unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / code / Atom feed
* [peter@more-magic.net: Irregex packages should be updated to 0.9.6]
@ 2016-12-16 19:33 Leo Famulari
  2016-12-16 19:36 ` Chicken security bugs [was Re: [peter@more-magic.net: Irregex packages should be updated to 0.9.6]] Leo Famulari
  0 siblings, 1 reply; 14+ messages in thread
From: Leo Famulari @ 2016-12-16 19:33 UTC (permalink / raw)
  To: guix-devel

[-- Attachment #1: Type: text/plain, Size: 1919 bytes --]

With Peter's permission, I'm forwarding this message from guix-security
to guix-devel.

We fixed this bug in our guile-irregex package in commit fb73f07a0fe,
but our chez-irregex and chicken packages are still vulnerable.

Note the updated discussion on the chez-irregex bug tracker:

https://github.com/fedeinthemix/chez-irregex/issues/1

----- Forwarded message from Peter Bex <peter@more-magic.net> -----

Date: Thu, 15 Dec 2016 20:40:00 +0100
From: Peter Bex <peter@more-magic.net>
To: guix-security@gnu.org
Subject: Irregex packages should be updated to 0.9.6
User-Agent: Mutt/1.5.23 (2014-03-12)

Hello there,

I'm not a Guix user, but I noticed that Guix has several repackaged
versions of the "irregex" portable regular expression engine for Scheme.
I'm a co-maintainer of the upstream package and I'd like to point out
a vulnerability we've found in it, CVE-2016-9954.

See the announcement at
http://www.openwall.com/lists/oss-security/2016/12/14/18
and the CHICKEN Scheme announcement at
http://lists.gnu.org/archive/html/chicken-announce/2016-12/msg00000.html
(currently no released version has a fix for this issue)

The specific Irregex packages in question are:

- chicken.  See above.  It will be fixed in 4.12, once it is released.
- chez-irregex.  I reported the issue for this port as
   https://github.com/fedeinthemix/chez-irregex/issues/1
- guile-irregex.  I couldn't find a repository for this package, so
   I'm assuming this is a direct packaging of the portable upstream code
   from irregex itself.  The tarball published on the author's site has
   now also been updated to 0.9.6.

Especially the guile-irregex package could be an important one if Guix
itself makes use of irregex for processing user-provided regexes,
because it can eat up all available memory if left unrestricted.

Cheers,
Peter Bex



----- End forwarded message -----

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 14+ messages in thread

end of thread, other threads:[~2017-01-03 13:36 UTC | newest]

Thread overview: 14+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-12-16 19:33 [peter@more-magic.net: Irregex packages should be updated to 0.9.6] Leo Famulari
2016-12-16 19:36 ` Chicken security bugs [was Re: [peter@more-magic.net: Irregex packages should be updated to 0.9.6]] Leo Famulari
2016-12-22 19:20   ` Kei Kebreau
2016-12-24  6:32     ` Leo Famulari
2016-12-24 19:23       ` Kei Kebreau
2016-12-24 21:04         ` Leo Famulari
2016-12-25  1:59           ` Kei Kebreau
2016-12-25  5:38             ` Kei Kebreau
2016-12-29  2:07               ` Kei Kebreau
2017-01-01 22:18             ` Leo Famulari
2017-01-02  4:04               ` Kei Kebreau
2017-01-03  5:21                 ` Leo Famulari
2017-01-03 13:36                   ` Kei Kebreau
2017-01-02  4:07               ` Kei Kebreau

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).