(And now actually attaching the patch…)

Moritz Muehlenhoff <[EMAIL PROTECTED]> (09/11/2007):
> Package: vfu
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> vfu embeds a copy of pcre. There's been a recent security update for
> pcre (DSA-1399). (I'm not sure if vfu's pcre processes untrusted
> regexps or if it's all user-controlled. In that case it's not a
> security problem, but should still be fixed for cleanliness): You
> should fix the vfu package to link against a shared library version of
> PCRE.

From that point of view, it sounds sufficient to remove the -I/-L
referring to the package's pcre in some files, as suggested in the
attached patch, and to B-D on libpcre3-dev. As a result, a Depends: on
libpcre3 is indeed added, which is due to the:
  NEEDED      libpcre.so.3
entry in /usr/bin/vfu, as expected.

For the record, this package is also affected by the menu transition:
W: vfu: menu-item-uses-apps-section /usr/share/menu/vfu:2
W: vfu: menu-item-creates-new-section Apps/Tools /usr/share/menu/vfu:2

Cheers,

-- 
Cyril Brulebois
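A check for the outcome described above (the `NEEDED libpcre.so.3` entry in /usr/bin/vfu), as an added example that is not part of the original message or of the vfu package: a small Python 3 reader that lists an ELF64 binary's DT_NEEDED entries and reports whether a `libpcre.so*` is among them. It assumes a 64-bit ELF of either endianness; `dt_needed` and `uses_shared_pcre` are hypothetical names, and the path defaults to the running interpreter only as a convenient sample, so point it at the packaged /usr/bin/vfu to verify the fix.

```python
import struct
import sys

PT_LOAD, PT_DYNAMIC = 1, 2               # program header types
DT_NULL, DT_NEEDED, DT_STRTAB = 0, 1, 5  # dynamic section tags

def dt_needed(path=None):
    """Return the DT_NEEDED library names of an ELF64 file ([] if static)."""
    path = path or sys.executable  # default sample: the running interpreter
    with open(path, "rb") as f:
        data = f.read()
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError(f"{path}: not an ELF64 file (ELF32 not handled here)")
    e = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little-endian, 2 = big
    (e_phoff,) = struct.unpack_from(e + "Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from(e + "HH", data, 0x36)
    loads, dyn = [], None
    for i in range(e_phnum):
        p = struct.unpack_from(e + "IIQQQQQQ", data, e_phoff + i * e_phentsize)
        p_type, _flags, p_offset, p_vaddr, _paddr, p_filesz = p[:6]
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_offset, p_filesz))
        elif p_type == PT_DYNAMIC:
            dyn = (p_offset, p_offset + p_filesz)
    if dyn is None:
        return []  # no dynamic section: statically linked, nothing is NEEDED
    off, end = dyn
    name_offs, strtab_vaddr = [], None
    while off + 16 <= end:
        d_tag, d_val = struct.unpack_from(e + "qQ", data, off)
        off += 16
        if d_tag == DT_NULL:
            break
        if d_tag == DT_NEEDED:
            name_offs.append(d_val)
        elif d_tag == DT_STRTAB:
            strtab_vaddr = d_val
    if not name_offs:
        return []
    # DT_STRTAB holds a virtual address; map it to a file offset via PT_LOAD.
    for vaddr, foff, fsz in loads:
        if vaddr <= strtab_vaddr < vaddr + fsz:
            strtab = foff + (strtab_vaddr - vaddr)
            break
    else:
        raise ValueError("dynamic string table is not inside any PT_LOAD segment")
    return [data[strtab + o:data.index(b"\0", strtab + o)].decode() for o in name_offs]

def uses_shared_pcre(path=None):
    # True when PCRE comes from the shared library, which is what the fix intends.
    return any(n.startswith("libpcre.so") for n in dt_needed(path))
```

Called on /usr/bin/vfu from the fixed package, `dt_needed` should include `libpcre.so.3`, the same entry `objdump -p` prints under its Dynamic Section.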
--- vfu-4.06.orig/vslib/makefile
+++ vfu-4.06/vslib/makefile
@@ -41,7 +41,7 @@
 LD_1       = g++
 AR_1       = ar rv
 RANLIB_1   = ranlib
-CCFLAGS_1  = -I. -Ipcre -O2 $(CCDEF) 
+CCFLAGS_1  = -I. -O2 $(CCDEF) 
 LDFLAGS_1  = $(LDDEF)
 DEPFLAGS_1 = 
 ARFLAGS_1  = 
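Review bot: dropping `-Ipcre` from CCFLAGS_1 only changes the header search path; it does not prevent the bundled `pcre/` directory from being picked up if any vslib source includes the header by a relative path rather than as `<pcre.h>`. Worth grepping the vslib sources for such includes and removing the bundled `pcre/` tree from the Debian source (or repacking the orig tarball), so that the only `pcre.h` the build can reach is the one from libpcre3-dev and the embedded copy cannot come back silently.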
@@ -130,7 +130,7 @@
 LD_2       = g++
 AR_2       = ar rv
 RANLIB_2   = ranlib
-CCFLAGS_2  = -I. -Ipcre -I/usr/include/ncurses -O2 $(CCDEF) 
+CCFLAGS_2  = -I. -I/usr/include/ncurses -O2 $(CCDEF) 
 LDFLAGS_2  = $(LDDEF)
 DEPFLAGS_2 = 
 ARFLAGS_2  = 
@@ -236,16 +236,16 @@
 ### MODULES 
####################################################################
 
 modules:
-       make -C pcre 
+       true
 
 clean-modules:
-       make -C pcre clean
+       true
 
 rebuild-modules:
-       make -C pcre rebuild
+       true
 
 link-modules:
-       make -C pcre link
+       true
 
 
 ### MAKEMAKE ENDS HERE 
#########################################################
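Review bot: replacing each `make -C pcre ...` recipe with `true` leaves four no-op targets that still spawn a shell; since none of them has prerequisites, an empty recipe (or no recipe at all) is cleaner and makes the intent obvious. More importantly, the `### MAKEMAKE ENDS HERE` marker shows this makefile is generated: the vfu/ part of the patch fixes mm.conf, but nothing here touches vslib's generator input, so if vslib has a corresponding mm.conf that lists pcre as a module, regenerating the makefile would bring `make -C pcre` straight back. Patch the generator input as well, or note in the changelog that the makefile must not be regenerated.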
--- vfu-4.06.orig/vfu/mm.conf
+++ vfu-4.06/vfu/mm.conf
@@ -9,6 +9,6 @@
 
 CC      = g++
 LD      = g++
-CCFLAGS = -I../vslib -I../vslib/pcre -I/usr/include/ncurses -O2 $(CCDEF)
-LDFLAGS = -L../vslib -L../vslib/pcre -lvslib -lvscon -lpcre -lncurses $(LDDEF)
+CCFLAGS = -I../vslib -I/usr/include/ncurses -O2 $(CCDEF)
+LDFLAGS = -L../vslib -lvslib -lvscon -lpcre -lncurses $(LDDEF)
 SRC     = *.cpp
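Review bot: `-lpcre` is kept while `-L../vslib/pcre` goes, so the linker now resolves it from the default search path, i.e. the libpcre3-dev copy, which is the intended outcome. One thing to keep in mind when anyone reorders these flags later: `-lpcre` must stay after `-lvslib`, because the static vslib archive is what references the PCRE symbols and the linker only pulls from archives named later on the line; the order in `-lvslib -lvscon -lpcre` is correct as written.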
--- vfu-4.06.orig/vfu/makefile
+++ vfu-4.06/vfu/makefile
@@ -40,8 +40,8 @@
 LD_1       = g++
 AR_1       = ar rv
 RANLIB_1   = ranlib
-CCFLAGS_1  = -I../vslib -I../vslib/pcre -I/usr/include/ncurses -O2 $(CCDEF) 
-LDFLAGS_1  = -L../vslib -L../vslib/pcre -lvslib -lvscon -lpcre -lncurses 
$(LDDEF)
+CCFLAGS_1  = -I../vslib -I/usr/include/ncurses -O2 $(CCDEF) 
+LDFLAGS_1  = -L../vslib -lvslib -lvscon -lpcre -lncurses $(LDDEF)
 DEPFLAGS_1 = 
 ARFLAGS_1  = 
 TARGET_1   = vfu
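Review bot: the removed `LDFLAGS_1` line is split across two lines, with `$(LDDEF)` on a line of its own, and the header `@@ -40,8 +40,8 @@` counts only eight old lines while the hunk as shown has nine, so either the mail client wrapped the line or the hunk does not match the makefile; run `patch --dry-run -p1` against the source before uploading to confirm it applies cleanly, and keep the patch as a real attachment so it does not get wrapped again. The change itself mirrors the vfu/mm.conf hunk, so once mm.conf is fixed this generated makefile stays consistent after regeneration too.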
