From: Leo Famulari
Subject: [peter@more-magic.net: Irregex packages should be updated to 0.9.6]
Date: Fri, 16 Dec 2016 14:33:19 -0500
Message-ID: <20161216193319.GA12690@jasmine>
List-Id: "Development of GNU Guix and the GNU System distribution."
To: guix-devel@gnu.org

With Peter's permission, I'm forwarding this message from guix-security to
guix-devel.

We fixed this bug in our guile-irregex package in commit fb73f07a0fe, but
our chez-irregex and chicken packages are still vulnerable.
Note the updated discussion on the chez-irregex bug tracker:

https://github.com/fedeinthemix/chez-irregex/issues/1

----- Forwarded message from Peter Bex -----

Date: Thu, 15 Dec 2016 20:40:00 +0100
From: Peter Bex
To: guix-security@gnu.org
Subject: Irregex packages should be updated to 0.9.6
User-Agent: Mutt/1.5.23 (2014-03-12)

Hello there,

I'm not a Guix user, but I noticed that Guix has several repackaged
versions of the "irregex" portable regular expression engine for Scheme.
I'm a co-maintainer of the upstream package and I'd like to point out a
vulnerability we've found in it, CVE-2016-9954.

See the announcement at
http://www.openwall.com/lists/oss-security/2016/12/14/18
and the CHICKEN Scheme announcement at
http://lists.gnu.org/archive/html/chicken-announce/2016-12/msg00000.html
(currently no released version has a fix for this issue)

The specific Irregex packages in question are:

- chicken. See above. It will be fixed in 4.12, once it is released.
- chez-irregex. I reported the issue for this port as
  https://github.com/fedeinthemix/chez-irregex/issues/1
- guile-irregex. I couldn't find a repository for this package, so I'm
  assuming this is a direct packaging of the portable upstream code from
  irregex itself. The tarball published on the author's site has now also
  been updated to 0.9.6.

Especially the guile-irregex package could be an important one if Guix
itself makes use of irregex for processing user-provided regexes, because
it can eat up all available memory if left unrestricted.
Cheers,
Peter Bex

----- End forwarded message -----