Bug 1049227

Summary: erlang: substitute bundled pcre for the system pcre.
Product: [Novell Products] SUSE Security Incidents
Reporter: Victor Pereira <vpereira>
Component: Incidents
Assignee: Matwey Kornilov <matwey.kornilov>
Status: RESOLVED WONTFIX
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P5 - None
CC: astieger, bwiedemann, cloud-bugs, matwey.kornilov, vpereira
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on:
Bug Blocks: 1049096

Description Victor Pereira 2017-07-18 17:48:25 UTC
Dear Maintainer,

The package erlang has PCRE bundled together with the source code. This is a problem for the security team, because we are not able to track and update the bundled libraries if a security vulnerability is found in this lib. If possible, please switch it to use pcre, pcre-devel as build requirements. Would it be possible to try it in the package erlang, for the erts/emulator? I see that a similar action is already being done for zlib.

Thank you,

Victor
Comment 1 Bernhard Wiedemann 2017-07-28 14:54:33 UTC
for the record: I tested that it is as easy as adding
BuildRequires: pcre-devel
Comment 2 Andreas Stieger 2017-11-21 12:36:24 UTC
Matwey, can you make the Factory package use the system pcre, please?
Comment 3 Matwey Kornilov 2017-11-21 12:38:46 UTC
Sure. I'll handle this.
Comment 4 Andreas Stieger 2017-11-21 12:40:11 UTC
(In reply to Bernhard Wiedemann from comment #1)
> for the record: I tested that it is as easy as adding
> BuildRequires: pcre-devel

In a local build, this does not seem to be sufficient.

(In reply to Matwey Kornilov from comment #3)
> Sure. I'll handle this.

Thanks, assigning the issue to you.
Comment 5 Matwey Kornilov 2017-11-21 12:41:40 UTC
Moreover, pcre-devel is actually pulled in by something else in the build environment. So it is installed now. I will look at how to force the build to use the external pcre.
Comment 6 Matwey Kornilov 2017-11-21 12:55:32 UTC
https://github.com/erlang/otp/blob/master/erts/emulator/pcre/README.pcre_update.md

It seems that Erlang bundles not a vanilla PCRE version, but a heavily modified one.
Comment 7 Andreas Stieger 2017-11-21 13:09:50 UTC
(In reply to Matwey Kornilov from comment #6)
> https://github.com/erlang/otp/blob/master/erts/emulator/pcre/README.pcre_update.md
> 
> It seems that Erlang bundles not a vanilla PCRE version, but a heavily modified one.

Hmm, I see. Would you say that this currently prohibits using the system pcre?
If so, I think we can close this as RESOLVED-WONTFIX.
Comment 8 Andreas Stieger 2017-11-22 08:20:01 UTC
pcre bundled in Erlang is modified. pcre vulnerabilities may affect erlang and need to be resolved individually. Closing as WONTFIX.