CVE-2015-2305

NameCVE-2015-2305
DescriptionInteger overflow in the regcomp implementation in the Henry Spencer BSD regex library (aka rxspencer) alpha3.8.g5 on 32-bit platforms, as used in NetBSD through 6.1.5 and other products, might allow context-dependent attackers to execute arbitrary code via a large regular expression that leads to a heap-based buffer overflow.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-233-1, DLA-444-1, DSA-3195-1
NVD severitymedium
Debian Bugs778389, 778391, 778392, 778393, 778394, 778397, 778398, 778402, 778403, 778404, 778406, 778408, 778409, 778410, 778412

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
alpine (PTS)stretch2.20+dfsg1-7fixed
buster2.21+dfsg1-1.1fixed
bullseye, sid2.24+dfsg1-1fixed
clamav (PTS)stretch0.102.3+dfsg-0~deb9u1fixed
stretch (security)0.102.4+dfsg-0+deb9u1fixed
buster0.102.4+dfsg-0+deb10u1fixed
bullseye, sid0.102.4+dfsg-1fixed
cups (PTS)stretch2.2.1-8+deb9u6fixed
stretch (security)2.2.1-8+deb9u2fixed
buster2.2.10-6+deb10u3fixed
bullseye, sid2.3.3-3fixed
efl (PTS)stretch1.8.6-2.5fixed
buster1.21.1-5fixed
bullseye1.24.3-5fixed
sid1.25.1-1fixed
haskell-regex-posix (PTS)stretch0.95.2-9fixed
buster0.95.2-11fixed
bullseye, sid0.96.0.0-1fixed
knews (PTS)stretch1.0b.1-31fixed
bullseye, sid, buster1.0b.1-32fixed
librcsb-core-wrapper (PTS)stretch1.005-4fixed
buster1.005-6fixed
sid1.005-8fixed
llvm-toolchain-3.7 (PTS)stretch1:3.7.1-5fixed
newlib (PTS)stretch2.4.0.20160527-2fixed
buster3.1.0.20181231-1fixed
bullseye, sid3.3.0-1fixed
nvi (PTS)stretch1.81.6-13fixed
buster1.81.6-15fixed
bullseye, sid1.81.6-16fixed
olsrd (PTS)buster, stretch0.6.6.2-1fixed
openrpt (PTS)stretch3.3.12-2vulnerable
buster3.3.14-2vulnerable
ptlib (PTS)stretch2.10.11~dfsg-2.1vulnerable
radare2 (PTS)sid4.3.1+dfsg-1fixed
sma (PTS)sid, buster, stretch1.4-3fixed
vigor (PTS)stretch0.016-25fixed
buster0.016-27fixed
bullseye, sid0.016-28fixed
vnc4 (PTS)buster, stretch4.1.1+X4.3.0+t-1fixed
yap (PTS)sid, stretch6.2.2-6fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
alpinesource(unstable)(not affected)
clamavsourcesqueeze0.98.7+dfsg-0+deb6u1
clamavsourcewheezy0.98.7+dfsg-0+deb7u1
clamavsourcejessie0.98.7+dfsg-0+deb8u1
clamavsource(unstable)0.98.7+dfsg-1unimportant778406
cupssource(unstable)(not affected)
eflsource(unstable)(not affected)
haskell-regex-posixsource(unstable)(not affected)
knewssource(unstable)(not affected)
librcsb-core-wrappersource(unstable)1.005-3778397
llvm-toolchain-3.4source(unstable)(unfixed)low778391
llvm-toolchain-3.5source(unstable)1:3.5.2-2low778392
llvm-toolchain-3.6source(unstable)1:3.6-1778393
llvm-toolchain-3.7source(unstable)1:3.7~+rc3-1
llvm-toolchain-snapshotunknown(unstable)1:3.8~svn245286-1778394
newlibsource(unstable)2.0.0-1778408
nvisource(unstable)1.81.6-13unimportant778412
olsrdsource(unstable)(not affected)
openrptsource(unstable)(unfixed)unimportant778398
php5sourcesqueeze5.3.3.1-7+squeeze29DLA-444-1
php5sourcewheezy5.4.38-0+deb7u1DSA-3195-1
php5source(unstable)5.6.6+dfsg-1low778389
ptlibsource(unstable)(unfixed)unimportant778404
radare2source(unstable)0.10.5+dfsg-1low778402
smasource(unstable)(not affected)
vigorsourcewheezy0.016-19+deb7u1
vigorsource(unstable)0.016-24unimportant778409
vnc4source(unstable)4.1.1+X4.3.0+t-1unimportant778403
yapsource(unstable)6.2.2-3low778410
z88dksource(unstable)(not affected)

Notes

- olsrd <not-affected> (only when building on Android, see bug #778390)
[jessie] - llvm-toolchain-3.4 <no-dsa> (Minor issue)
[jessie] - llvm-toolchain-3.5 <no-dsa> (Minor issue)
- haskell-regex-posix <not-affected> (only when building on Windows, see bug #778395)
- cups <not-affected> (Local regex copy only used when building on Windows, see #778396)
- z88dk <not-affected> (Local regex copy only used when building on Windows, see bug #778399)
[squeeze] - newlib <no-dsa> (Minor issue)
[wheezy] - newlib <no-dsa> (Minor issue)
[jessie] - yap <no-dsa> (Minor issue)
[squeeze] - yap <no-dsa> (Minor issue)
[wheezy] - yap <no-dsa> (Minor issue)
affected code not built in vnc4, starting with 4.1.1+X4.3.0+t-1 it's a transitional package
- sma <not-affected> (Local regex copy only used when building on Windows, see #778411)
Only exploitable through virusdb updates, which need to be trusted anywaya
- knews <not-affected> (Uses system regex code, see #778401)
[jessie] - radare2 <no-dsa> (Minor issue)
[wheezy] - radare2 <no-dsa> (Minor issue)
- efl <not-affected> (Only used when building on Windows, see #778414)
ptlib uses the regex code from glibc, local fallback code not used
- alpine <not-affected> (alpine uses the regex code from glibc, local fallback code not used, bug #778413)
No security impact in nvi/vigor and openrpt
http://www.kb.cert.org/vuls/id/695940
https://guidovranken.wordpress.com/2015/02/04/full-disclosure-heap-overflow-in-h-spencers-regex-library-on-32-bit-systems/
https://www.openwall.com/lists/oss-security/2015/02/16/8

Search for package or bug name: Reporting problems