[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
address@hidden: Irregex packages should be updated to 0.9.6]
From: |
Leo Famulari |
Subject: |
address@hidden: Irregex packages should be updated to 0.9.6] |
Date: |
Fri, 16 Dec 2016 14:33:19 -0500 |
User-agent: |
Mutt/1.7.1 (2016-10-04) |
With Peter's permission, I'm forwarding this message from guix-security
to guix-devel.
We fixed this bug in our guile-irregex package in commit fb73f07a0fe,
but our chez-irregex and chicken packages are still vulnerable.
Note the updated discussion on the chez-irregex bug tracker:
https://github.com/fedeinthemix/chez-irregex/issues/1
----- Forwarded message from Peter Bex <address@hidden> -----
Date: Thu, 15 Dec 2016 20:40:00 +0100
From: Peter Bex <address@hidden>
To: address@hidden
Subject: Irregex packages should be updated to 0.9.6
User-Agent: Mutt/1.5.23 (2014-03-12)
Hello there,
I'm not a Guix user, but I noticed that Guix has several repackaged
versions of the "irregex" portable regular expression engine for Scheme.
I'm a co-maintainer of the upstream package and I'd like to point out
a vulnerability we've found in it, CVE-2016-9954.
See the announcement at
http://www.openwall.com/lists/oss-security/2016/12/14/18
and the CHICKEN Scheme announcement at
http://lists.gnu.org/archive/html/chicken-announce/2016-12/msg00000.html
(currently no released version has a fix for this issue)
The specific Irregex packages in question are:
- chicken. See above. It will be fixed in 4.12, once it is released.
- chez-irregex. I reported the issue for this port as
https://github.com/fedeinthemix/chez-irregex/issues/1
- guile-irregex. I couldn't find a repository for this package, so
I'm assuming this is a direct packaging of the portable upstream code
from irregex itself. The tarball published on the author's site has
now also been updated to 0.9.6.
Especially the guile-irregex package could be an important one if Guix
itself makes use of irregex for processing user-provided regexes,
because it can eat up all available memory if left unrestricted.
Cheers,
Peter Bex
----- End forwarded message -----
signature.asc
Description: PGP signature
- address@hidden: Irregex packages should be updated to 0.9.6],
Leo Famulari <=
- Chicken security bugs [was Re: address@hidden: Irregex packages should be updated to 0.9.6]], Leo Famulari, 2016/12/16
- Re: Chicken security bugs [was Re: address@hidden: Irregex packages should be updated to 0.9.6]], Kei Kebreau, 2016/12/22
- Re: Chicken security bugs [was Re: address@hidden: Irregex packages should be updated to 0.9.6]], Leo Famulari, 2016/12/24
- Re: Chicken security bugs [was Re: address@hidden: Irregex packages should be updated to 0.9.6]], Kei Kebreau, 2016/12/24
- Re: Chicken security bugs [was Re: address@hidden: Irregex packages should be updated to 0.9.6]], Leo Famulari, 2016/12/24
- Re: Chicken security bugs [was Re: address@hidden: Irregex packages should be updated to 0.9.6]], Kei Kebreau, 2016/12/24
- Re: Chicken security bugs [was Re: address@hidden: Irregex packages should be updated to 0.9.6]], Kei Kebreau, 2016/12/25
- Re: Chicken security bugs [was Re: address@hidden: Irregex packages should be updated to 0.9.6]], Kei Kebreau, 2016/12/28