
Re: [Chicken-hackers] multiple issues in embedded PCRE


From: John Cowan
Subject: Re: [Chicken-hackers] multiple issues in embedded PCRE
Date: Tue, 13 Nov 2007 15:46:21 -0500
User-agent: Mutt/1.5.13 (2006-08-11)

Marijn Schouten (hkBst) scripsit:

> chicken ships its own copy of libpcre which has multiple vulnerabilities
> <http://secunia.com/advisories/27543/>.

It should definitely be upgraded, then.

> Issues such as this one are the reason why local copies of libraries are bad.
> Currently there doesn't seem to be an option to build against the system
> libraries though.

On non-Gentoo systems, it's extremely common for buggy and vulnerable
libraries to remain around for years.  Since that's the normal case, we
adapt to it by packaging pcre.  Indeed, that's the only way to guarantee
i14y, since sufficiently old libpcre's don't even expose the same API.

-- 
John Cowan    http://ccil.org/~cowan    address@hidden
SAXParserFactory [is] a hideous, evil monstrosity of a class that should
be hung, shot, beheaded, drawn and quartered, burned at the stake,
buried in unconsecrated ground, dug up, cremated, and the ashes tossed
in the Tiber while the complete cast of Wicked sings "Ding dong, the
witch is dead."  --Elliotte Rusty Harold on xml-dev



