Message-ID: <20150207213939.GA23823@nef.pbox.org>
Date: Sat, 7 Feb 2015 22:39:39 +0100
From: Alistair Crooks <agc@...src.org>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: Spencer regexp heap overflow?

Hi,

We were contacted in retrospect by a researcher about this blog entry
he'd written and published:

	https://guidovranken.wordpress.com/2015/02/04/full-disclosure-heap-overflow-in-h-spencers-regex-library-on-32-bit-systems/

and I haven't seen anything flying across this list, so I thought I'd
bring it to people's attention here.

There's a fix in NetBSD HEAD for this, and it will flow out to the
release branches in due course.

I have to admit we're having a hard time trying to think of a service
that exposes regcomp(3) over the internet - there's a reason that
Google did re2 for Google code, after all - but I may well be missing
something...

Regards,
Alistair

NetBSD/pkgsrc security
