With Peter's permission, I'm forwarding this message from guix-security to guix-devel.

We fixed this bug in our guile-irregex package in commit fb73f07a0fe, but our chez-irregex and chicken packages are still vulnerable.

Note the updated discussion on the chez-irregex bug tracker:

https://github.com/fedeinthemix/chez-irregex/issues/1

----- Forwarded message from Peter Bex -----

Date: Thu, 15 Dec 2016 20:40:00 +0100
From: Peter Bex
To: guix-security@gnu.org
Subject: Irregex packages should be updated to 0.9.6
User-Agent: Mutt/1.5.23 (2014-03-12)

Hello there,

I'm not a Guix user, but I noticed that Guix has several repackaged versions of the "irregex" portable regular expression engine for Scheme. I'm a co-maintainer of the upstream package and I'd like to point out a vulnerability we've found in it, CVE-2016-9954.

See the announcement at
http://www.openwall.com/lists/oss-security/2016/12/14/18
and the CHICKEN Scheme announcement at
http://lists.gnu.org/archive/html/chicken-announce/2016-12/msg00000.html
(currently no released version has a fix for this issue)

The specific Irregex packages in question are:

- chicken. See above. It will be fixed in 4.12, once it is released.

- chez-irregex. I reported the issue for this port as
  https://github.com/fedeinthemix/chez-irregex/issues/1

- guile-irregex. I couldn't find a repository for this package, so I'm assuming this is a direct packaging of the portable upstream code from irregex itself. The tarball published on the author's site has now also been updated to 0.9.6.

Especially the guile-irregex package could be an important one if Guix itself makes use of irregex for processing user-provided regexes, because it can eat up all available memory if left unrestricted.

Cheers,
Peter Bex

----- End forwarded message -----