CVE-2015-2305

Name: CVE-2015-2305
Description: Integer overflow in the regcomp implementation in the Henry Spencer BSD regex library (aka rxspencer) alpha3.8.g5 on 32-bit platforms, as used in NetBSD through 6.1.5 and other products, might allow context-dependent attackers to execute arbitrary code via a large regular expression that leads to a heap-based buffer overflow.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
References: DLA-233-1, DLA-444-1, DSA-3195-1
NVD severity: medium (attack range: remote)
Debian Bugs: 778389, 778391, 778392, 778393, 778394, 778397, 778398, 778402, 778403, 778404, 778406, 778408, 778409, 778410, 778412

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| alpine (PTS) | wheezy | 2.02+dfsg-2 | fixed |
| | jessie | 2.11+dfsg1-3 | fixed |
| | stretch, buster, sid | 2.20+dfsg1-7 | fixed |
| clamav (PTS) | wheezy | 0.99+dfsg-0+deb7u2 | fixed |
| | wheezy (security) | 0.99.2+dfsg-0+deb7u3 | fixed |
| | jessie | 0.99.2+dfsg-0+deb8u2 | fixed |
| | stretch | 0.99.2+dfsg-6 | fixed |
| | buster, sid | 0.99.3~beta1+dfsg-2 | fixed |
| cups (PTS) | wheezy, wheezy (security) | 1.5.3-5+deb7u6 | fixed |
| | jessie (security), jessie | 1.7.5-11+deb8u1 | fixed |
| | stretch | 2.2.1-8 | fixed |
| | buster, sid | 2.2.5-2 | fixed |
| efl (PTS) | jessie | 1.8.6-2.1 | fixed |
| | stretch, buster, sid | 1.8.6-2.5 | fixed |
| haskell-regex-posix (PTS) | wheezy | 0.95.1-2 | fixed |
| | jessie | 0.95.2-3 | fixed |
| | stretch, buster, sid | 0.95.2-9 | fixed |
| knews (PTS) | wheezy | 1.0b.1-28 | fixed |
| | jessie | 1.0b.1-29 | fixed |
| | stretch, buster, sid | 1.0b.1-31 | fixed |
| librcsb-core-wrapper (PTS) | jessie | 1.005-3 | fixed |
| | stretch, buster, sid | 1.005-4 | fixed |
| llvm-toolchain-3.4 (PTS) | jessie | 1:3.4.2-13 | vulnerable |
| llvm-toolchain-3.5 (PTS) | jessie | 1:3.5-10 | vulnerable |
| llvm-toolchain-3.7 (PTS) | stretch, buster, sid | 1:3.7.1-5 | fixed |
| llvm-toolchain-snapshot (PTS) | sid | 1:6.0~svn315736-1 | fixed |
| newlib (PTS) | wheezy | 1.18.0-6.2 | vulnerable |
| | jessie | 2.1.0+git20140818.1a8323b-2 | fixed |
| | stretch | 2.4.0.20160527-2 | fixed |
| | buster, sid | 2.4.0.20160527-3 | fixed |
| nvi (PTS) | wheezy | 1.81.6-8.2 | vulnerable |
| | jessie | 1.81.6-11 | vulnerable |
| | stretch, buster, sid | 1.81.6-13 | fixed |
| olsrd (PTS) | wheezy | 0.6.2-2.1 | fixed |
| | jessie, stretch, buster, sid | 0.6.6.2-1 | fixed |
| openrpt (PTS) | jessie | 3.3.7-1 | vulnerable |
| | stretch, buster, sid | 3.3.12-2 | vulnerable |
| php5 (PTS) | wheezy | 5.4.45-0+deb7u2 | fixed |
| | wheezy (security) | 5.4.45-0+deb7u11 | fixed |
| | jessie (security), jessie | 5.6.30+dfsg-0+deb8u1 | fixed |
| ptlib (PTS) | wheezy | 2.10.4~dfsg-1 | vulnerable |
| | jessie | 2.10.10~dfsg-4.1 | vulnerable |
| | stretch, buster, sid | 2.10.11~dfsg-2.1 | vulnerable |
| radare2 (PTS) | wheezy | 0.9-3 | vulnerable |
| | wheezy (security) | 0.9-3+deb7u3 | vulnerable |
| | jessie | 0.9.6-3.1+deb8u1 | vulnerable |
| | stretch | 1.1.0+dfsg-5 | fixed |
| | buster, sid | 2.0.0+dfsg-1 | fixed |
| sma (PTS) | wheezy | 1.4-2 | fixed |
| | jessie, stretch, buster, sid | 1.4-3 | fixed |
| vigor (PTS) | wheezy | 0.016-19+deb7u1 | fixed |
| | jessie | 0.016-24 | fixed |
| | stretch, buster, sid | 0.016-25 | fixed |
| vnc4 (PTS) | wheezy | 4.1.1+X4.3.0-37.1 | vulnerable |
| | jessie | 4.1.1+X4.3.0-37.6 | vulnerable |
| | stretch, buster, sid | 4.1.1+X4.3.0+t-1 | fixed |
| yap (PTS) | wheezy | 5.1.3-6 | vulnerable |
| | jessie | 6.2.2-2 | vulnerable |
| | stretch, buster, sid | 6.2.2-6 | fixed |
| z88dk (PTS) | wheezy | 1.8.ds1-10 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| alpine | source | (unstable) | (not affected) | | | |
| clamav | source | (unstable) | 0.98.7+dfsg-1 | unimportant | | 778406 |
| clamav | source | jessie | 0.98.7+dfsg-0+deb8u1 | medium | | |
| clamav | source | squeeze | 0.98.7+dfsg-0+deb6u1 | medium | | |
| clamav | source | wheezy | 0.98.7+dfsg-0+deb7u1 | medium | | |
| cups | source | (unstable) | (not affected) | | | |
| efl | source | (unstable) | (not affected) | | | |
| haskell-regex-posix | source | (unstable) | (not affected) | | | |
| knews | source | (unstable) | (not affected) | | | |
| librcsb-core-wrapper | source | (unstable) | 1.005-3 | medium | | 778397 |
| llvm-toolchain-3.4 | source | (unstable) | (unfixed) | low | | 778391 |
| llvm-toolchain-3.5 | source | (unstable) | 1:3.5.2-2 | low | | 778392 |
| llvm-toolchain-3.6 | source | (unstable) | 1:3.6-1 | medium | | 778393 |
| llvm-toolchain-3.7 | source | (unstable) | 1:3.7~+rc3-1 | medium | | |
| llvm-toolchain-snapshot | source | (unstable) | 1:3.8~svn245286-1 | medium | | 778394 |
| newlib | source | (unstable) | 2.0.0-1 | medium | | 778408 |
| nvi | source | (unstable) | 1.81.6-13 | unimportant | | 778412 |
| olsrd | source | (unstable) | (not affected) | | | |
| openrpt | source | (unstable) | (unfixed) | unimportant | | 778398 |
| php5 | source | (unstable) | 5.6.6+dfsg-1 | low | | 778389 |
| php5 | source | squeeze | 5.3.3.1-7+squeeze29 | medium | DLA-444-1 | |
| php5 | source | wheezy | 5.4.38-0+deb7u1 | medium | DSA-3195-1 | |
| ptlib | source | (unstable) | (unfixed) | unimportant | | 778404 |
| radare2 | source | (unstable) | 0.10.5+dfsg-1 | low | | 778402 |
| sma | source | (unstable) | (not affected) | | | |
| vigor | source | (unstable) | 0.016-24 | unimportant | | 778409 |
| vigor | source | wheezy | 0.016-19+deb7u1 | medium | | |
| vnc4 | source | (unstable) | 4.1.1+X4.3.0+t-1 | unimportant | | 778403 |
| yap | source | (unstable) | 6.2.2-3 | low | | 778410 |
| z88dk | source | (unstable) | (not affected) | | | |

Notes

- olsrd <not-affected> (only when building on Android, see bug #778390)
[jessie] - llvm-toolchain-3.4 <no-dsa> (Minor issue)
[jessie] - llvm-toolchain-3.5 <no-dsa> (Minor issue)
- haskell-regex-posix <not-affected> (only when building on Windows, see bug #778395)
- cups <not-affected> (Local regex copy only used when building on Windows, see #778396)
- z88dk <not-affected> (Local regex copy only used when building on Windows, see bug #778399)
[squeeze] - newlib <no-dsa> (Minor issue)
[wheezy] - newlib <no-dsa> (Minor issue)
[jessie] - yap <no-dsa> (Minor issue)
[squeeze] - yap <no-dsa> (Minor issue)
[wheezy] - yap <no-dsa> (Minor issue)
affected code not built in vnc4, starting with 4.1.1+X4.3.0+t-1 it's a transitional package
- sma <not-affected> (Local regex copy only used when building on Windows, see #778411)
Only exploitable through virusdb updates, which need to be trusted anyway
- knews <not-affected> (Uses system regex code, see #778401)
[jessie] - radare2 <no-dsa> (Minor issue)
[wheezy] - radare2 <no-dsa> (Minor issue)
- efl <not-affected> (Only used when building on Windows, see #778414)
ptlib uses the regex code from glibc, local fallback code not used
- alpine <not-affected> (alpine uses the regex code from glibc, local fallback code not used, bug #778413)
No security impact in nvi/vigor and openrpt
http://www.kb.cert.org/vuls/id/695940
https://guidovranken.wordpress.com/2015/02/04/full-disclosure-heap-overflow-in-h-spencers-regex-library-on-32-bit-systems/
http://www.openwall.com/lists/oss-security/2015/02/16/8
