On Mon, Feb 16, 2015 at 07:37:19PM +0100, Moritz Mühlenhoff wrote: > On Sat, Feb 14, 2015 at 03:41:21PM +0100, Luciano Bello wrote: > > The security team received a report from the CERT Coordination Center that > > the > > Henry Spencer regular expressions (regex) library contains a heap overflow > > vulnerability. It looks like this package includes the affected code at > > that's > > the reason of this bug report. > > > > The patch is available here: > > http://gitweb.dragonflybsd.org/dragonfly.git/blobdiff/4d133046c59a851141519d03553a70e903b3eefc..2841837793bd095a82f477e9c370cfe6cfb3862c:/lib/libc/regex/regcomp.c > > Building with "--disable-re" should fix this.
Regrettably not in this case: nvi uses the BSD-specific REG_NOSPEC flag, so it doesn't build with glibc's regex library. I'm just applying the patch instead. -- Colin Watson [cjwat...@debian.org]