* Florian Weimer:

> * Florian Weimer:
>
>> * Niko Tyni:
>>
>>>> I'm unsure about the security implications. Will ask for opinions on p5p.
>>>> Cc'ing the security team to get them in the loop.
>>>
>>> No response from either in two weeks, so it seems that nobody is
>>> particularly concerned.
>>
>> It's potentially security-relevant if it can be exploited by
>> UTF-8-decoding some input within the script.
>
> Sorry, forget that, different bug.
Okay, next opinion, after actually investigating the bug (not so much
"different bug", but "wrong impression after seeing the uuencode blob"):

This bug also happens with

  if (/^\Q$ans\E| \Q$ans\E/) { print "I was wrong, sorry...\n"}

(the recommended method of including untrusted input in regular
expressions). As a result, I fear that it opens a DoS vector in quite a
few services.

How much testing has this patch:

  http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=26;filename=27_fix_regcomp_utf8;att=1;bug=454792

received? Are there any other issues we should bundle with an update?
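As an added example, not part of the thread or of the patch, here is one way a service owner can exercise the quoted \Q...\E pattern against UTF-8 input under a time bound, so a regex compile or match that never returns is reported as "timeout" instead of stalling the process. The match runs in a forked child (alarm alone is not reliable inside a single regex op), so it assumes a Unix perl with fork; the sample inputs are constructed, and the actual input that triggers the reported bug is not in the thread, so this script does not reproduce it.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use utf8;
use POSIX ':sys_wait_h';
binmode STDOUT, ':encoding(UTF-8)';

# Run the thread's recommended pattern in a child process and kill it
# if it does not finish within $seconds.  Returns "match", "nomatch"
# or "timeout".  $ans is the untrusted input: \Q...\E (quotemeta) keeps
# it from altering the pattern's structure, but cannot guard against a
# defect inside the regex engine itself, which is the point of the bug.
sub checked_match {
    my ($ans, $subject, $seconds) = @_;
    my $pid = fork();
    die "fork: $!" unless defined $pid;
    if ($pid == 0) {
        # Child: exit status carries the result (0 = match, 1 = no match).
        exit(($subject =~ /^\Q$ans\E| \Q$ans\E/) ? 0 : 1);
    }
    my $reaped = 0;
    for (1 .. $seconds * 10) {
        if (waitpid($pid, WNOHANG) == $pid) { $reaped = 1; last }
        select(undef, undef, undef, 0.1);   # poll every 100 ms
    }
    unless ($reaped) {
        kill 'KILL', $pid;
        waitpid($pid, 0);
        return 'timeout';
    }
    return (($? >> 8) == 0) ? 'match' : 'nomatch';
}

# Constructed sample inputs: plain ASCII, regex metacharacters that
# quotemeta must neutralise, and multi-byte UTF-8 in both positions.
my @cases = (
    [ 'yes', 'yes or no' ],   # literal at start of subject: match
    [ 'a.b', 'axb'       ],   # '.' is quoted, so no wildcard: nomatch
    [ 'ü',   'Grüße'     ],   # UTF-8, neither at start nor after a space: nomatch
    [ 'ß',   'Gru ße'    ],   # UTF-8 following a space: match
);
for my $c (@cases) {
    printf "%-4s in %-10s -> %s\n", $c->[0], $c->[1],
        checked_match($c->[0], $c->[1], 2);
}
```

Feeding the same harness the input attached to the bug report, before and after applying the regcomp patch, gives a direct pass/fail check for a rebuilt perl package.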