| Summary: | pcre is bundled with mariadb-10.x | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Oden Eriksson <oe> |
| Component: | RPM Packages | Assignee: | Mageia Bug Squad <bugsquad> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | normal | ||
| Priority: | Normal | ||
| Version: | 4 | ||
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Source RPM: | pcre | CVE: | |
| Status comment: | |||
| Attachments: | The stack guard patch | ||
Created attachment 4965
The stack guard patch

This has now been implemented in upstream HEAD in r1454.

`svn diff -r1453:1454 svn://vcs.exim.org/pcre/code/trunk`

This has now been added in Mageia Cauldron as of: http://svnweb.mageia.org/packages?view=revision&revision=594784

This was fixed long ago, closing.

Status: NEW => RESOLVED
The whole pcre code is bundled with mariadb-10.x, which could pose future security problems. In Mandriva/Mageia we avoid using built-in bundled copies of common system-wide provided libraries as much as possible. This gives us the obvious benefit that we don't have to patch a large number of software packages should a security flaw become known in, for example, pcre.

With the latest MariaDB-10.x, pcre-8.34 is bundled with the source, with changes to pcre that eliminate the chance of anyone crashing the server with a simple `SELECT a RLIKE REPEAT('(', 1000);` statement. https://blog.mariadb.org/mariadb-upgrades-to-pcre-8-34/

I asked Sergei Golubchik at MariaDB for a clean patch for pcre-8.34, which he provided. The patch also fixes a build problem (pcre-8.34/pcre_compile.c:7997: undefined reference to `pcre_stack_guard') we discovered on Friday using the "-Wl,--no-undefined" gcc switch and the Mageia pcre source RPM package. The patch is attached to this bug and applies cleanly to pcre-8.34.

Our hope is that this patch will be accepted by pcre upstream, which will allow MariaDB-10.x to be built with the system pcre libs. This will probably be appreciated by most open-source based distributions for the reasons stated above.

Cheers.
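An added example of the mechanism the attached patch introduces; this is my own illustration, not code from this bug, from pcre or from MariaDB. It is a toy recursive group parser in C with a hook of the same shape as `pcre_stack_guard` (assumed here to be `int (*)(void)`, non-zero meaning abort; every `toy_*` name is invented), whose sample guard measures stack consumed since entry, the kind of check an embedding server would do against its thread stack, so a pattern like REPEAT('(', 1000) is refused with an error instead of overrunning the stack.

```c
#include <stdint.h>
#include <string.h>

/* Result codes of the toy compiler (every toy_* name here is invented). */
enum { TOY_OK = 0, TOY_ERR_UNBALANCED, TOY_ERR_TOO_DEEP };
/* Hook in the shape of pcre_stack_guard: consulted on each recursion of the
 * compiler; non-zero aborts compilation. NULL = unguarded (unpatched) mode. */
int (*toy_stack_guard)(void) = NULL;
static uintptr_t toy_stack_base;   /* stack address recorded on entry       */
size_t toy_stack_limit = 4096;     /* bytes of stack the parser may consume */
/* Sample guard: how far the current frame is from the entry frame. A server
 * would instead check the remaining size of the calling thread's stack. */
int toy_guard_by_stack_usage(void)
{
    volatile char marker;          /* something that lives in this frame */
    uintptr_t here = (uintptr_t)&marker, base = toy_stack_base;
    return (here > base ? here - base : base - here) > toy_stack_limit;
}
/* Recursive scan of nested groups: one frame per '(' is how REPEAT('(', 1000)
 * becomes stack exhaustion; with the hook installed it becomes an error. */
static int parse_group(const char **p, int depth)
{
    int rc;
    if (toy_stack_guard != NULL && toy_stack_guard()) return TOY_ERR_TOO_DEEP;
    for (;;) {
        char c = **p;
        if (c == '\0') return depth == 0 ? TOY_OK : TOY_ERR_UNBALANCED;
        (*p)++;
        if (c == ')') return depth == 0 ? TOY_ERR_UNBALANCED : TOY_OK;
        if (c == '(' && (rc = parse_group(p, depth + 1)) != TOY_OK) return rc;
    }
}

int toy_compile(const char *pattern)
{
    volatile char base_marker;     /* marks the entry frame for the guard */
    toy_stack_base = (uintptr_t)&base_marker;
    return parse_group(&pattern, 0);
}
/* Compiles n_open '(' followed by n_close ')', guarded or unguarded. */
int toy_compile_nested(int n_open, int n_close, int guarded)
{
    static char pat[2048];         /* enough for the REPEAT('(', 1000) case */
    memset(pat, '(', (size_t)n_open);
    memset(pat + n_open, ')', (size_t)n_close);
    pat[n_open + n_close] = '\0';
    toy_stack_guard = guarded ? toy_guard_by_stack_usage : NULL;
    return toy_compile(pat);
}
```

Unguarded, a run of 1000 unmatched '(' is only reported as unbalanced after the parser has recursed 1000 frames deep; with the guard installed the same input is rejected with TOY_ERR_TOO_DEEP long before that, while shallow patterns still compile.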