Your message dated Wed, 25 Feb 2015 11:58:15 +0100
with message-id <[email protected]>
and subject line Re: Bug#778404: Henry Spencer regular expressions (regex)
library contains a heap overflow vulnerability
has caused the Debian Bug report #778404,
regarding Henry Spencer regular expressions (regex) library contains a heap
overflow vulnerability
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
778404: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778404
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: ptlib
Severity: important
Tags: security patch
The security team received a report from the CERT Coordination Center that the
Henry Spencer regular expressions (regex) library contains a heap overflow
vulnerability. It looks like this package includes the affected code at that's
the reason of this bug report.
The patch is available here:
http://gitweb.dragonflybsd.org/dragonfly.git/blobdiff/4d133046c59a851141519d03553a70e903b3eefc..2841837793bd095a82f477e9c370cfe6cfb3862c:/lib/libc/regex/regcomp.c
Please, can you confirm if the binary packages are affected? Are stable and
testing affected?
More information, here:
http://www.kb.cert.org/vuls/id/695940
https://guidovranken.wordpress.com/2015/02/04/full-disclosure-heap-overflow-in-h-spencers-regex-library-on-32-bit-systems/
A CVE id has been requested already and the report will be updated with it
eventually.
Cheers, luciano
--- End Message ---
--- Begin Message ---
On 24/02/15 16:42, Moritz Muehlenhoff wrote:
On Mon, Feb 23, 2015 at 02:16:25PM +0100, Eugen Dedu wrote:
tag 778404 fixed-upstream
thanks
On 16/02/15 17:33, Eugen Dedu wrote:
On 16/02/15 17:19, Moritz Muehlenhoff wrote:
severity 778404 minor
thanks
On Sat, Feb 14, 2015 at 03:39:19PM +0100, Luciano Bello wrote:
Package: ptlib
Severity: important
Tags: security patch
The security team received a report from the CERT Coordination Center
that the
Henry Spencer regular expressions (regex) library contains a heap
overflow
vulnerability. It looks like this package includes the affected code
at that's
the reason of this bug report.
The configure script picks the glibc regex code, so this doesn't affect
the Debian binary packages.
Thank you for the analysis.
It would still be useful to report this upstream, so that they update
the local regex code (it could be that the local one is used when
building with a libc other than glibc)
I will do it, I have commit access.
I have committed the patch upstream, thank you:
https://sourceforge.net/p/opalvoip/code/33381/
and
https://sourceforge.net/p/opalvoip/code/33382/
Shouldn't we close this bug in debian?
You can either close it rightway and once the new upstream release
with above changes hits unstable.
Closing then.
--
Eugen
--- End Message ---
