[pkg-xtuple-maintainers] Bug#778398: Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability

Daniel Pocock daniel at pocock.pro
Sat Feb 14 14:59:25 UTC 2015

Thanks for reporting this.  I'm not able to look at the issue this weekend.

Can you please let me know if it has been reported upstream or if you
have a moment could you file the report in the upstream bug tracker at
http://www.xtuple.org ?

I don't believe the package is in stable, but it is in testing and backports

On 14/02/15 15:30, Luciano Bello wrote:
> Package: openrpt
> Severity: important
> Tags: security patch
> The security team received a report from the CERT Coordination Center that the 
> Henry Spencer regular expressions (regex) library contains a heap overflow 
> vulnerability. It looks like this package includes the affected code at that's 
> the reason of this bug report.
> The patch is available here:
> http://gitweb.dragonflybsd.org/dragonfly.git/blobdiff/4d133046c59a851141519d03553a70e903b3eefc..2841837793bd095a82f477e9c370cfe6cfb3862c:/lib/libc/regex/regcomp.c
> Please, can you confirm if the binary packages are affected? Are stable and 
> testing affected?
> More information, here:
> http://www.kb.cert.org/vuls/id/695940
> https://guidovranken.wordpress.com/2015/02/04/full-disclosure-heap-overflow-in-h-spencers-regex-library-on-32-bit-systems/
> A CVE id has been requested already and the report will be updated with it 
> eventually.
> Cheers, luciano
> _______________________________________________
> pkg-xtuple-maintainers mailing list
> pkg-xtuple-maintainers at lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-xtuple-maintainers

More information about the pkg-xtuple-maintainers mailing list