From: Leo Famulari <leo@famulari.name>
To: guix-devel@gnu.org
Subject: [peter@more-magic.net: Irregex packages should be updated to 0.9.6]
Date: Fri, 16 Dec 2016 14:33:19 -0500 [thread overview]
Message-ID: <20161216193319.GA12690@jasmine> (raw)
[-- Attachment #1: Type: text/plain, Size: 1919 bytes --]
With Peter's permission, I'm forwarding this message from guix-security
to guix-devel.
We fixed this bug in our guile-irregex package in commit fb73f07a0fe,
but our chez-irregex and chicken packages are still vulnerable.
Note the updated discussion on the chez-irregex bug tracker:
https://github.com/fedeinthemix/chez-irregex/issues/1
----- Forwarded message from Peter Bex <peter@more-magic.net> -----
Date: Thu, 15 Dec 2016 20:40:00 +0100
From: Peter Bex <peter@more-magic.net>
To: guix-security@gnu.org
Subject: Irregex packages should be updated to 0.9.6
User-Agent: Mutt/1.5.23 (2014-03-12)
Hello there,
I'm not a Guix user, but I noticed that Guix has several repackaged
versions of the "irregex" portable regular expression engine for Scheme.
I'm a co-maintainer of the upstream package and I'd like to point out
a vulnerability we've found in it, CVE-2016-9954.
See the announcement at
http://www.openwall.com/lists/oss-security/2016/12/14/18
and the CHICKEN Scheme announcement at
http://lists.gnu.org/archive/html/chicken-announce/2016-12/msg00000.html
(currently no released version has a fix for this issue)
The specific Irregex packages in question are:
- chicken. See above. It will be fixed in 4.12, once it is released.
- chez-irregex. I reported the issue for this port as
https://github.com/fedeinthemix/chez-irregex/issues/1
- guile-irregex. I couldn't find a repository for this package, so
I'm assuming this is a direct packaging of the portable upstream code
from irregex itself. The tarball published on the author's site has
now also been updated to 0.9.6.
Especially the guile-irregex package could be an important one if Guix
itself makes use of irregex for processing user-provided regexes,
because it can eat up all available memory if left unrestricted.
Cheers,
Peter Bex
----- End forwarded message -----
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
next reply other threads:[~2016-12-16 19:33 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-12-16 19:33 Leo Famulari [this message]
2016-12-16 19:36 ` Chicken security bugs [was Re: [peter@more-magic.net: Irregex packages should be updated to 0.9.6]] Leo Famulari
2016-12-22 19:20 ` Kei Kebreau
2016-12-24 6:32 ` Leo Famulari
2016-12-24 19:23 ` Kei Kebreau
2016-12-24 21:04 ` Leo Famulari
2016-12-25 1:59 ` Kei Kebreau
2016-12-25 5:38 ` Kei Kebreau
2016-12-29 2:07 ` Kei Kebreau
2017-01-01 22:18 ` Leo Famulari
2017-01-02 4:04 ` Kei Kebreau
2017-01-03 5:21 ` Leo Famulari
2017-01-03 13:36 ` Kei Kebreau
2017-01-02 4:07 ` Kei Kebreau
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20161216193319.GA12690@jasmine \
--to=leo@famulari.name \
--cc=guix-devel@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).