CVE-2022-23901: A stack overflow re2c 2.2 exists due to infinite recursion issues in src/dfa/dead_rules.cc. Patches in 3.0: https://github.com/skvadrik/re2c/commit/a3473fd7be829cb33907cb08612f955133c70a96 https://github.com/skvadrik/re2c/commit/039c18949190c5de5397eba504d2c75dad2ea9ca
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a2aa8ccd3c1522c88386de4904d4bf77fcafb0d8 commit a2aa8ccd3c1522c88386de4904d4bf77fcafb0d8 Author: Christopher Fore <csfore@posteo.net> AuthorDate: 2024-01-07 00:35:48 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2024-01-20 13:27:19 +0000 dev-util/re2c: add 3.1, security bump [sam: Add explicit --enable-rust like for Go. It's already on by default though.] Bug: https://bugs.gentoo.org/836372 Signed-off-by: Christopher Fore <csfore@posteo.net> Closes: https://github.com/gentoo/gentoo/pull/34681 Signed-off-by: Sam James <sam@gentoo.org> dev-util/re2c/Manifest | 1 + dev-util/re2c/re2c-3.1.ebuild | 41 +++++++++++++++++++++++++++++++++++++++++ 2 files changed, 42 insertions(+)
Someone else submitted an earlier PR but a missing tag made it go unnoticed. :(
