The whole pcre code is bundled with mariadb-10.x which could pose future security problems. In Mandriva/Mageia we avoid using built bundled copies of common system wide provided libraries as much as possible. This gives us the obvious benefit of that we don't have to patch a large number of softwares should a security flaw be known in for example pcre. With the latest MariaDB-10.x, pcre-8.34 is bundled with the source with changes to pcre that eliminates the chance of anyone crashing the server with a simple " SELECT a RLIKE REPEAT('(', 1000);" statement. https://blog.mariadb.org/mariadb-upgrades-to-pcre-8-34/ I asked Sergei Golubchik at MariaDB for a clean patch for pcre-8.34 which he provided. The patch also fixes a build problem (pcre-8.34/pcre_compile.c:7997: undefined reference to `pcre_stack_guard') we discovered on friday using the "-Wl,--no-undefined" gcc switch and using the mageia pcre source rpm package. The patch is attached to this bug and applies cleanly to pcre-8.34. Our hope is that this patch will be accepted by pcre upstream which will allow MariaDB-10.x to be built with system pcre libs. This will probably be appreciated by most OpenSource based distributions due to the reasons stated above. Cheers. Reproducible: Steps to Reproduce:
Created attachment 4965 [details] The stack guard patch
This has now been implemented upstream HEAD in r1454. svn diff -r1453:1454 svn://vcs.exim.org/pcre/code/trunk
This has now been added in Mageia Cauldron as of: http://svnweb.mageia.org/packages?view=revision&revision=594784
https://mariadb.atlassian.net/browse/MDEV-5620
http://bazaar.launchpad.net/~maria-captains/maria/10.0/revision/4025
This was fixed long ago, closing.
Status: NEW => RESOLVEDResolution: (none) => FIXED