Your message dated Sat, 14 Feb 2015 16:13:38 +0100
with message-id <[email protected]>
and subject line Re: [Pkg-haskell-maintainers] Bug#778395: Henry Spencer
regular expressions (regex) library contains a heap overflow vulnerability
has caused the Debian Bug report #778395,
regarding Henry Spencer regular expressions (regex) library contains a heap
overflow vulnerability
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
778395: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778395
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: haskell-regex-posix
Severity: important
Tags: security patch
The security team received a report from the CERT Coordination Center that the
Henry Spencer regular expressions (regex) library contains a heap overflow
vulnerability. It looks like this package includes the affected code at that's
the reason of this bug report.
The patch is available here:
http://gitweb.dragonflybsd.org/dragonfly.git/blobdiff/4d133046c59a851141519d03553a70e903b3eefc..2841837793bd095a82f477e9c370cfe6cfb3862c:/lib/libc/regex/regcomp.c
Please, can you confirm if the binary packages are affected? Are stable and
testing affected?
More information, here:
http://www.kb.cert.org/vuls/id/695940
https://guidovranken.wordpress.com/2015/02/04/full-disclosure-heap-overflow-in-h-spencers-regex-library-on-32-bit-systems/
A CVE id has been requested already and the report will be updated with it
eventually.
Cheers, luciano
--- End Message ---
--- Begin Message ---
Dear Luciano,
Am Samstag, den 14.02.2015, 15:28 +0100 schrieb Luciano Bello:
> The security team received a report from the CERT Coordination Center that
> the
> Henry Spencer regular expressions (regex) library contains a heap overflow
> vulnerability. It looks like this package includes the affected code at
> that's
> the reason of this bug report.
>
> The patch is available here:
> http://gitweb.dragonflybsd.org/dragonfly.git/blobdiff/4d133046c59a851141519d03553a70e903b3eefc..2841837793bd095a82f477e9c370cfe6cfb3862c:/lib/libc/regex/regcomp.c
>
> Please, can you confirm if the binary packages are affected? Are stable and
> testing affected?
Thanks for the report. I believe that haskell-regex-posix is not
affected: It ships C code with the vulnerable file, but uses that only
when building on windows. On Linux, the system "regex.h" is used.
Greetings,
Joachim
--
Joachim "nomeata" Breitner
Debian Developer
[email protected] | ICQ# 74513189 | GPG-Keyid: F0FBF51F
JID: [email protected] | http://people.debian.org/~nomeata
signature.asc
Description: This is a digitally signed message part
--- End Message ---