
Re: Flex security update: RCE in generated code (CVE-2016-6354)

From: Ludovic Courtès
Subject: Re: Flex security update: RCE in generated code (CVE-2016-6354)
Date: Sat, 27 Aug 2016 23:48:10 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)


Leo Famulari <address@hidden> writes:

> On Fri, Aug 26, 2016 at 06:14:26PM -0400, Leo Famulari wrote:
>> Subject: [PATCH] gnu: flex: Fix CVE-2016-6354.
>> * gnu/packages/flex.scm (flex)[replacement]: New field.
>> (flex/fixed): New variable.
>> * gnu/packages/patches/flex-CVE-2016-6354.patch: New file.
>> * gnu/ (dist_patch_DATA): Add it.
> As Mark pointed out on #guix, bugs in flex's generated code can not be
> addressed with a graft.

Indeed.  We should add this patch to ‘core-updates’ and start building
it (I haven’t checked the status of the various branches, though.)

> Also, the upstream tarballs that we build from often contain code
> generated by flex.

Yes, and finding out which tarballs contain vulnerable lexers (or
contain Flex-generated stuff at all) sounds difficult.

Maybe people have developed scripts to help with that?
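
One way such a script could look, as an added example that is not part of the original message and not Guix or Flex code: it reads a source tarball without unpacking it and reports every file carrying the `FLEX_SCANNER` and `YY_FLEX_*_VERSION` macros that flex writes into generated scanners. The function names, the suffix list, and the sample tarball (including its version number) are constructed for illustration; which flex versions are affected has to come from the upstream advisory.

```python
import io
import re
import tarfile

# Macros that flex writes into every scanner it generates.
MARKER = re.compile(rb"^\s*#\s*define\s+FLEX_SCANNER\b", re.M)
VERSION = re.compile(
    rb"^\s*#\s*define\s+YY_FLEX_(MAJOR|MINOR|SUBMINOR)_VERSION\s+(\d+)", re.M)
SOURCE_SUFFIXES = (".c", ".cc", ".cpp", ".cxx", ".h", ".hh", ".hpp")  # assumption

def flex_version(data):
    """Return (major, minor, subminor) if data is flex output, else None.
    Fields the scanner does not define come back as None."""
    if not MARKER.search(data):
        return None
    found = {name: int(num) for name, num in VERSION.findall(data)}
    return tuple(found.get(k) for k in (b"MAJOR", b"MINOR", b"SUBMINOR"))

def scan_tarball(fileobj):
    """Yield (member name, version tuple) for each generated lexer found."""
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            if not member.isfile() or not member.name.endswith(SOURCE_SUFFIXES):
                continue
            # Members are read in memory only; nothing is extracted to disk.
            version = flex_version(tar.extractfile(member).read())
            if version is not None:
                yield member.name, version

def sample_tarball():
    """Constructed input: one flex-style scanner header and one plain C file."""
    lexer = (b"#define FLEX_SCANNER\n#define YY_FLEX_MAJOR_VERSION 2\n"
             b"#define YY_FLEX_MINOR_VERSION 5\n"
             b"#define YY_FLEX_SUBMINOR_VERSION 39\n")
    files = {"pkg-1.0/src/lexer.c": lexer, "pkg-1.0/src/main.c": b"int x;\n"}
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for name, version in scan_tarball(sample_tarball()):
        print(name, version)
```

For a real tarball, pass `open(path, "rb")` to `scan_tarball`; a hit only shows that generated code is present and which flex produced it, so the reported version still has to be compared against the advisory.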

