* Florian Weimer:

> * Florian Weimer:
>
>> * Niko Tyni:
>>
>>>> I'm unsure about the security implications. Will ask for opinions on p5p.
>>>> Cc'ing the security team to get them in the loop.
>>>
>>> No response from either in two weeks, so it seems that nobody is
>>> particularly concerned.
>>
>> It's potentially security-relevant if it can be exploited by
>> UTF-8-decoding some input within the script.
>
> Sorry, forget that, different bug.

Okay, next opinion, after actually investigating the bug (not so much
"different bug", but "wrong impression after seeing the uuencode blob"):

This bug also happens with

  if (/^\Q$ans\E| \Q$ans\E/) { print "I was wrong, sorry...\n"}

(the recommended method of including untrusted input in regular
expressions).  As a result, I fear that it opens a DoS vector in quite a
few services.

How much testing has this patch:

http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=26;filename=27_fix_regcomp_utf8;att=1;bug=454792

received?

Are there any other issues we should bundle with an update?



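An added example, not code from this thread or from the Perl project: it wraps the `\Q$ans\E` pattern quoted above in a small harness so the construct can be exercised against inputs, including a UTF-8-decoded string, since the earlier reply singles out decoding input within the script as the case that would matter. The match runs under an `alarm()` time limit as a crude guard, so a hung regex compile turns into an error instead of a stalled process. The trigger input for the bug itself is not on this page, so the harness does not reproduce it; the function name, the two-second limit and the sample inputs are assumptions made for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use utf8;
use Encode qw(decode);

binmode STDOUT, ':encoding(UTF-8)';

# Added example, not from the original message: the \Q$ans\E pattern from
# the thread, wrapped in a function with an alarm()-based time limit.
# The bug's trigger input is not on the page; this does not reproduce it.
sub matches_answer {
    my ($ans, $line, $timeout) = @_;
    $timeout ||= 2;    # seconds; assumed limit for this example
    my $matched;
    eval {
        local $SIG{ALRM} = sub { die "regex timeout\n" };
        alarm $timeout;
        # \Q...\E applies quotemeta(), so metacharacters in $ans are literal
        $matched = ($line =~ /^\Q$ans\E| \Q$ans\E/) ? 1 : 0;
        alarm 0;
    };
    alarm 0;    # always clear the timer, even if the eval died
    return (undef, $@) if $@;
    return ($matched, undef);
}

# Constructed test inputs (not from the original message): answer, line, expected
my @cases = (
    [ 'foo', 'foo bar',  1 ],
    [ 'foo', 'barfoo',   0 ],    # 'foo' neither at start nor after a space
    [ '.*',  'anything', 0 ],    # quoted: '.*' is literal, so no match
    [ '.*',  'x .*',     1 ],
    # answer decoded from UTF-8 bytes into a character string
    [ decode('UTF-8', "caf\xc3\xa9"), "caf\x{e9} noir", 1 ],
);

for my $c (@cases) {
    my ($ans, $line, $want) = @$c;
    my ($got, $err) = matches_answer($ans, $line);
    if (defined $err) {
        print "ERROR ans=[$ans]: $err";
        next;
    }
    printf "%-4s ans=[%s] line=[%s]\n",
        ($got == $want ? 'ok' : 'FAIL'), $ans, $line;
}
```

Run it under a patched and an unpatched perl with the same inputs; an "ERROR ... regex timeout" line on one but not the other is the signal worth investigating. The alarm only bounds wall-clock time, it does not make a crashing regcomp safe, so keep the harness in a throwaway process.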