Hi Luciano,

I can confirm that the problem affects testing and unstable. The package is not in stable. I have committed a patch in SVN:

https://anonscm.debian.org/viewvc/debian-med/trunk/packages/rcsb-core-wrapper/trunk/debian/patches/regcomp_cert_fix.patch?view=markup

Upstream is in CC of this mail so I'll set "Forwarded:" to the patch.

I can upload in less than 24 hours if you acknowledge.

Kind regards

Andreas.

On Sat, Feb 14, 2015 at 03:29:37PM +0100, Luciano Bello wrote:
> Package: librcsb-core-wrapper
> Severity: important
> Tags: security patch
>
> The security team received a report from the CERT Coordination Center that the
> Henry Spencer regular expressions (regex) library contains a heap overflow
> vulnerability. It looks like this package includes the affected code and that's
> the reason for this bug report.
>
> The patch is available here:
> http://gitweb.dragonflybsd.org/dragonfly.git/blobdiff/4d133046c59a851141519d03553a70e903b3eefc..2841837793bd095a82f477e9c370cfe6cfb3862c:/lib/libc/regex/regcomp.c
>
> Please, can you confirm if the binary packages are affected? Are stable and
> testing affected?
>
> More information here:
> http://www.kb.cert.org/vuls/id/695940
> https://guidovranken.wordpress.com/2015/02/04/full-disclosure-heap-overflow-in-h-spencers-regex-library-on-32-bit-systems/
>
> A CVE id has been requested already and the report will be updated with it
> eventually.
>
> Cheers, luciano

--
http://fam-tille.de