Date: Sat, 7 Feb 2015 22:39:39 +0100 From: Alistair Crooks <agc@...src.org> To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com> Subject: Spencer regexp heap overflow? Hi, We were contacted in retrospect by a researcher about this blog entry he'd written and published: https://guidovranken.wordpress.com/2015/02/04/full-disclosure-heap-overflow-in-h-spencers-regex-library-on-32-bit-systems/ and I haven't seen anything flying across this list, so I thought I'd bring it to people's attention here. There's a fix in NetBSD HEAD for this, and it will flow out to the release branches in due course. I have to admit we're having a hard time trying to think of a service that exposes regcomp(3) over the internet - there's a reason that Google did re2 for Google code, after all - but I may well be missing something... Regards, Alistair NetBSD/pkgsrc security
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.