Spencer regexp heap overflow?

[Alistair Crooks <agc () pkgsrc org>]

Hi,

We were contacted in retrospect by a researcher about this blog entry
he'd written and published:

        
https://guidovranken.wordpress.com/2015/02/04/full-disclosure-heap-overflow-in-h-spencers-regex-library-on-32-bit-systems/

and I haven't seen anything flying across this list, so I thought I'd
bring it to people's attention here.

There's a fix in NetBSD HEAD for this, and it will flow out to the
release branches in due course.

I have to admit we're having a hard time trying to think of a service
that exposes regcomp(3) over the internet - there's a reason that
Google did re2 for Google code, after all - but I may well be missing
something...

Regards,
Alistair

NetBSD/pkgsrc security