Hi I have not tried to reproduce this myself so I'm not sure.
I suggest you also check the source code to see if the vulnerability is there but just some slightly different data. If you are sure wheezy is not vulnerable then we can mark wheezy as not affected by this CVE.

Best regards

// Ola

On 22 March 2017 at 12:00, Sergei Golovan <sgolo...@nes.ru> wrote:

> Hi Ola,
>
> On Tue, Mar 21, 2017 at 10:27 PM, Ola Lundqvist <o...@inguza.com> wrote:
> > Hi
> >
> > Great. Let us know when you have a package prepared (package and debdiff for
> > us to check) so we can coordinate the upload with issuing the DLA.
>
> On the other hand, are you sure that erlang 1:15.b.1-dfsg-4+deb7u1 (which is
> in wheezy currently) is actually vulnerable? I've tried to compile the regular
> expression which crashes the modern Erlang interpreter (taken from
> https://vcs.pcre.org/pcre/code/trunk/testdata/testoutput2?r1=1540&r2=1542&pathrev=1542)
> and it works fine:
>
> $ erl
> Erlang R15B01 (erts-5.9.1) [source] [64-bit] [smp:8:8] [async-threads:0] [kernel-poll:false]
>
> Eshell V5.9.1 (abort with ^G)
> 1> re:compile("(?<=((?2))((?1)))").
> {error,{"lookbehind assertion is not fixed length",16}}
> 2>
>
> Are there any additional test data to try?
>
> Cheers!
> --
> Sergei Golovan
>

--
 --- Inguza Technology AB --- MSc in Information Technology ----
/  o...@inguza.com                    Folkebogatan 26            \
|  o...@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------