On 2/14/15 6:38 AM, Luciano Bello wrote:
> Package: radare2
> Severity: important
> Tags: security patch
>
> The security team received a report from the CERT Coordination Center that
> the Henry Spencer regular expressions (regex) library contains a heap
> overflow vulnerability. It looks like this package includes the affected
> code, and that's the reason for this bug report.
>
> The patch is available here:
> http://gitweb.dragonflybsd.org/dragonfly.git/blobdiff/4d133046c59a851141519d03553a70e903b3eefc..2841837793bd095a82f477e9c370cfe6cfb3862c:/lib/libc/regex/regcomp.c
>
> Please, can you confirm if the binary packages are affected? Are stable and
> testing affected?
>
> More information, here:
> http://www.kb.cert.org/vuls/id/695940
> https://guidovranken.wordpress.com/2015/02/04/full-disclosure-heap-overflow-in-h-spencers-regex-library-on-32-bit-systems/
>
> A CVE id has been requested already and the report will be updated with it
> eventually.
Hello,

I can't tell you explicitly that radare2 is not affected, given that I haven't found a good proof of concept. What I can do is prepare fixed packages for jessie/unstable and potentially stable. I'll follow up when I have something to show.

Ender.