Martin Pitt wrote:
Every nontrivial package contains a makefile or a build script, so it executes arbitrary code anyway. The only semi-realistic threat is when somebody sets up a teaching site, where anybody can submit a program for syntax checking.
Looking at the description, I see that the problem is due to the line:
*YY_G(yy_state_ptr)++ = yy_current_state;
A similar line is present in flex scanners generated with older flex versions, but only if the scanner uses REJECT rules.
AFAICS the GPC scanner does not have this problem: `pascal-lex.c' does not contain `yy_state_ptr'.
ATM I see no need.
Waldek Hebisch wrote:
Of course, strictly speaking, Martin is right, but for practical purposes I agree with Waldek.
Yes, I avoided REJECT because of the performance penalty. So if that's all that's affected (I still get a 500 on the above page, and I haven't searched again now), then we have no problem anyway.
Still, it might be useful to install 2.5.33 on one's system if one also builds other packages which might use flex and perhaps contain REJECT. Anyway, I'll test with 2.5.33 now, and you can test with another version, if you prefer.
Frank
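The check Waldek describes (look in the generated scanner for `yy_state_ptr`, which only appears when the scanner uses REJECT) can be scripted so it is easy to run over every flex-generated file in a source tree. The script below is an added example written for this thread; it is not GPC code and not part of flex. It assumes only what the thread states: that `yy_state_ptr` marks the REJECT state stack in generated scanners, and that `REJECT` in a `.l` file is what causes it to be emitted. The sample files it scans are constructed in a temporary directory, not real GPC sources.

```shell
#!/bin/sh
# Added example: detect flex-generated scanners that carry the REJECT
# state stack (the yy_state_ptr buffer named in the thread). A scanner
# without yy_state_ptr, like pascal-lex.c as described above, is not
# built with REJECT and is therefore outside the scope of that report.

# Return 0 if FILE (a generated scanner .c) contains the REJECT state stack.
uses_reject_stack() {
    grep -q 'yy_state_ptr' "$1"
}

# Return 0 if FILE (a flex .l source) uses the REJECT action.
# -w matches REJECT as a whole word so names like REJECTED are ignored.
source_uses_reject() {
    grep -qw 'REJECT' "$1"
}

# Print a one-line verdict for a generated scanner; always returns 0 so it
# can be used under set -e. Use uses_reject_stack for the exit status.
classify_scanner() {
    if uses_reject_stack "$1"; then
        echo "affected: $1 contains yy_state_ptr (REJECT state stack)"
    else
        echo "clean: $1 has no yy_state_ptr"
    fi
    return 0
}

# Scan every *.l and every *-lex.c / lex.yy.c below a directory.
scan_tree() {
    find "$1" -name '*.l' -o -name '*-lex.c' -o -name 'lex.yy.c' |
    while read -r f; do
        case "$f" in
            *.l) if source_uses_reject "$f"; then
                     echo "source uses REJECT: $f"
                 fi ;;
            *)   classify_scanner "$f" ;;
        esac
    done
}

# --- constructed sample inputs (not real GPC or flex files) ---
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

# Fragment resembling a REJECT-enabled scanner (constructed).
cat > "$TMP/reject-lex.c" <<'EOF'
static yy_state_type *yy_state_ptr = 0;
*yy_state_ptr++ = yy_current_state;
EOF

# Fragment resembling a scanner without the state stack (constructed).
cat > "$TMP/plain-lex.c" <<'EOF'
yy_current_state = yy_start;
yy_current_state = yy_nxt[yy_base[yy_current_state] + yy_c];
EOF

# A .l source that uses REJECT and one that does not (both constructed).
printf '%%%%\nfoo  { REJECT; }\n' > "$TMP/reject.l"
printf '%%%%\nfoo  { return FOO; }\n' > "$TMP/plain.l"

scan_tree "$TMP"
```

Run it from the top of a source tree to get one line per scanner; anything reported as "affected" is a scanner that was generated with REJECT and should be regenerated with the flex version you are standardising on (2.5.33 in the thread). The `.l` check is the complementary view: it tells you which inputs will produce a `yy_state_ptr` scanner the next time flex runs, even if the checked-in `.c` file is currently clean.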