On Sat, Nov 05, 2011 at 11:34:08AM +0100, Otto Moerbeek wrote:

> Op 5 nov. 2011 om 00:46 heeft Ted Unangst <t...@tedunangst.com> het volgende
> geschreven:
> 
> > On Fri, Nov 04, 2011, Johan Ryberg wrote:
> >> Hi
> >>
> >> Just read this: http://securityreason.com/achievement_securityalert/102
> >>
> >> Claiming that OpenBSD 5.0 is affected
> >>
> >> Is it?
> >
> > "Red Hat does not consider crash of client application, using regcomp()
> > or regexec() routines on untrusted input without preliminary checking
> > the input for the sanity, to be a security issue."
> >
> > I am, to some extent, inclined to agree.  glob() has similar problems
> > which have been fixed because it's frequently used with naughty inputs.
> > regcomp() is different, I think.  libc is really not the right layer to
> > be doing input validation.
> >
> > This is a bug in proftpd more than anything else IMO.
> 
> Yes, although there definitely could be some improvements made to the way
> out-of-memory conditions are handled. The use of assert here is ugly. There are
> also some expressions that could overflow. I need to find some time to dig
> into these.
> 
>  -Otto

Followup on tech@

        -Otto
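The thread's point is that the caller, not libc, has to sanity-check an untrusted pattern before handing it to regcomp(), and that compile failures should be reported rather than asserted on. The following is an added illustration of that caller-side check in C; it is not code from proftpd, OpenBSD libc or anyone in the thread. The limits (MAX_PATTERN_LEN, MAX_GROUP_DEPTH, MAX_REPEAT_BOUND), the function names and the sample patterns are all assumptions chosen for the example.

```c
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed limits for a user-supplied ERE pattern (illustrative values, not
 * taken from any real project). Tune them to the application's needs. */
#define MAX_PATTERN_LEN   256
#define MAX_GROUP_DEPTH   8
#define MAX_REPEAT_BOUND  64

/* Conservative pre-check of an untrusted POSIX ERE pattern, done before
 * regcomp() ever sees it. Returns 0 if acceptable, -1 otherwise.
 * It bounds total length, group nesting depth and interval counts, and
 * rejects unbalanced parentheses or unterminated brackets/intervals.
 * Bracket expressions are skipped as opaque text, so a nested class such as
 * [[:alpha:]] is handled loosely: the scan never rejects it, it only stops
 * treating the content as a bracket at the first ']'. */
int pattern_is_sane(const char *pat)
{
    size_t len = strlen(pat);
    int depth = 0;

    if (len == 0 || len > MAX_PATTERN_LEN)
        return -1;

    for (size_t i = 0; i < len; i++) {
        char c = pat[i];
        if (c == '\\') {                  /* escaped character: skip it */
            if (i + 1 >= len) return -1;  /* trailing backslash */
            i++;
        } else if (c == '(') {
            if (++depth > MAX_GROUP_DEPTH) return -1;
        } else if (c == ')') {
            if (--depth < 0) return -1;
        } else if (c == '[') {            /* skip a bracket expression */
            i++;
            if (i < len && pat[i] == '^') i++;
            if (i < len && pat[i] == ']') i++;   /* leading literal ']' */
            while (i < len && pat[i] != ']') i++;
            if (i >= len) return -1;      /* unterminated bracket */
        } else if (c == '{') {            /* interval: {n}, {n,}, {n,m} */
            long bound = 0;
            int saw_digit = 0;
            for (i++; i < len && pat[i] != '}'; i++) {
                if (pat[i] >= '0' && pat[i] <= '9') {
                    bound = bound * 10 + (pat[i] - '0');
                    saw_digit = 1;
                    if (bound > MAX_REPEAT_BOUND) return -1;
                } else if (pat[i] == ',') {
                    bound = 0;            /* start of the upper bound */
                } else {
                    return -1;            /* junk inside the interval */
                }
            }
            if (i >= len || !saw_digit) return -1;  /* unterminated/empty */
        }
    }
    return depth == 0 ? 0 : -1;
}

/* Compile an untrusted pattern only after it passes the sanity check.
 * regcomp() errors are turned into a message via regerror(), not assert().
 * Returns 0 on success (caller must regfree()), -1 with errbuf filled on failure. */
int compile_untrusted(const char *pat, regex_t *re, char *errbuf, size_t errlen)
{
    if (pattern_is_sane(pat) != 0) {
        snprintf(errbuf, errlen, "pattern rejected by sanity check");
        return -1;
    }
    int rc = regcomp(re, pat, REG_EXTENDED | REG_NOSUB);
    if (rc != 0) {
        regerror(rc, re, errbuf, errlen);
        return -1;
    }
    return 0;
}

/* Convenience wrapper: 1 = match, 0 = no match, -1 = pattern rejected/invalid. */
int matches_untrusted(const char *pat, const char *subject)
{
    regex_t re;
    char err[128];
    if (compile_untrusted(pat, &re, err, sizeof err) != 0)
        return -1;
    int rc = regexec(&re, subject, 0, NULL, 0);
    regfree(&re);
    return rc == 0 ? 1 : 0;
}

int main(void)
{
    /* Constructed sample inputs for demonstration. */
    const char *pats[] = { "^[a-z]+@example\\.com$", "a{1,99999}", "(abc" };
    for (size_t i = 0; i < 3; i++)
        printf("%-24s -> %d\n", pats[i], matches_untrusted(pats[i], "bob@example.com"));
    return 0;
}
```

The check is deliberately stricter than what regcomp() itself would reject, so some legal but pathological patterns are refused up front; that is the trade-off the thread describes, with the policy living in the application rather than in libc.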
