Bug#778404: Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability

Moritz Muehlenhoff jmm at inutil.org
Tue Feb 24 15:42:17 UTC 2015


On Mon, Feb 23, 2015 at 02:16:25PM +0100, Eugen Dedu wrote:
> tag 778404 fixed-upstream
> thanks
> 
> On 16/02/15 17:33, Eugen Dedu wrote:
> >On 16/02/15 17:19, Moritz Muehlenhoff wrote:
> >>severity 778404 minor
> >>thanks
> >>
> >>On Sat, Feb 14, 2015 at 03:39:19PM +0100, Luciano Bello wrote:
> >>>Package: ptlib
> >>>Severity: important
> >>>Tags: security patch
> >>>
> >>>The security team received a report from the CERT Coordination Center
> >>>that the Henry Spencer regular expressions (regex) library contains a
> >>>heap overflow vulnerability. It looks like this package includes the
> >>>affected code and that's the reason for this bug report.
> >>
> >>The configure script picks the glibc regex code, so this doesn't affect
> >>the Debian binary packages.
> >
> >Thank you for the analysis.
> >
> >>It would still be useful to report this upstream, so that they update
> >>the local regex code (it could be that the local one is used when
> >>building with a libc other than glibc)
> >
> >I will do it, I have commit access.
> 
> I have committed the patch upstream, thank you:
> 
> https://sourceforge.net/p/opalvoip/code/33381/
> and
> https://sourceforge.net/p/opalvoip/code/33382/
> 
> Shouldn't we close this bug in debian?

You can either close it right away or once the new upstream release
with the above changes hits unstable.

Cheers,
        Moritz