
update: re2c #1098

Closed
dongsupark opened this issue Jun 27, 2023 · 4 comments · Fixed by flatcar/scripts#2227
Labels: advisory/only-sdk (affects only Flatcar SDK), advisory (security advisory), security (security concerns)

Comments

@dongsupark
Member

dongsupark commented Jun 27, 2023

Name: re2c
CVEs: CVE-2022-23901
CVSSs: 9.8
Action Needed: update to >= 3.1

Summary: A stack overflow in re2c 2.2 exists due to infinite recursion issues in src/dfa/dead_rules.cc.

Note, even if it only says re2c 2.2, re2c 2.0.3 in Flatcar still looks affected.

As re2c is only included in the SDK, it has LOW severity.

refmap.gentoo: https://bugs.gentoo.org/836372

@dongsupark dongsupark added the labels security (security concerns), advisory (security advisory), advisory/upstream-blocked (blocked by upstream projects) and advisory/only-sdk (affects only Flatcar SDK) on Jun 27, 2023
@dongsupark dongsupark moved this from 📝 Needs Triage to ⏳ Long Term in Flatcar tactical, release planning, and roadmap Jun 27, 2023
@sayanchowdhury
Member

Upstream PR: gentoo/gentoo#32679

@dongsupark
Member Author

Upstream bumped re2c to 3.1.
Interesting, PR of @sayanchowdhury is still open.

@sayanchowdhury
Member

Seems like it fell off the radar: gentoo/gentoo#32679 (comment)

@dongsupark
Member Author

> Seems like it fell off the radar: gentoo/gentoo#32679 (comment)

Yes, and they reimplemented it in a PR and merged it as a commit. So we just need to update to 3.1.
Weekly updates are already syncing re2c. Flatcar does not have the new version just because 3.1 is still unstable.
Well, after all it is an SDK-only package.

2 participants