Bug#778412: Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability

To: 778412@bugs.debian.org
Subject: Bug#778412: Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability
From: Moritz Mühlenhoff <jmm@inutil.org>
Date: Mon, 16 Feb 2015 19:37:19 +0100
Message-id: <[🔎] 20150216183718.GA3514@pisco.westfalen.local>
Reply-to: Moritz Mühlenhoff <jmm@inutil.org>, 778412@bugs.debian.org
In-reply-to: <[🔎] 1944331.akNzZpf9O7@box>
References: <[🔎] 1944331.akNzZpf9O7@box>

On Sat, Feb 14, 2015 at 03:41:21PM +0100, Luciano Bello wrote:
> Package: nvi
> Severity: important
> Tags: security patch
> 
> The security team received a report from the CERT Coordination Center that the 
> Henry Spencer regular expressions (regex) library contains a heap overflow 
> vulnerability. It looks like this package includes the affected code at that's 
> the reason of this bug report.
> 
> The patch is available here:
> http://gitweb.dragonflybsd.org/dragonfly.git/blobdiff/4d133046c59a851141519d03553a70e903b3eefc..2841837793bd095a82f477e9c370cfe6cfb3862c:/lib/libc/regex/regcomp.c

Building with "--disable-re" should fix this.

Cheers,
        Moritz

Reply to:

References:
- Bug#778412: Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability
  - From: Luciano Bello <luciano@debian.org>

Prev by Date: Processed: Re: Bug#778418: ndisc6: fails to build on kfreebsd
Next by Date: Bug#778592: libabiword-3.0 : Depends: libical1 (>= 1.0) but it is not installable.
Previous by thread: Bug#778412: Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability
Next by thread: Bug#778418: ndisc6: fails to build on kfreebsd
Index(es):
- Date
- Thread