|
Bugzilla – Full Text Bug Listing |
| Summary: | gnumeric - use system pcre | ||
|---|---|---|---|
| Product: | [openSUSE] SUSE LINUX 10.0 | Reporter: | Marcus Meissner <meissner> |
| Component: | GNOME | Assignee: | E-mail List <gnome-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | E-mail List <qa-bugs> |
| Severity: | Major | ||
| Priority: | P5 - None | CC: | security-team |
| Version: | Beta 3 | ||
| Target Milestone: | --- | ||
| Hardware: | Other | ||
| OS: | All | ||
| Whiteboard: | |||
| Found By: | Other | Services Priority: | |
| Business Priority: | Blocker: | --- | |
| Marketing QA Status: | --- | IT Deployment: | --- |
|
Description
Marcus Meissner
2005-08-24 09:40:46 UTC
CVS HEAD version is fixed to use the system's pcre. Jody, can you backport this fix? rodrigo : cvs still uses a private copy of pcre. It's been moved into libgoffice. jpr : There is no fix to backport. Even if there was we should ship gnumeric-1.6 which will come out with gnome-2.12. marcus : gnumeric's pcre has a few upstream fixes for utf-8 support. The local copy is small and is not exposed. Why do we need to use the system copy ? the upstream pcre had a security ( integer overflow) problem. check https://bugzilla.novell.com/show_bug.cgi?id=106209 In general the system library should be used to avoid requiring updates for old versions if the library is affected by such seczurity issues. For gnumeric this is not necessary, since it will not take untrusted input usually. marcus : gnumeric syncs to the upstream copy and adds some utf-8 optimization. It would be nice to use the system version, but it would be a low priority. For now the only use of pcre is internal to gnumeric using regexps generated from value formats. While the formats may be user entered, they are only indirectly passed to pcre. It could be done, but I would rather not add a build dependency this close to a release. I've contacted the subsystem maintainer and he'll have a look after the release. no worries. getting it fixed from upstream is ok for gnumeric. |