
Re: Wheezy update of erlang?



Hi

I have not tried to reproduce this myself so I'm not sure.

I suggest you also check the source code to see if the vulnerability is there but just with some slightly different data.

If you are sure wheezy is not vulnerable then we can mark wheezy as not affected by this CVE.

Best regards

// Ola

On 22 March 2017 at 12:00, Sergei Golovan <sgolovan@nes.ru> wrote:
Hi Ola,

On Tue, Mar 21, 2017 at 10:27 PM, Ola Lundqvist <ola@inguza.com> wrote:
> Hi
>
> Great. Let us know when you have a package prepared (package and debdiff for
> us to check) so we can coordinate the upload with issuing the DLA.

On the other hand, are you sure that erlang 1:15.b.1-dfsg-4+deb7u1 (which is
in wheezy currently) is actually vulnerable? I've tried to compile the regular
expression which crashes the modern Erlang interpreter (taken from
https://vcs.pcre.org/pcre/code/trunk/testdata/testoutput2?r1=1540&r2=1542&pathrev=1542)
and it works fine:

$ erl
Erlang R15B01 (erts-5.9.1) [source] [64-bit] [smp:8:8]
[async-threads:0] [kernel-poll:false]

Eshell V5.9.1  (abort with ^G)
1> re:compile("(?<=((?2))((?1)))").
{error,{"lookbehind assertion is not fixed length",16}}
2>

Are there any additional test data to try?

Cheers!
--
Sergei Golovan



--
 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola@inguza.com                    Folkebogatan 26            \
|  opal@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------

