Your message dated Sat, 28 Mar 2026 08:34:00 +0000
with message-id <[email protected]>
and subject line Bug#1128782: fixed in re2c 4.5.1-1
has caused the Debian Bug report #1128782,
regarding re2c: CVE-2026-2903
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1128782: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128782
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: re2c
Version: 4.4-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/skvadrik/re2c/issues/571
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for re2c.
CVE-2026-2903[0]:
| A flaw has been found in skvadrik re2c up to 4.4. Impacted is the
| function check_and_merge_special_rules of the file src/parse/ast.cc.
| This manipulation causes null pointer dereference. The attack can
| only be executed locally. The exploit has been published and may be
| used. Patch name: febeb977936f9519a25d9fbd10ff8256358cdb97. It is
| suggested to install a patch to address this issue.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-2903
https://www.cve.org/CVERecord?id=CVE-2026-2903
[1] https://github.com/skvadrik/re2c/issues/571
[2] https://github.com/skvadrik/re2c/commit/febeb977936f9519a25d9fbd10ff8256358cdb97
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: re2c
Source-Version: 4.5.1-1
Done: Jeroen Ploemen <[email protected]>
We believe that the bug you reported is fixed in the latest version of
re2c, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jeroen Ploemen <[email protected]> (supplier of updated re2c package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 28 Mar 2026 08:16:29 +0000
Source: re2c
Built-For-Profiles: noudeb
Architecture: source
Version: 4.5.1-1
Distribution: unstable
Urgency: medium
Maintainer: Jeroen Ploemen <[email protected]>
Changed-By: Jeroen Ploemen <[email protected]>
Closes: 1047901 1128782
Changes:
re2c (4.5.1-1) unstable; urgency=medium
.
* New upstream version 4.5.1:
+ fixes the null pointer dereference issue tracked as CVE-2026-2903.
(Closes: #1128782)
* Clean: include some files under bootstrap/src/parse to fix building
the source package after a successful build of the binary package.
(Closes: #1047901, again)
* Control: remove redundant Priority field.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---