[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Flex security update: RCE in generated code (CVE-2016-6354)
|
From: |
Ludovic Courtès |
|
Subject: |
Re: Flex security update: RCE in generated code (CVE-2016-6354) |
|
Date: |
Sat, 27 Aug 2016 23:48:10 +0200 |
|
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux) |
Hello!
Leo Famulari <address@hidden> skribis:
> On Fri, Aug 26, 2016 at 06:14:26PM -0400, Leo Famulari wrote:
>> Subject: [PATCH] gnu: flex: Fix CVE-2016-6354.
>>
>> * gnu/packages/flex.scm (flex)[replacement]: New field.
>> (flex/fixed): New variable.
>> * gnu/packages/patches/flex-CVE-2016-6354.patch: New file.
>> * gnu/local.mk (dist_patch_DATA): Add it.
>
> As Mark pointed out on #guix, bugs in flex's generated code can not be
> addressed with a graft.
Indeed. We should add this patch to ‘core-updates’ and start building
it (I haven’t checked the status of the various branches, though.)
> Also, the upstream tarballs that we build from often contain code
> generated by flex.
Yes, and finding out which tarballs contain vulnerable lexers (or
contain Flex-generated stuff at all) sounds difficult.
Maybe people have developed scripts to help with that?
Thanks,
Ludo’.