CVE-2015-2305

NameCVE-2015-2305
DescriptionInteger overflow in the regcomp implementation in the Henry Spencer BSD regex library (aka rxspencer) alpha3.8.g5 on 32-bit platforms, as used in NetBSD through 6.1.5 and other products, might allow context-dependent attackers to execute arbitrary code via a large regular expression that leads to a heap-based buffer overflow.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
ReferencesDLA-233-1, DLA-444-1, DSA-3195-1
Debian Bugs778389, 778391, 778392, 778393, 778394, 778397, 778398, 778402, 778403, 778404, 778406, 778408, 778409, 778410, 778412

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
alpine (PTS)buster2.21+dfsg1-1.1fixed
bullseye2.24+dfsg1-1fixed
bookworm, sid2.26+dfsg-1fixed
clamav (PTS)buster0.103.6+dfsg-0+deb10u1fixed
bullseye0.103.7+dfsg-0+deb11u1fixed
bookworm, sid0.103.7+dfsg-1fixed
cups (PTS)buster, buster (security)2.2.10-6+deb10u6fixed
bullseye (security), bullseye2.3.3op2-3+deb11u2fixed
bookworm, sid2.4.2-1fixed
efl (PTS)buster1.21.1-5fixed
bullseye1.25.1-1fixed
bookworm, sid1.26.3-1fixed
haskell-regex-posix (PTS)buster0.95.2-11fixed
bookworm, bullseye0.96.0.0-1fixed
sid0.96.0.1-1fixed
knews (PTS)buster1.0b.1-32fixed
bullseye1.0b.1-33fixed
bookworm, sid1.0b.1-34fixed
librcsb-core-wrapper (PTS)buster1.005-6fixed
bookworm, sid, bullseye1.005-10fixed
llvm-toolchain-snapshot (PTS)sid1:15~++20220625103012+3d37e785c77a-1~exp1fixed
newlib (PTS)buster3.1.0.20181231-1fixed
bullseye3.3.0-1fixed
bookworm, sid3.3.0-1.3fixed
nvi (PTS)buster1.81.6-15fixed
bullseye1.81.6-16fixed
bookworm, sid1.81.6-17fixed
olsrd (PTS)buster0.6.6.2-1fixed
openrpt (PTS)buster3.3.14-2vulnerable
radare2 (PTS)sid5.5.0+dfsg-1fixed
sma (PTS)buster1.4-3fixed
bookworm, sid, bullseye1.4-3.1fixed
vigor (PTS)buster0.016-27fixed
bullseye0.016-28fixed
bookworm, sid0.016-29fixed
vnc4 (PTS)buster4.1.1+X4.3.0+t-1fixed
yap (PTS)sid6.2.2-6fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
alpinesource(unstable)(not affected)
clamavsourcesqueeze0.98.7+dfsg-0+deb6u1
clamavsourcewheezy0.98.7+dfsg-0+deb7u1
clamavsourcejessie0.98.7+dfsg-0+deb8u1
clamavsource(unstable)0.98.7+dfsg-1unimportant778406
cupssource(unstable)(not affected)
eflsource(unstable)(not affected)
haskell-regex-posixsource(unstable)(not affected)
knewssource(unstable)(not affected)
librcsb-core-wrappersource(unstable)1.005-3778397
llvm-toolchain-3.4source(unstable)(unfixed)low778391
llvm-toolchain-3.5source(unstable)1:3.5.2-2low778392
llvm-toolchain-3.6source(unstable)1:3.6-1778393
llvm-toolchain-3.7source(unstable)1:3.7~+rc3-1
llvm-toolchain-snapshotsource(unstable)1:3.8~svn245286-1778394
newlibsource(unstable)2.0.0-1778408
nvisource(unstable)1.81.6-13unimportant778412
olsrdsource(unstable)(not affected)
openrptsource(unstable)(unfixed)unimportant778398
php5sourcesqueeze5.3.3.1-7+squeeze29DLA-444-1
php5sourcewheezy5.4.38-0+deb7u1DSA-3195-1
php5source(unstable)5.6.6+dfsg-1low778389
ptlibsource(unstable)(unfixed)unimportant778404
radare2source(unstable)0.10.5+dfsg-1low778402
smasource(unstable)(not affected)
vigorsourcewheezy0.016-19+deb7u1
vigorsource(unstable)0.016-24unimportant778409
vnc4source(unstable)4.1.1+X4.3.0+t-1unimportant778403
yapsource(unstable)6.2.2-3low778410
z88dksource(unstable)(not affected)

Notes

- olsrd <not-affected> (only when building on Android, see bug #778390)
[jessie] - llvm-toolchain-3.4 <no-dsa> (Minor issue)
[jessie] - llvm-toolchain-3.5 <no-dsa> (Minor issue)
- haskell-regex-posix <not-affected> (only when building on Windows, see bug #778395)
- cups <not-affected> (Local regex copy only used when building on Windows, see #778396)
- z88dk <not-affected> (Local regex copy only used when building on Windows, see bug #778399)
[squeeze] - newlib <no-dsa> (Minor issue)
[wheezy] - newlib <no-dsa> (Minor issue)
[jessie] - yap <no-dsa> (Minor issue)
[squeeze] - yap <no-dsa> (Minor issue)
[wheezy] - yap <no-dsa> (Minor issue)
affected code not built in vnc4, starting with 4.1.1+X4.3.0+t-1 it's a transitional package
- sma <not-affected> (Local regex copy only used when building on Windows, see #778411)
Only exploitable through virusdb updates, which need to be trusted anywaya
- knews <not-affected> (Uses system regex code, see #778401)
[jessie] - radare2 <no-dsa> (Minor issue)
[wheezy] - radare2 <no-dsa> (Minor issue)
- efl <not-affected> (Only used when building on Windows, see #778414)
ptlib uses the regex code from glibc, local fallback code not used
- alpine <not-affected> (alpine uses the regex code from glibc, local fallback code not used, bug #778413)
No security impact in nvi/vigor and openrpt
http://www.kb.cert.org/vuls/id/695940
https://guidovranken.wordpress.com/2015/02/04/full-disclosure-heap-overflow-in-h-spencers-regex-library-on-32-bit-systems/
https://www.openwall.com/lists/oss-security/2015/02/16/8

Search for package or bug name: Reporting problems