[Pkg-erlang-devel] Wheezy update of erlang?

Ola Lundqvist ola at inguza.com
Wed Mar 22 11:55:25 UTC 2017


Hi

I have not tried to reproduce this myself so I'm not sure.

I suggest you also check the source code to see if the vulnerability is
there but just with some slightly different data.

If you are sure wheezy is not vulnerable then we can mark wheezy as not
affected by this CVE.

Best regards

// Ola

On 22 March 2017 at 12:00, Sergei Golovan <sgolovan at nes.ru> wrote:

> Hi Ola,
>
> On Tue, Mar 21, 2017 at 10:27 PM, Ola Lundqvist <ola at inguza.com> wrote:
> > Hi
> >
> > Great. Let us know when you have a package prepared (package and debdiff for
> > us to check) so we can coordinate the upload with issuing the DLA.
>
> On the other hand, are you sure that erlang 1:15.b.1-dfsg-4+deb7u1 (which is
> in wheezy currently) is actually vulnerable? I've tried to compile the regular
> expression which crashes the modern Erlang interpreter (taken from
> https://vcs.pcre.org/pcre/code/trunk/testdata/testoutput2?r1=1540&r2=1542&pathrev=1542)
> and it works fine:
>
> $ erl
> Erlang R15B01 (erts-5.9.1) [source] [64-bit] [smp:8:8] [async-threads:0] [kernel-poll:false]
>
> Eshell V5.9.1  (abort with ^G)
> 1> re:compile("(?<=((?2))((?1)))").
> {error,{"lookbehind assertion is not fixed length",16}}
> 2>
>
> Are there any additional test data to try?
>
> Cheers!
> --
> Sergei Golovan
>



-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola at inguza.com                    Folkebogatan 26            \
|  opal at debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------