[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Wheezy update of erlang?

Hi Sergey

Thank you. I'm convinced. I have now marked wheezy as not affected by CVE-2016-10253.

Best regards

// Ola

On 22 March 2017 at 13:23, Sergei Golovan <sgolovan@nes.ru> wrote:
Hi Ola,

On Wed, Mar 22, 2017 at 2:55 PM, Ola Lundqvist <ola@inguza.com> wrote:
> Hi
> I have not tried to reproduce this myself so I'm not sure.
> I suggest you also check the source code to see if the vulnerability is
> there but just some slightly different data.

That's where I've started, and found that Erlang in wheezy uses pretty old
libpcre (version 7.6), and its sources are very different from the 8.33
in sid. So, I've tried to find the offending regexp, and seems to find one
in PCRE sources (as one of the tests). It works fine in wheezy.

> If you are sure wheezy is not vulnerable then we can mark wheezy as not
> affected by this CVE.

I still can't reliably tell if the regexp I've found is the one which is tied to
CVE-2006-10253. Or it's another crash in PCRE in Erlang.

There are 4 pull requests which claim to fix some overflows (see
https://bugs.erlang.org/browse/ERL-208 for the list). The one explicitly
marked as fixing CVE-2006-10253 (https://github.com/erlang/otp/pull/1384)
doesn't fix the crash with my regexp. Another patch
does fix the crash. Also, CVE itself contains a link to the last patch, so
probably that's it. In this case wheezy isn't vulnerable (backport is, I'll
deal with it later).

Sergei Golovan

 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola@inguza.com                    Folkebogatan 26            \
|  opal@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /

Reply to: