Hi,

On Sat, Feb 14, 2015 at 03:35:42PM +0100, Luciano Bello wrote:
> Package: yap
> Severity: important
> Tags: security patch
> 
> The security team received a report from the CERT Coordination Center that
> the Henry Spencer regular expressions (regex) library contains a heap overflow
> vulnerability. It looks like this package includes the affected code and that's
> the reason of this bug report.
> 
> The patch is available here:
> http://gitweb.dragonflybsd.org/dragonfly.git/blobdiff/4d133046c59a851141519d03553a70e903b3eefc..2841837793bd095a82f477e9c370cfe6cfb3862c:/lib/libc/regex/regcomp.c
> 
> Please, can you confirm if the binary packages are affected? Are stable and 
> testing affected?

thanks for your bug report. yap has indeed an embedded code copy of that
library, but apparently in an older version than the one used as basis
for the patch. Anyway, line 290 of file library/regex/regcomp.c seems to be 
the location corresponding to line 210 in the patch.

So yes, it applies, both to sid and jessie (same version of yap). The version
in wheezy (5.1.3-6) is also concerned.

I have to admit that my C is a bit rusty, so I cannot verify myself that
the C pointer gymnastics in the patch are correct. Please do (Luciano,
or someone else from the security team) send me a *signed* email to confirm
that the patch is OK, and I will upload a fixed version to sid. Does this
justify a freeze exception?

Is the security team taking care of the stable version, or otherwise
how should I proceed?

Cheers -Ralf.

