On Fri, Nov 04, 2011, Johan Ryberg wrote:
> Hi
>
> Just read this: http://securityreason.com/achievement_securityalert/102
>
> Claiming that OpenBSD 5.0 is affected
>
> Is it?
"Red Hat does not consider crash of client application, using regcomp() or regexec() routines on untrusted input without preliminary checking the input for the sanity, to be a security issue."

I am, to some extent, inclined to agree. glob() has similar problems which have been fixed because it's frequently used with naughty inputs. regcomp() is different, I think. libc is really not the right layer to be doing input validation. This is a bug in proftpd more than anything else IMO.
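The application-layer sanity check the reply argues for, as an added example that is not code from this thread, from OpenBSD libc or from proftpd: the length and nesting limits and the helper names are assumptions, chosen to show the idea rather than to match any particular program.

```c
#include <regex.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical limits (assumptions, not values from the thread). */
#define MAX_PATTERN_LEN   256
#define MAX_PAREN_DEPTH   8

/* Return 0 if the pattern passes the check, -1 otherwise.
 * Bounds length, requires balanced parentheses and caps nesting depth,
 * so the application decides what it hands to regcomp().
 * Conservative: a '(' inside a bracket expression such as [(] is counted too. */
int pattern_is_sane(const char *pat)
{
    size_t len = strlen(pat);
    int depth = 0, max_depth = 0;

    if (len == 0 || len > MAX_PATTERN_LEN)
        return -1;
    for (size_t i = 0; i < len; i++) {
        if (pat[i] == '\\') { i++; continue; }          /* skip escaped char (ERE) */
        if (pat[i] == '(') { if (++depth > max_depth) max_depth = depth; }
        else if (pat[i] == ')') { if (--depth < 0) return -1; }
    }
    if (depth != 0 || max_depth > MAX_PAREN_DEPTH)
        return -1;
    return 0;
}

/* Validate first, then compile. Returns regcomp()'s code, or -1 if the
 * pattern was rejected before regcomp() ever saw it. */
int checked_regcomp(regex_t *re, const char *pat, int cflags)
{
    if (pattern_is_sane(pat) != 0)
        return -1;
    return regcomp(re, pat, cflags);
}

/* Compile, match and free: 1 = match, 0 = no match, -1 = rejected or compile error. */
int checked_match(const char *pat, const char *subject)
{
    regex_t re;
    int rc = checked_regcomp(&re, pat, REG_EXTENDED | REG_NOSUB);

    if (rc != 0)
        return -1;
    rc = regexec(&re, subject, 0, NULL, 0);
    regfree(&re);
    return rc == 0 ? 1 : 0;
}
```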