[Buildroot] [2020.02.x] package/pcre: security bump to 8.44

Peter Korsgaard peter at korsgaard.com
Wed Jul 22 21:09:26 UTC 2020


>>>>> "Matthew" == Matthew Weber <matthew.weber at rockwellcollins.com> writes:

 > Thomas,
 > On Tue, Jul 14, 2020 at 3:09 PM Thomas Petazzoni
 > <thomas.petazzoni at bootlin.com> wrote:
 >> 
 >> On Tue, 14 Jul 2020 14:40:08 -0500
 >> Matt Weber <matthew.weber at rockwellcollins.com> wrote:
 >> 
 >> >  * 0001-Kill-compatibility-bits.patch had a bugfix for the lcc
 >> >    compiler (https://vcs.pcre.org/pcre/code/trunk/pcrecpp.cc?r1=1735&r2=1752&pathrev=1763)
 >> >  * License file updated copyright date
 >> >
 >> > Signed-off-by: Matthew Weber <matthew.weber at rockwellcollins.com>
 >> 
 >> There is already a bump to 8.44 in master. Why do you send a separate
 >> patch doing the same thing, but for 2020.02.x ?
 >> 

 > Agree, not needed.  I realized this afterwards.

 >> I think in this kind of case, we should instead reply to the commit
 >> e-mail, and ask Peter to backport it to 2020.02.x.

 > I just checked and it was old enough that I don't have the original
 > commit email.

 >> 
 >> However, you label it as a security bump, without saying which
 >> vulnerability is being fixed. The original version bump commit did not
 >> label it as a security bump.

 > Agree, should have included:

 > CVE-2020-14155
 > libpcre in PCRE before 8.44 allows an integer overflow via a large
 > number after a (?C substring.

Committed to 2020.02.x with a reference to that CVE, thanks.

-- 
Bye, Peter Korsgaard


More information about the buildroot mailing list