[pkg-xtuple-maintainers] Bug#778398: Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability

Daniel Pocock daniel at pocock.pro
Sat Feb 14 14:59:25 UTC 2015


Thanks for reporting this.  I'm not able to look at the issue this weekend.

Can you please let me know if it has been reported upstream or if you
have a moment could you file the report in the upstream bug tracker at
http://www.xtuple.org ?

I don't believe the package is in stable, but it is in testing and backports.



On 14/02/15 15:30, Luciano Bello wrote:
> Package: openrpt
> Severity: important
> Tags: security patch
>
> The security team received a report from the CERT Coordination Center that the 
> Henry Spencer regular expressions (regex) library contains a heap overflow 
> vulnerability. It looks like this package includes the affected code, and that's 
> the reason for this bug report.
>
> The patch is available here:
> http://gitweb.dragonflybsd.org/dragonfly.git/blobdiff/4d133046c59a851141519d03553a70e903b3eefc..2841837793bd095a82f477e9c370cfe6cfb3862c:/lib/libc/regex/regcomp.c
>
> Please, can you confirm if the binary packages are affected? Are stable and 
> testing affected?
>
> More information, here:
> http://www.kb.cert.org/vuls/id/695940
> https://guidovranken.wordpress.com/2015/02/04/full-disclosure-heap-overflow-in-h-spencers-regex-library-on-32-bit-systems/
>
> A CVE id has been requested already and the report will be updated with it 
> eventually.
>
> Cheers, luciano
>
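The report asks the maintainer to confirm whether the binary packages include the affected code. The first triage step for that is to locate any vendored copy of the Spencer regex sources in the package's source tree. The script below is an added example, not code from the bug report or from the openrpt/xTuple project; it assumes the vendored files carry Henry Spencer's copyright notice (as the BSD libc copies do) and builds a small constructed fixture tree to run against, so the directory layout and file contents are illustrative, not openrpt's real layout.

```shell
#!/bin/sh
# Added example (not from the bug report): find vendored copies of the
# Henry Spencer regex library in a source tree, so a maintainer can answer
# "does this package include the affected code?" before inspecting the
# DragonFly patch. Assumption: the vendored files keep Spencer's copyright
# notice, as the BSD libc regcomp.c does.
set -eu

# find_spencer_regex DIR: print every regular file under DIR that mentions
# "Henry Spencer" (case-insensitive), sorted for stable output.
find_spencer_regex() {
    dir="$1"
    find "$dir" -type f -exec grep -l -i 'Henry Spencer' {} + 2>/dev/null | sort
}

# count_hits DIR: number of candidate files found under DIR
count_hits() {
    find_spencer_regex "$1" | wc -l | tr -d ' '
}

# make_sample_tree: constructed fixture with one vendored regex copy and one
# unrelated source file; prints the temporary root directory.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/common/regex" "$root/src"
    cat > "$root/common/regex/regcomp.c" <<'EOF'
/*
 * Copyright (c) 1992, 1993, 1994 Henry Spencer.
 * (constructed fixture, not the real file)
 */
int regcomp(void *preg, const char *pattern, int cflags) { return 0; }
EOF
    cat > "$root/src/main.cpp" <<'EOF'
// unrelated application source (constructed fixture)
int main(void) { return 0; }
EOF
    printf '%s\n' "$root"
}

# Stand-alone usage: scan the fixture and list what was found.
if [ "${1:-}" = "--demo" ]; then
    root=$(make_sample_tree)
    echo "candidate Spencer regex files under $root:"
    find_spencer_regex "$root"
    rm -rf "$root"
fi
```

Run `sh find_spencer.sh --demo` to see the fixture scan, or call `find_spencer_regex /path/to/unpacked/source` on a real `apt-get source` checkout; a hit on a file named `regcomp.c` is the one to compare against the DragonFly change linked in the report.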



