Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 636390 (CVE-2016-10253) - <dev-lang/erlang-19.1: Heap overflow (CVE-2016-10253)
Summary: <dev-lang/erlang-19.1: Heap overflow (CVE-2016-10253)
Alias: CVE-2016-10253
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: B3 [noglsa cve]
Depends on:
Reported: 2017-11-03 15:30 UTC by Christopher Díaz Riveros (RETIRED)
Modified: 2018-03-28 19:12 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-11-03 15:30:25 UTC

An issue was discovered in Erlang/OTP 18.x. Erlang's generation of compiled regular expressions is vulnerable to a heap overflow. Regular expressions using a malformed extpattern can indirectly specify an offset that is used as an array index. This ordinal permits arbitrary regions within the erts_alloc arena to be both read and written to.

@Maintainers please clean 18.x.

Thank you
Comment 1 Pacho Ramos gentoo-dev 2018-02-06 08:48:32 UTC
this is maintainer-needed... hence, feel free to remove the offending versions if you want
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2018-03-25 20:35:01 UTC

GLSA Vote: No
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2018-03-25 21:09:04 UTC
too many revedps on 18.x that caused breakage.  re-opened until cleanup can properly occur.
Comment 4 Pacho Ramos gentoo-dev 2018-03-28 19:01:14 UTC
all should be handled (cleaned) now
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2018-03-28 19:12:37 UTC
(In reply to Pacho Ramos from comment #4)
> all should be handled (cleaned) now

Thanks, Pacho!