Hi Luciano,

Thanks for reporting and sorry for not answering until today.

It does not look like it is a real issue for vnc after some analysis. From what I can see in the source code (used grep to find all occurrences) it looks like regcomp is only used when parsing the X server configuration file to see what modules to load. This means that the person having the power to edit the configuration file can potentially inject code that gives the permissions of the person starting the X server (VNC server in this case).

The reason why this is not seen as an issue is that the configuration file is typically owned by root or the person executing the X/VNC server program. Root can typically do anything anyway, and the person starting the X/VNC server already has the permissions of its own user. There could be really rare cases when some unprivileged user creates a configuration file and then someone else uses that configuration file to start the VNC server, but in that case the configuration file has to be pointed out explicitly and I see that as a really long shot.

Based on this I'll close this bug. Thanks. If you object, please let me know.

// Ola

On Sat, Feb 14, 2015 at 3:36 PM, Luciano Bello <luci...@debian.org> wrote:
> Package: vnc4
> Severity: important
> Tags: security patch
>
> The security team received a report from the CERT Coordination Center that the
> Henry Spencer regular expressions (regex) library contains a heap overflow
> vulnerability. It looks like this package includes the affected code and that's
> the reason for this bug report.
>
> The patch is available here:
>
> http://gitweb.dragonflybsd.org/dragonfly.git/blobdiff/4d133046c59a851141519d03553a70e903b3eefc..2841837793bd095a82f477e9c370cfe6cfb3862c:/lib/libc/regex/regcomp.c
>
> Please, can you confirm if the binary packages are affected? Are stable and
> testing affected?
>
> More information, here:
> http://www.kb.cert.org/vuls/id/695940
> https://guidovranken.wordpress.com/2015/02/04/full-disclosure-heap-overflow-in-h-spencers-regex-library-on-32-bit-systems/
>
> A CVE id has been requested already and the report will be updated with it
> eventually.
>
> Cheers, luciano

--
--- Inguza Technology AB --- MSc in Information Technology ----
/ o...@inguza.com      Annebergsslingan 37                    \
| o...@debian.org      654 65 KARLSTAD                         |
| http://inguza.com/   Mobile: +46 (0)70-332 1551              |
\ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
---------------------------------------------------------------