Bug#778404: Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability

Eugen Dedu eugen.dedu at univ-fcomte.fr
Mon Feb 23 13:16:25 UTC 2015


tag 778404 fixed-upstream
thanks

On 16/02/15 17:33, Eugen Dedu wrote:
> On 16/02/15 17:19, Moritz Muehlenhoff wrote:
>> severity 778404 minor
>> thanks
>>
>> On Sat, Feb 14, 2015 at 03:39:19PM +0100, Luciano Bello wrote:
>>> Package: ptlib
>>> Severity: important
>>> Tags: security patch
>>>
>>> The security team received a report from the CERT Coordination Center
>>> that the Henry Spencer regular expressions (regex) library contains a
>>> heap overflow vulnerability. It looks like this package includes the
>>> affected code and that's the reason for this bug report.
>>
>> The configure script picks the glibc regex code, so this doesn't affect
>> the Debian binary packages.
>
> Thank you for the analysis.
>
>> It would still be useful to report this upstream, so that they update
>> the local regex code (it could be that the local one is used when
>> building with a libc other than glibc)
>
> I will do it, I have commit access.

I have committed the patch upstream, thank you:

https://sourceforge.net/p/opalvoip/code/33381/
and
https://sourceforge.net/p/opalvoip/code/33382/

Shouldn't we close this bug in Debian?

-- 
Eugen


