| Name | CVE-2015-2305 |
| Description | Integer overflow in the regcomp implementation in the Henry Spencer BSD regex library (aka rxspencer) alpha3.8.g5 on 32-bit platforms, as used in NetBSD through 6.1.5 and other products, might allow context-dependent attackers to execute arbitrary code via a large regular expression that leads to a heap-based buffer overflow. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-233-1, DLA-444-1, DSA-3195-1 |
| Debian Bugs | 778389, 778391, 778392, 778393, 778394, 778397, 778398, 778402, 778403, 778404, 778406, 778408, 778409, 778410, 778412 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| alpine (PTS) | bullseye | 2.24+dfsg1-1 | fixed |
| sid, trixie, bookworm | 2.26+dfsg-1 | fixed |
| clamav (PTS) | bullseye | 0.103.10+dfsg-0+deb11u1 | fixed |
| bookworm | 1.0.5+dfsg-1~deb12u1 | fixed |
| sid, trixie | 1.3.1+dfsg-4 | fixed |
| cups (PTS) | bullseye | 2.3.3op2-3+deb11u6 | fixed |
| bullseye (security) | 2.3.3op2-3+deb11u2 | fixed |
| bookworm | 2.4.2-3+deb12u5 | fixed |
| sid, trixie | 2.4.10-1 | fixed |
| efl (PTS) | bullseye | 1.25.1-1 | fixed |
| bookworm | 1.26.3-1 | fixed |
| sid, trixie | 1.27.0-2 | fixed |
| haskell-regex-posix (PTS) | bullseye | 0.96.0.0-1 | fixed |
| bookworm | 0.96.0.1-1 | fixed |
| sid, trixie | 0.96.0.1-2 | fixed |
| knews (PTS) | bullseye | 1.0b.1-33 | fixed |
| bookworm | 1.0b.1-35 | fixed |
| sid, trixie | 1.0b.1-38 | fixed |
| librcsb-core-wrapper (PTS) | bullseye | 1.005-10 | fixed |
| bookworm | 1.005-11 | fixed |
| sid, trixie | 1.005-11.1 | fixed |
| newlib (PTS) | bullseye | 3.3.0-1 | fixed |
| bookworm | 3.3.0-1.3 | fixed |
| sid, trixie | 4.4.0.20231231-4 | fixed |
| nvi (PTS) | bullseye | 1.81.6-16 | fixed |
| bookworm | 1.81.6-17 | fixed |
| sid, trixie | 1.81.6-22 | fixed |
| radare2 (PTS) | sid, trixie | 5.9.2+dfsg-1 | fixed |
| sma (PTS) | sid, trixie, bookworm, bullseye | 1.4-3.1 | fixed |
| vigor (PTS) | bullseye | 0.016-28 | fixed |
| bookworm | 0.016-30 | fixed |
| sid, trixie | 0.016-33 | fixed |
| yap (PTS) | sid | 6.2.2-6 | fixed |
The information below is based on the following data on fixed versions.
Notes
- olsrd <not-affected> (only when building on Android, see bug #778390)
[jessie] - llvm-toolchain-3.4 <no-dsa> (Minor issue)
[jessie] - llvm-toolchain-3.5 <no-dsa> (Minor issue)
- haskell-regex-posix <not-affected> (only when building on Windows, see bug #778395)
- cups <not-affected> (Local regex copy only used when building on Windows, see #778396)
- z88dk <not-affected> (Local regex copy only used when building on Windows, see bug #778399)
[squeeze] - newlib <no-dsa> (Minor issue)
[wheezy] - newlib <no-dsa> (Minor issue)
[jessie] - yap <no-dsa> (Minor issue)
[squeeze] - yap <no-dsa> (Minor issue)
[wheezy] - yap <no-dsa> (Minor issue)
affected code not built in vnc4, starting with 4.1.1+X4.3.0+t-1 it's a transitional package
- sma <not-affected> (Local regex copy only used when building on Windows, see #778411)
Only exploitable through virusdb updates, which need to be trusted anywaya
- knews <not-affected> (Uses system regex code, see #778401)
[jessie] - radare2 <no-dsa> (Minor issue)
[wheezy] - radare2 <no-dsa> (Minor issue)
- efl <not-affected> (Only used when building on Windows, see #778414)
ptlib uses the regex code from glibc, local fallback code not used
- alpine <not-affected> (alpine uses the regex code from glibc, local fallback code not used, bug #778413)
No security impact in nvi/vigor and openrpt
http://www.kb.cert.org/vuls/id/695940
https://guidovranken.wordpress.com/2015/02/04/full-disclosure-heap-overflow-in-h-spencers-regex-library-on-32-bit-systems/
https://www.openwall.com/lists/oss-security/2015/02/16/8