[Pkg-gauche-devel] backport of number parsing bug

Jens Thiele karme at karme.de
Fri Feb 4 08:24:33 UTC 2011


NIIBE Yutaka <gniibe at fsij.org> writes:

> Thanks for your notification.
>
> 2011-02-03 15:47, Jens Thiele wrote:
>> any chance to get that into squeeze?
>
> Sorry, I don't think I can do that, given the release status of
> Debian.

Maybe this should be fixed via Debian security?

> I'd understand that the parsing bug would cause severe impacts to
> applications, say, some sort of DoS attacks.  As far as I know, Debian
> doesn't include such an application written in Gauche.  For a while,
> it is application writer's responsibility to work around this bug.

Hmm - wiliki is a good candidate. It uses x->integer to parse cgi
parameters. Note: (x->integer "2.2250738585072012e-308") hangs, too.

Example to hang wiliki:
.../cgi-bin/wiliki.cgi?c=hd&t=2.2250738585072012e-308

I really think this should be fixed in the gauche package.


How do/did the PHP and Java packagers handle this?

Looks like the PHP lenny9 package "doesn't appear to be affected, for a
reason still unknown." [0] and for squeeze it was fixed on Wed, 05 Jan
2011 11:06:20 +0100.

The Java problem probably is still too "new".

jens

[0] http://security-tracker.debian.org/tracker/CVE-2010-4645
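The application-side work-around NIIBE refers to, as an added example that is not part of the thread and not wiliki's or Gauche's code (Python stands in for Gauche here): treat a CGI parameter as an integer only if it is an optional sign followed by decimal digits, so float syntax like the value quoted above never reaches a general number parser. The fall-back to a default of 0 for a non-integer parameter is an assumption about how such an application would behave, not documented x->integer semantics.

```python
import re
from urllib.parse import parse_qs

# Constructed sample: the input from the thread that hangs x->integer
# (the same value that triggered the PHP/Java float-parsing bugs).
HANG_INPUT = "2.2250738585072012e-308"

# Allow-list: optional sign, then decimal digits only.  A '.', an exponent
# marker, a radix prefix or whitespace makes the whole value non-integer.
_STRICT_INT = re.compile(r"[-+]?[0-9]+")


def parse_cgi_integer(value, default=0, max_digits=32):
    """Return the integer encoded by a query parameter, or `default`.

    The value is validated against the allow-list before any conversion,
    and `max_digits` bounds the work spent on very long digit strings.
    """
    if value is None or not _STRICT_INT.fullmatch(value):
        return default
    if len(value.lstrip("+-")) > max_digits:
        return default
    return int(value, 10)


def cgi_int_param(query, name, default=0):
    """Look up `name` in a raw query string (e.g. 'c=hd&t=...') and parse it."""
    values = parse_qs(query, keep_blank_values=True).get(name)
    if not values:
        return default
    return parse_cgi_integer(values[0], default)


if __name__ == "__main__":
    # The request from the thread: the 't' parameter is rejected, not parsed.
    print(cgi_int_param("c=hd&t=" + HANG_INPUT, "t"))
    print(cgi_int_param("c=hd&t=12", "t"))
```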


