Hi Sergey

Thank you. I'm convinced. I have now marked wheezy as not affected by CVE-2016-10253.

Best regards

// Ola

On 22 March 2017 at 13:23, Sergei Golovan <sgolo...@nes.ru> wrote:
> Hi Ola,
>
> On Wed, Mar 22, 2017 at 2:55 PM, Ola Lundqvist <o...@inguza.com> wrote:
> > Hi
> >
> > I have not tried to reproduce this myself so I'm not sure.
> >
> > I suggest you also check the source code to see if the vulnerability is
> > there but just some slightly different data.
>
> That's where I've started, and found that Erlang in wheezy uses pretty old
> libpcre (version 7.6), and its sources are very different from the 8.33
> in sid. So, I've tried to find the offending regexp, and seems to find one
> in PCRE sources (as one of the tests). It works fine in wheezy.
>
> >
> > If you are sure wheezy is not vulnerable then we can mark wheezy as not
> > affected by this CVE.
>
> I still can't reliably tell if the regexp I've found is the one which is
> tied to CVE-2006-10253. Or it's another crash in PCRE in Erlang.
>
> There are 4 pull requests which claim to fix some overflows (see
> https://bugs.erlang.org/browse/ERL-208 for the list). The one explicitly
> marked as fixing CVE-2006-10253 (https://github.com/erlang/otp/pull/1384)
> doesn't fix the crash with my regexp. Another patch
> (https://github.com/erlang/otp/pull/1108/files)
> does fix the crash. Also, CVE itself contains a link to the last patch, so
> probably that's it. In this case wheezy isn't vulnerable (backport is, I'll
> deal with it later).
>
> Cheers!
> --
> Sergei Golovan
>

--
 --- Inguza Technology AB --- MSc in Information Technology ----
/  o...@inguza.com                    Folkebogatan 26            \
|  o...@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994  0C36 4FE4 18A1 B1CF 0FE5 3DD9 /
 ---------------------------------------------------------------