Bug#778412: Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability
On Mon, Feb 16, 2015 at 07:37:19PM +0100, Moritz Mühlenhoff wrote:
> On Sat, Feb 14, 2015 at 03:41:21PM +0100, Luciano Bello wrote:
> > The security team received a report from the CERT Coordination Center that
> > the Henry Spencer regular expressions (regex) library contains a heap
> > overflow vulnerability. It looks like this package includes the affected
> > code, and that's the reason for this bug report.
> >
> > The patch is available here:
> > http://gitweb.dragonflybsd.org/dragonfly.git/blobdiff/4d133046c59a851141519d03553a70e903b3eefc..2841837793bd095a82f477e9c370cfe6cfb3862c:/lib/libc/regex/regcomp.c
>
> Building with "--disable-re" should fix this.

Regrettably not in this case: nvi uses the BSD-specific REG_NOSPEC flag, so it doesn't build with glibc's regex library. I'm just applying the patch instead.

--
Colin Watson [cjwat...@debian.org]
Bug#778412: Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability
On Sat, Feb 14, 2015 at 03:41:21PM +0100, Luciano Bello wrote:
> Package: nvi
> Severity: important
> Tags: security patch
>
> The security team received a report from the CERT Coordination Center that
> the Henry Spencer regular expressions (regex) library contains a heap
> overflow vulnerability. It looks like this package includes the affected
> code, and that's the reason for this bug report.
>
> The patch is available here:
> http://gitweb.dragonflybsd.org/dragonfly.git/blobdiff/4d133046c59a851141519d03553a70e903b3eefc..2841837793bd095a82f477e9c370cfe6cfb3862c:/lib/libc/regex/regcomp.c

Building with "--disable-re" should fix this.

Cheers,
Moritz

--
To UNSUBSCRIBE, email to debian-qa-packages-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20150216183718.GA3514@pisco.westfalen.local
Bug#778412: Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability
Package: nvi
Severity: important
Tags: security patch

The security team received a report from the CERT Coordination Center that the Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability. It looks like this package includes the affected code, and that's the reason for this bug report.

The patch is available here:
http://gitweb.dragonflybsd.org/dragonfly.git/blobdiff/4d133046c59a851141519d03553a70e903b3eefc..2841837793bd095a82f477e9c370cfe6cfb3862c:/lib/libc/regex/regcomp.c

Please can you confirm whether the binary packages are affected? Are stable and testing affected?

More information here:
http://www.kb.cert.org/vuls/id/695940
https://guidovranken.wordpress.com/2015/02/04/full-disclosure-heap-overflow-in-h-spencers-regex-library-on-32-bit-systems/

A CVE id has been requested already and the report will be updated with it eventually.

Cheers,
luciano

Archive: https://lists.debian.org/1944331.akNzZpf9O7@box