[Pkg-erlang-devel] Wheezy update of erlang?

Ola Lundqvist ola at inguza.com
Wed Mar 22 18:41:15 UTC 2017


Hi Sergey

Thank you. I'm convinced. I have now marked wheezy as not affected by
CVE-2016-10253.

Best regards

// Ola


On 22 March 2017 at 13:23, Sergei Golovan <sgolovan at nes.ru> wrote:

> Hi Ola,
>
> On Wed, Mar 22, 2017 at 2:55 PM, Ola Lundqvist <ola at inguza.com> wrote:
> > Hi
> >
> > I have not tried to reproduce this myself so I'm not sure.
> >
> > I suggest you also check the source code to see if the vulnerability is
> > there but just some slightly different data.
>
> That's where I've started, and found that Erlang in wheezy uses pretty old
> libpcre (version 7.6), and its sources are very different from the 8.33
> in sid. So, I've tried to find the offending regexp, and seems to find one
> in PCRE sources (as one of the tests). It works fine in wheezy.
>
> >
> > If you are sure wheezy is not vulnerable then we can mark wheezy as not
> > affected by this CVE.
>
> I still can't reliably tell if the regexp I've found is the one which is
> tied to
> CVE-2006-10253. Or it's another crash in PCRE in Erlang.
>
> There are 4 pull requests which claim to fix some overflows (see
> https://bugs.erlang.org/browse/ERL-208 for the list). The one explicitly
> marked as fixing CVE-2006-10253 (https://github.com/erlang/otp/pull/1384)
> doesn't fix the crash with my regexp. Another patch
> (https://github.com/erlang/otp/pull/1108/files)
> does fix the crash. Also, CVE itself contains a link to the last patch, so
> probably that's it. In this case wheezy isn't vulnerable (backport is, I'll
> deal with it later).
>
> Cheers!
> --
> Sergei Golovan
>



-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola at inguza.com                    Folkebogatan 26            \
|  opal at debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.alioth.debian.org/pipermail/pkg-erlang-devel/attachments/20170322/00c3a8f8/attachment-0001.html>


More information about the Pkg-erlang-devel mailing list