tag 450754 patch
thanks

Moritz Muehlenhoff <[EMAIL PROTECTED]> (09/11/2007):
> Package: vfu
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> vfu embeds a copy of pcre. There's been a recent security update for
> pcre (DSA-1399). (I'm not sure if vfu's pcre processes untrusted
> regexps or if it's all user-controlled. In that case it's not a
> security problem, but should still be fixed for cleanliness): You
> should fix the vfu package to link against a shared library version of
> PCRE.

From that point of view, it sounds sufficient to remove the -I/-L
referring to the package's pcre in some files, as suggested in the
attached patch, and to B-D on libpcre3-dev. As a result, a Depends: on
libpcre3 is indeed added, which is due to the:
  NEEDED      libpcre.so.3
entry in /usr/bin/vfu, as expected.

For the record, this package is also affected by the menu transition:
W: vfu: menu-item-uses-apps-section /usr/share/menu/vfu:2
W: vfu: menu-item-creates-new-section Apps/Tools /usr/share/menu/vfu:2

Cheers,

-- 
Cyril Brulebois
