636390 – (CVE-2016-10253) <dev-lang/erlang-19.1: Heap overflow (CVE-2016-10253)

Bug 636390 (CVE-2016-10253) - <dev-lang/erlang-19.1: Heap overflow (CVE-2016-10253)

Summary: <dev-lang/erlang-19.1: Heap overflow (CVE-2016-10253)

Status:	RESOLVED FIXED

Alias:	CVE-2016-10253

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	B3 [noglsa cve]
Keywords:

Depends on:
Blocks:

Reported:	2017-11-03 15:30 UTC by Christopher Díaz Riveros (RETIRED)
Modified:	2018-03-28 19:12 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Christopher Díaz Riveros (RETIRED) gentoo-dev

2017-11-03 15:30:25 UTC

CVE-2016-10253

An issue was discovered in Erlang/OTP 18.x. Erlang's generation of compiled regular expressions is vulnerable to a heap overflow. Regular expressions using a malformed extpattern can indirectly specify an offset that is used as an array index. This ordinal permits arbitrary regions within the erts_alloc arena to be both read and written to.

@Maintainers please clean 18.x.

Thank you

Comment 1 Pacho Ramos gentoo-dev

2018-02-06 08:48:32 UTC

this is maintainer-needed... hence, feel free to remove the offending versions if you want

Comment 2 Aaron Bauman (RETIRED) gentoo-dev

2018-03-25 20:35:01 UTC

cleaned.

GLSA Vote: No

Comment 3 Aaron Bauman (RETIRED) gentoo-dev

2018-03-25 21:09:04 UTC

too many revedps on 18.x that caused breakage.  re-opened until cleanup can properly occur.

Comment 4 Pacho Ramos gentoo-dev

2018-03-28 19:01:14 UTC

all should be handled (cleaned) now

Comment 5 Aaron Bauman (RETIRED) gentoo-dev

2018-03-28 19:12:37 UTC

(In reply to Pacho Ramos from comment #4)
> all should be handled (cleaned) now

Thanks, Pacho!