Bug 636390 (CVE-2016-10253)

Summary: <dev-lang/erlang-19.1: Heap overflow (CVE-2016-10253)
Product: Gentoo Security
Reporter: Christopher Díaz Riveros (RETIRED) <chrisadr>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: maintainer-needed
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B3 [noglsa cve]
Package list:
Runtime testing required: ---

Description Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-11-03 15:30:25 UTC
CVE-2016-10253

An issue was discovered in Erlang/OTP 18.x. Erlang's generation of compiled regular expressions is vulnerable to a heap overflow. Regular expressions using a malformed extpattern can indirectly specify an offset that is used as an array index. This ordinal permits arbitrary regions within the erts_alloc arena to be both read and written to.

@Maintainers please clean 18.x.

Thank you
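The summary line expresses the affected range as a Gentoo package atom, `<dev-lang/erlang-19.1`, i.e. every version below 19.1 is affected. The following is an added example (not part of this bug, and not Gentoo's own portage tooling) of how an inventory or audit script can evaluate such an atom against installed package versions. It assumes a simplified version grammar (dotted numeric components plus an optional `-rN` revision), and the installed package list is a constructed sample.

```python
import re
from itertools import zip_longest

# Affected-range atom taken from this bug's summary line.
AFFECTED_ATOM = "<dev-lang/erlang-19.1"

# Constructed sample of installed category/package-version strings (hypothetical host).
SAMPLE_INSTALLED = [
    "dev-lang/erlang-18.3.4.7",
    "dev-lang/erlang-19.1",
    "dev-lang/erlang-20.3-r1",
    "dev-lang/erlang-18.2.1-r2",
    "dev-lang/python-2.7.14",
]

# Atom grammar (simplified): operator, category/package, then a version starting with a digit.
ATOM_RE = re.compile(
    r"^(?P<op><=|>=|<|>|=)(?P<cat>[^/]+)/(?P<pn>[A-Za-z0-9+_-]+?)-(?P<ver>\d[\w.-]*)$"
)


def parse_atom(atom):
    """Split an atom such as '<dev-lang/erlang-19.1' into (op, 'cat/pn', version)."""
    m = ATOM_RE.match(atom)
    if not m:
        raise ValueError(f"unsupported atom: {atom!r}")
    return m.group("op"), f"{m.group('cat')}/{m.group('pn')}", m.group("ver")


def parse_version(ver):
    """Assumption: versions are dotted integers with an optional '-rN' revision suffix."""
    base, _, rev = ver.partition("-r")
    parts = tuple(int(p) for p in base.split("."))
    return parts, (int(rev) if rev else 0)


def compare_versions(a, b):
    """Return -1, 0 or 1; missing trailing components count as 0 (19.1 == 19.1.0)."""
    (pa, ra), (pb, rb) = parse_version(a), parse_version(b)
    for x, y in zip_longest(pa, pb, fillvalue=0):
        if x != y:
            return -1 if x < y else 1
    return (ra > rb) - (ra < rb)


# Map each atom operator onto the sign of compare_versions(installed, bound).
OPS = {
    "<": lambda c: c < 0,
    "<=": lambda c: c <= 0,
    ">": lambda c: c > 0,
    ">=": lambda c: c >= 0,
    "=": lambda c: c == 0,
}


def is_affected(installed_cpv, atom=AFFECTED_ATOM):
    """True when an installed 'cat/pn-ver' string falls inside the atom's range."""
    op, pkg, bound = parse_atom(atom)
    _, ipkg, iver = parse_atom("=" + installed_cpv)  # reuse the parser with a dummy '=' op
    if ipkg != pkg:
        return False  # different package entirely, e.g. dev-lang/python
    return OPS[op](compare_versions(iver, bound))


def affected_installs(installed, atom=AFFECTED_ATOM):
    """Filter a list of installed cat/pn-ver strings down to those matching the atom."""
    return [cpv for cpv in installed if is_affected(cpv, atom)]


if __name__ == "__main__":
    for cpv in affected_installs(SAMPLE_INSTALLED):
        print(f"{cpv}: matches {AFFECTED_ATOM}")
```

On the sample list only the two 18.x entries are reported; 19.1 itself is the first fixed version and is not matched by `<`. Real Gentoo versions can also carry letter and `_p`/`_rc` suffixes that this simplified comparator does not model.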
Comment 1 Pacho Ramos gentoo-dev 2018-02-06 08:48:32 UTC
This is maintainer-needed... hence, feel free to remove the offending versions if you want.
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2018-03-25 20:35:01 UTC
Cleaned.

GLSA Vote: No
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2018-03-25 21:09:04 UTC
Too many revdeps on 18.x that caused breakage. Re-opened until cleanup can properly occur.
Comment 4 Pacho Ramos gentoo-dev 2018-03-28 19:01:14 UTC
All should be handled (cleaned) now.
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2018-03-28 19:12:37 UTC
(In reply to Pacho Ramos from comment #4)
> all should be handled (cleaned) now

Thanks, Pacho!