[Buildroot] [2020.02.x] package/pcre: security bump to 8.44

Matthew Weber matthew.weber at rockwellcollins.com
Tue Jul 14 20:15:00 UTC 2020


Thomas,


On Tue, Jul 14, 2020 at 3:09 PM Thomas Petazzoni
<thomas.petazzoni at bootlin.com> wrote:
>
> On Tue, 14 Jul 2020 14:40:08 -0500
> Matt Weber <matthew.weber at rockwellcollins.com> wrote:
>
> >  * 0001-Kill-compatibility-bits.patch had a bugfix for the lcc
> >    compiler (https://vcs.pcre.org/pcre/code/trunk/pcrecpp.cc?r1=1735&r2=1752&pathrev=1763)
> >  * License file updated copyright date
> >
> > Signed-off-by: Matthew Weber <matthew.weber at rockwellcollins.com>
>
> There is already a bump to 8.44 in master. Why do you send a separate
> patch doing the same thing, but for 2020.02.x ?
>

Agree, not needed.  I realized this afterwards.

> I think in this kind of case, we should instead reply to the commit
> e-mail, and ask Peter to backport it to 2020.02.x.

I just checked and it was old enough that I don't have the original
commit email.

>
> However, you label it as a security bump, without saying which
> vulnerability is being fixed. The original version bump commit did not
> label it as a security bump.

Agree, should have included:

CVE-2020-14155
libpcre in PCRE before 8.44 allows an integer overflow via a large
number after a (?C substring.

Regards,
Matt
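The CVE text above only says "a large number after a (?C substring". A pre-filter that refuses such patterns before they reach an unpatched libpcre is the kind of check a practitioner would want while the 8.44 bump is still pending on a branch. The following is an added example, not Buildroot's or PCRE's own code; it assumes the PCRE 8.x documented callout syntax `(?C)` / `(?Cn)` with n at most 255, and it does not attempt to reproduce the overflow itself. The scanner skips escaped characters and character classes so that a literal `(?C` is not flagged.

```python
# Added example: flag PCRE callouts whose number exceeds the documented maximum.
# Assumption: PCRE 8.x accepts (?C) and (?Cn) with 0 <= n <= 255. The check is a
# conservative pre-filter for patterns handed to a libpcre older than 8.44
# (CVE-2020-14155); it does not trigger or model the overflow.

PCRE_MAX_CALLOUT = 255


def find_callouts(pattern):
    """Return [(offset, digits)] for every (?C...) callout outside escapes/classes.

    `digits` is the raw digit string after (?C, '' for a bare (?C).
    """
    found = []
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == '\\':            # escaped character: skip it and the next one
            i += 2
            continue
        if c == '[':             # character class: a '(' inside is literal
            i += 1
            if i < n and pattern[i] == '^':
                i += 1
            if i < n and pattern[i] == ']':   # leading ']' is literal in a class
                i += 1
            while i < n and pattern[i] != ']':
                i += 2 if pattern[i] == '\\' else 1
            i += 1               # consume the closing ']'
            continue
        if pattern.startswith('(?C', i):
            j = i + 3
            while j < n and pattern[j].isdigit():
                j += 1
            if j < n and pattern[j] == ')':
                found.append((i, pattern[i + 3:j]))
                i = j + 1
                continue
        i += 1
    return found


def callout_number_exceeds(digits, limit=PCRE_MAX_CALLOUT):
    """True if the digit string denotes a number above `limit`.

    Compare by length first: the hostile input is exactly a very long digit
    run, and Python 3.11+ refuses int() on strings over a few thousand digits.
    """
    stripped = digits.lstrip('0')
    if len(stripped) > len(str(limit)):
        return True
    return int(stripped or '0') > limit


def oversized_callouts(pattern, limit=PCRE_MAX_CALLOUT):
    """All callouts in `pattern` whose number is out of the documented range."""
    return [(pos, digits) for pos, digits in find_callouts(pattern)
            if digits and callout_number_exceeds(digits, limit)]


def is_safe_for_old_pcre(pattern):
    """Reject a pattern rather than hand an oversized callout to libpcre < 8.44."""
    return not oversized_callouts(pattern)


if __name__ == '__main__':
    # Constructed sample patterns, not taken from the advisory.
    for p in [r'a(?C)b(?C1)c', r'(?C255)', r'(?C256)',
              r'(?C' + '9' * 40 + r')', r'\(?C999)', r'[(?C999)]']:
        print(repr(p), 'safe' if is_safe_for_old_pcre(p) else 'REJECT')
```

The length-first comparison matters: the very input the CVE describes is a long digit run, so a naive `int()` conversion would itself be the weak point of the filter on newer Python releases.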

