Bug 31791 - pcre unfixed security issue CVE-2017-11164
Summary: pcre unfixed security issue CVE-2017-11164
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: Cauldron
Hardware: All Linux
Priority: High
Severity: normal
Target Milestone: Mageia 10
Assignee: All Packagers
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-04-13 17:02 CEST by David Walser
Modified: 2023-06-21 18:02 CEST (History)
CC List: 4 users

See Also:
Source RPM: pcre-8.45-3.mga9.src.rpm
CVE:
Status comment:



Description David Walser 2023-04-13 17:02:08 CEST
A note about an unfixed old security issue in pcre was sent out on April 11:
https://www.openwall.com/lists/oss-security/2023/04/11/1

As noted there, we should link any remaining packages that are still linked to old pcre to pcre2 instead.  If anything still hasn't been ported, it should probably be dropped.
David Walser 2023-04-13 17:02:23 CEST

Target Milestone: --- => Mageia 9
Priority: Normal => release_blocker

Comment 1 Lewis Smith 2023-04-13 21:31:17 CEST
Assigning this globally in the absence of one obvious packager.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Lécureuil 2023-06-06 11:02:42 CEST
We should first list the packages to rebuild/fix.

CC: (none) => mageia

Comment 3 Stig-Ørjan Smelror 2023-06-06 15:41:27 CEST
I know David Geiger has been doing a lot, however there are still some packages that require pcre (see Kodi).
I asked the Kodi devs, but they basically dismissed my request and asked for a PR. Since I'm no programmer, there is nothing I can do.

CC: (none) => smelror

Comment 4 David GEIGER 2023-06-06 23:16:17 CEST
Remaining packages which still are linked to pcre1 and have no upstream fix for now are:

$ urpmq --whatrequires lib64pcre1
aifad
coccinelle
cppcheck
ivan
kodi
latex_of_wiki
389-ds-base
cegui
harbour
kjs
lib64kjs4
mp3splt
opencollada
openscap
nmap
ocaml-pcre
privoxy
python3-qutepart
python3-scss
root-core
shadowsocks-libev
sniproxy
snort
stepmania
suricata
syslog-ng
wml
xfce4-verve-plugin
xymon
zrythm
zsh

CC: (none) => geiger.david68210
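The urpmq query above answers the question at the package level. To check the same thing per binary on any RPM or non-RPM host (for instance, a locally built Kodi), the following added example, which is not from this bug report or from Mageia, classifies a file's DT_NEEDED entries as old PCRE (libpcre.so.1 and its posix/cpp wrappers), PCRE2, both, or neither. It assumes binutils' readelf is installed for the live check; the parser itself runs on captured `readelf -d` output, and the sample output below is constructed.

```python
"""Flag ELF files still linked against the legacy PCRE 1 library."""
import re
import shutil
import subprocess

# Sonames of the PCRE 1 family versus the PCRE2 replacement.
OLD_PCRE = re.compile(r"^libpcre(posix|cpp)?\.so\.")
NEW_PCRE = re.compile(r"^libpcre2-(8|16|32|posix)\.so\.")
# One DT_NEEDED line as printed by `readelf -d`.
NEEDED = re.compile(r"\(NEEDED\)\s+Shared library:\s+\[([^\]]+)\]")


def needed_sonames(readelf_output: str) -> list:
    """Extract every DT_NEEDED soname from `readelf -d` output."""
    return NEEDED.findall(readelf_output)


def classify(sonames) -> str:
    """Return 'pcre1', 'pcre2', 'both' or 'none' for a list of sonames."""
    old = any(OLD_PCRE.match(s) for s in sonames)
    new = any(NEW_PCRE.match(s) for s in sonames)
    return {(True, True): "both", (True, False): "pcre1",
            (False, True): "pcre2", (False, False): "none"}[(old, new)]


def audit_file(path: str) -> str:
    """Run readelf on a real ELF file and classify its PCRE linkage."""
    readelf = shutil.which("readelf")
    if readelf is None:
        raise RuntimeError("readelf not found; install binutils")
    out = subprocess.run([readelf, "-d", path], capture_output=True,
                         text=True, check=True).stdout
    return classify(needed_sonames(out))


# Constructed sample: what `readelf -d` prints for a binary still on pcre1.
SAMPLE_PCRE1 = """
Dynamic section at offset 0x1d8 contains 27 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libpcre.so.1]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
"""
# Constructed sample for a binary that has been ported to pcre2.
SAMPLE_PCRE2 = """
 0x0000000000000001 (NEEDED)             Shared library: [libpcre2-8.so.0]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
"""

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(path, audit_file(path))
```

Binaries reported as `pcre1` or `both` are the ones this bug is about; `both` usually means a partially ported program that still pulls the old library in through a plugin or a second dependency.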

Comment 5 Stig-Ørjan Smelror 2023-06-07 11:59:43 CEST
zsh update pushed to use pcre2 instead of pcre1.
Comment 6 Stig-Ørjan Smelror 2023-06-08 07:08:09 CEST
(In reply to Stig-Ørjan Smelror from comment #5)
> zsh update pushed to use pcre2 instead of pcre1.

Too optimistic. zsh git master supports pcre2, not 5.9...
Anyway, zsh is now compiled without pcre support which may limit its features (for now).
Comment 7 Morgan Leijström 2023-06-21 10:25:55 CEST
> an unfixed old security issue


> Kodi devs, but they basically dismissed my request


> Remaining packages which still are linked to pcre1 and have no upstream fix
...


I think sometimes we just can't be better than everybody else and repair the whole world...

Can we drop this from blocker?

CC: (none) => fri

Comment 8 David Walser 2023-06-21 14:54:07 CEST
As long as we've addressed it to the extent we can for now.  We'll need to mark it as a blocker again for Mageia 10.
Comment 9 Morgan Leijström 2023-06-21 18:02:59 CEST
OK, the more we fix it the better,
but do not let it delay mga9 release.

Target Milestone: Mageia 9 => Mageia 10
Priority: release_blocker => High

