Package: vfu
Severity: grave
Tags: security
Justification: user security hole

vfu embeds a copy of pcre. There's been a recent security update for
pcre (DSA-1399). (I'm not sure if vfu's pcre processes untrusted regexps
or if it's all user-controlled. In that case it's not a security problem,
but should still be fixed for cleanliness):
You should fix the vfu package to link against a shared library version
of PCRE.

(The packaging also appears a bit messy, e.g. the old binaries in the
source package:
drwxr-xr-x 2 jmm jmm 4.0K Jun  5  2005 .OBJ.libvscon.a
drwxr-xr-x 2 jmm jmm 4.0K Jun  5  2005 .OBJ.libvslib.a
drwxr-xr-x 2 jmm jmm 4.0K Jun  5  2005 .OBJ.test )

Cheers,
        Moritz

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.22-2-686 (SMP w/1 CPU core)
Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash
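
An added example, not part of the original report and not Debian or vfu tooling: a scan of an unpacked source tree for the two things the report points at, a bundled `pcre.h` (with the version read from its `PCRE_MAJOR`/`PCRE_MINOR` macros) and prebuilt objects or archives. The sample tree written by `make_sample_tree`, including its paths and the version in it, is constructed.

```python
import os
import re
import sys

# pcre.h states its release in two macros, PCRE_MAJOR and PCRE_MINOR.
VERSION_RE = re.compile(r"^\s*#\s*define\s+PCRE_(MAJOR|MINOR)\s+(\d+)", re.M)
# Build outputs that do not belong in a source package.
BINARY_SUFFIXES = (".o", ".a", ".so")


def scan_source_tree(root):
    """Return (sorted [(pcre.h path, "major.minor" or None)], sorted binaries)."""
    bundled, binaries = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name == "pcre.h":
                with open(path, errors="replace") as fh:
                    found = dict(VERSION_RE.findall(fh.read()))
                version = None
                if "MAJOR" in found and "MINOR" in found:
                    version = found["MAJOR"] + "." + found["MINOR"]
                bundled.append((rel, version))
            elif name.endswith(BINARY_SUFFIXES):
                binaries.append(rel)
    return sorted(bundled, key=lambda item: item[0]), sorted(binaries)


def make_sample_tree(root):
    """Write a constructed sample tree; its paths and version are made up."""
    samples = {
        "lib/pcre/pcre.h": "#define PCRE_MAJOR 6\n#define PCRE_MINOR 7\n",
        ".OBJ.test/main.o": "",
        "src/main.c": "int main(void) { return 0; }\n",
    }
    for rel, text in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)


if __name__ == "__main__":
    pcre, stale = scan_source_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    print("bundled pcre.h:", pcre)
    print("prebuilt binaries:", stale)
```

The version it reports can then be compared by hand with the fixed version named in the relevant advisory; a `pcre.h` without both macros is reported with `None` rather than guessed.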


