEF) 
 LDFLAGS_2  = $(LDDEF)
 DEPFLAGS_2 = 
 ARFLAGS_2  = 
@@ -236,16 +236,16 @@
 ### MODULES 

 
 modules:
-   make -C pcre 
+   true
 
 clean-modules:
-   make -C pcre clean
+   true
 
 rebuild-modules:
-   make -C pcre rebuild
+   true
 
 link-modules:
-   make -C pcre link
+   true
 
 
 ### MAKEMAKE ENDS HERE 
#
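Review bot: turning the four `make -C pcre …` recipes into `true` stops building the embedded copy but leaves vslib/pcre/ in the source package, so the stale code (and any objects already built under it) still ships and the "embeds a copy" finding remains visible to anyone auditing the source; either drop the directory from the orig tarball or delete it from debian/rules clean. Since `link-modules` used to run `make -C pcre link` and is now a no-op, also confirm that nothing else in the vslib link step still pulls pcre objects into libvslib.a, or the system -lpcre added in vfu/mm.conf will coexist with a second, unpatched PCRE.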
--- vfu-4.06.orig/vfu/mm.conf
+++ vfu-4.06/vfu/mm.conf
@@ -9,6 +9,6 @@
 
 CC  = g++
 LD  = g++
-CCFLAGS = -I../vslib -I../vslib/pcre -I/usr/include/ncurses -O2 $(CCDEF)
-LDFLAGS = -L../vslib -L../vslib/pcre -lvslib -lvscon -lpcre -lncurses $(LDDEF)
+CCFLAGS = -I../vslib -I/usr/include/ncurses -O2 $(CCDEF)
+LDFLAGS = -L../vslib -lvslib -lvscon -lpcre -lncurses $(LDDEF)
 SRC = *.cpp
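Review bot: with -L../vslib/pcre gone, -lpcre now resolves to the system libpcre.so shipped by libpcre3-dev, which is the point of the fix, but nothing in this patch adds that Build-Depends; the debian/control change the mail describes has to accompany it or the build fails in a clean chroot. Library order is right as written: libvslib and libvscon are archives built with `ar` (see AR_1/AR_2 in vslib/makefile) that reference PCRE symbols, so -lpcre must come after them, as it does in `-lvslib -lvscon -lpcre -lncurses`.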
--- vfu-4.06.orig/vfu/makefile
+++ vfu-4.06/vfu/makefile
@@ -40,8 +40,8 @@
 LD_1   = g++
 AR_1   = ar rv
 RANLIB_1   = ranlib
-CCFLAGS_1  = -I../vslib -I../vslib/pcre -I/usr/include/ncurses -O2 $(CCDEF) 
-LDFLAGS_1  = -L../vslib -L../vslib/pcre -lvslib -lvscon -lpcre -lncurses 
$(LDDEF)
+CCFLAGS_1  = -I../vslib -I/usr/include/ncurses -O2 $(CCDEF) 
+LDFLAGS_1  = -L../vslib -lvslib -lvscon -lpcre -lncurses $(LDDEF)
 DEPFLAGS_1 = 
 ARFLAGS_1  = 
 TARGET_1   = vfu
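Review bot: this duplicates the vfu/mm.conf change into the generated makefile, which is needed only as long as the build does not regenerate the makefile from mm.conf; keep the two in sync, and note that the LDFLAGS_1 line appears wrapped across two lines here, which is worth checking against the attached patch before applying it. After the build, verify the result the way the mail describes: `objdump -p debian/vfu/usr/bin/vfu` should list `NEEDED libpcre.so.3`, and dpkg-shlibdeps then emits the libpcre3 Depends from that entry.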


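The check Cyril relies on above (the `NEEDED libpcre.so.3` entry in /usr/bin/vfu, which is what makes dpkg-shlibdeps add the libpcre3 Depends) can be reproduced without objdump by reading the ELF dynamic segment directly. The following is an added example, not code from the vfu package or from this thread: it lists DT_NEEDED entries of a 64-bit little-endian ELF image, and builds a small constructed ELF image in memory (labelled as such in the code) so that it runs offline. The helper name `links_system_pcre` and the file path in the usage block are assumptions for illustration; the i386 build from the report would need the ELF32 header layouts, which this example does not handle.

```python
import struct
import sys

# ELF constants from the gABI; only what DT_NEEDED extraction needs.
PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB, DT_STRSZ = 0, 1, 5, 10


def _program_headers(data):
    """Return [(p_type, p_offset, p_vaddr, p_filesz)] for an ELF64 little-endian image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELFCLASS64 / little-endian is handled here")
    (e_phoff,) = struct.unpack_from("<Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    out = []
    for i in range(e_phnum):
        p_type, _flags, p_offset, p_vaddr, _paddr, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        out.append((p_type, p_offset, p_vaddr, p_filesz))
    return out


def _vaddr_to_offset(phdrs, vaddr):
    """Map a virtual address to a file offset via the PT_LOAD segment that covers it."""
    for p_type, p_offset, p_vaddr, p_filesz in phdrs:
        if p_type == PT_LOAD and p_vaddr <= vaddr < p_vaddr + p_filesz:
            return vaddr - p_vaddr + p_offset
    raise ValueError("address %#x is not file-backed by any PT_LOAD" % vaddr)


def needed_libraries(data):
    """List DT_NEEDED sonames in load order, i.e. what `objdump -p` prints as NEEDED."""
    phdrs = _program_headers(data)
    dyn = [p for p in phdrs if p[0] == PT_DYNAMIC]
    if not dyn:
        return []  # no dynamic segment: statically linked, nothing resolved at run time
    _, dyn_off, _, dyn_size = dyn[0]
    strtab_vaddr = strsz = None
    name_offsets = []
    for off in range(dyn_off, dyn_off + dyn_size, 16):
        d_tag, d_val = struct.unpack_from("<qQ", data, off)
        if d_tag == DT_NULL:
            break
        if d_tag == DT_STRTAB:
            strtab_vaddr = d_val
        elif d_tag == DT_STRSZ:
            strsz = d_val
        elif d_tag == DT_NEEDED:
            name_offsets.append(d_val)
    if strtab_vaddr is None or strsz is None:
        raise ValueError("dynamic segment lacks DT_STRTAB/DT_STRSZ")
    start = _vaddr_to_offset(phdrs, strtab_vaddr)
    strtab = data[start:start + strsz]
    return [strtab[i:strtab.index(b"\0", i)].decode("ascii") for i in name_offsets]


def links_system_pcre(data):
    """True if PCRE is resolved at run time (a NEEDED libpcre*), which is what makes
    dpkg-shlibdeps emit the libpcre3 Depends. Hypothetical helper name; a NEEDED entry
    says nothing about pcre objects that may additionally be linked in statically."""
    return any(name.startswith("libpcre") for name in needed_libraries(data))


def build_sample_elf(needed):
    """Constructed sample input: a minimal ELF64 image holding one PT_LOAD that maps the
    whole file plus a PT_DYNAMIC segment. It is not a runnable program."""
    base = 0x400000                        # arbitrary load address
    ehdr_size, phdr_size, phnum = 64, 56, 2
    dyn_off = ehdr_size + phdr_size * phnum
    n_dyn = 2 + len(needed) + 1            # DT_STRTAB, DT_STRSZ, DT_NEEDED..., DT_NULL
    strtab_off = dyn_off + 16 * n_dyn
    strtab, name_idx = b"\0", []           # index 0 is the empty string by convention
    for name in needed:
        name_idx.append(len(strtab))
        strtab += name.encode("ascii") + b"\0"
    total = strtab_off + len(strtab)
    dyn = [(DT_STRTAB, base + strtab_off), (DT_STRSZ, len(strtab))]
    dyn += [(DT_NEEDED, i) for i in name_idx] + [(DT_NULL, 0)]
    ident = b"\x7fELF\x02\x01\x01" + b"\0" * 9          # ELF64, little-endian, version 1
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 3, 0x3E, 1, 0, ehdr_size, 0, 0,
                       ehdr_size, phdr_size, phnum, 0, 0, 0)
    phdrs = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, base, base, total, total, 0x1000)
    phdrs += struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, base + dyn_off,
                         base + dyn_off, 16 * n_dyn, 16 * n_dyn, 8)
    return ehdr + phdrs + b"".join(struct.pack("<qQ", t, v) for t, v in dyn) + strtab


if __name__ == "__main__":
    # With a path argument, inspect a real binary (e.g. /usr/bin/vfu); otherwise the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            image = f.read()
    else:
        image = build_sample_elf(["libpcre.so.3", "libncurses.so.5", "libc.so.6"])
    for soname in needed_libraries(image):
        print("  NEEDED               %s" % soname)
    print("links against a shared PCRE:", links_system_pcre(image))
```

Run it against the built package with `python3 needed.py debian/vfu/usr/bin/vfu`. A NEEDED entry proves that PCRE is resolved at run time through the system library; it does not prove that no objects from the embedded copy were also linked in, so pair it with a symbol check (`nm` on the unstripped binary and on libvslib.a for defined `pcre_` symbols) when closing a bug like this one.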


Bug#450754: vfu: Embeds a copy of pcre

2007-11-15 Thread Cyril Brulebois
tag 450754 patch
thanks

Moritz Muehlenhoff <[EMAIL PROTECTED]> (09/11/2007):
> Package: vfu
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> vfu embeds a copy of pcre. There's been a recent security update for
> pcre (DSA-1399). (I'm not sure if vfu's pcre processes untrusted
> regexps or if it's all user-controlled. In that case it's not a
> security problem, but should still be fixed for cleanliness): You
> should fix the vfu package to link against a shared library version of
> PCRE.

From that point of view, it sounds sufficient to remove the -I/-L
referring to the package's pcre in some files, as suggested in the
attached patch, and to B-D on libpcre3-dev. As a result, a Depends: on
libpcre3 is indeed added, which is due to the:
  NEEDED  libpcre.so.3
entry in /usr/bin/vfu, as expected.

For the record, this package is also affected by the menu transition:
W: vfu: menu-item-uses-apps-section /usr/share/menu/vfu:2
W: vfu: menu-item-creates-new-section Apps/Tools /usr/share/menu/vfu:2

Cheers,

-- 
Cyril Brulebois




Processed: Re: Bug#450754: vfu: Embeds a copy of pcre

2007-11-15 Thread Debian Bug Tracking System
Processing commands for [EMAIL PROTECTED]:

> tag 450754 patch
Bug#450754: vfu: Embeds a copy of pcre
Tags were: security
Tags added: patch

> thanks
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)

