[Pkg-clamav-devel] Bug#778406: Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability

Andreas Cadhalpun andreas.cadhalpun at googlemail.com
Sun Feb 15 22:43:46 UTC 2015


Hi Sebastian,

On 14.02.2015 22:28, Sebastian Andrzej Siewior wrote:
> All in all I would say not very applicable and no need for immediate action.
> If you or anyone else feels different please let me know. I prepared this
> patch [0]. It is the one you pointed out applied on the clamav tree with
> minor changes to get it applied.
>
> I will however forward this report to clamav upstream including the patch since
> it is probably best to include it in future anyway.

I think a fix for wheezy can wait for the next upstream release.

> [0] https://anonscm.debian.org/cgit/pkg-clamav/clamav.git/commit/?id=a2344cea2a22089ff0bac16c16e060ebb06425b0

This patch misses the declaration of the maxlen variable.

Best regards,
Andreas


