CVE-2015-2305

NameCVE-2015-2305
DescriptionInteger overflow in the regcomp implementation in the Henry Spencer BSD regex library (aka rxspencer) alpha3.8.g5 on 32-bit platforms, as used in NetBSD through 6.1.5 and other products, might allow context-dependent attackers to execute arbitrary code via a large regular expression that leads to a heap-based buffer overflow.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-233-1, DLA-444-1, DSA-3195-1
NVD severitymedium (attack range: remote)
Debian Bugs778389, 778391, 778392, 778393, 778394, 778397, 778398, 778402, 778403, 778404, 778406, 778408, 778409, 778410, 778412

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
alpine (PTS)jessie2.11+dfsg1-3fixed
stretch2.20+dfsg1-7fixed
buster, sid2.21+dfsg1-1fixed
clamav (PTS)jessie0.100.0+dfsg-0+deb8u1fixed
stretch0.100.0+dfsg-0+deb9u2fixed
buster, sid0.100.1+dfsg-1fixed
cups (PTS)jessie1.7.5-11+deb8u2fixed
jessie (security)1.7.5-11+deb8u4fixed
stretch2.2.1-8+deb9u1fixed
stretch (security)2.2.1-8+deb9u2fixed
buster, sid2.2.8-5fixed
efl (PTS)jessie1.8.6-2.1fixed
stretch1.8.6-2.5fixed
buster, sid1.20.7-6fixed
haskell-regex-posix (PTS)jessie0.95.2-3fixed
stretch0.95.2-9fixed
buster, sid0.95.2-10fixed
knews (PTS)jessie1.0b.1-29fixed
buster, stretch, sid1.0b.1-31fixed
librcsb-core-wrapper (PTS)jessie1.005-3fixed
stretch1.005-4fixed
buster, sid1.005-5fixed
llvm-toolchain-3.4 (PTS)jessie1:3.4.2-13vulnerable
llvm-toolchain-3.5 (PTS)jessie1:3.5-10vulnerable
llvm-toolchain-3.7 (PTS)stretch1:3.7.1-5fixed
llvm-toolchain-snapshot (PTS)sid1:7~svn331965-1fixed
newlib (PTS)jessie2.1.0+git20140818.1a8323b-2fixed
stretch2.4.0.20160527-2fixed
buster, sid3.0.0.20180802-2fixed
nvi (PTS)jessie1.81.6-11vulnerable
buster, stretch, sid1.81.6-13fixed
olsrd (PTS)buster, jessie, stretch, sid0.6.6.2-1fixed
openrpt (PTS)jessie3.3.7-1vulnerable
stretch3.3.12-2vulnerable
buster, sid3.3.14-1vulnerable
php5 (PTS)jessie5.6.33+dfsg-0+deb8u1fixed
jessie (security)5.6.36+dfsg-0+deb8u1fixed
ptlib (PTS)jessie2.10.10~dfsg-4.1vulnerable
stretch, sid2.10.11~dfsg-2.1vulnerable
radare2 (PTS)jessie0.9.6-3.1+deb8u1vulnerable
stretch1.1.0+dfsg-5fixed
buster, sid2.8.0+dfsg-1fixed
sma (PTS)buster, jessie, stretch, sid1.4-3fixed
vigor (PTS)jessie0.016-24fixed
stretch0.016-25fixed
buster, sid0.016-26fixed
vnc4 (PTS)jessie4.1.1+X4.3.0-37.6vulnerable
buster, stretch, sid4.1.1+X4.3.0+t-1fixed
yap (PTS)jessie6.2.2-2vulnerable
stretch, sid6.2.2-6fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
alpinesource(unstable)(not affected)
clamavsource(unstable)0.98.7+dfsg-1unimportant778406
clamavsourcejessie0.98.7+dfsg-0+deb8u1medium
clamavsourcesqueeze0.98.7+dfsg-0+deb6u1medium
clamavsourcewheezy0.98.7+dfsg-0+deb7u1medium
cupssource(unstable)(not affected)
eflsource(unstable)(not affected)
haskell-regex-posixsource(unstable)(not affected)
knewssource(unstable)(not affected)
librcsb-core-wrappersource(unstable)1.005-3medium778397
llvm-toolchain-3.4source(unstable)(unfixed)low778391
llvm-toolchain-3.5source(unstable)1:3.5.2-2low778392
llvm-toolchain-3.6source(unstable)1:3.6-1medium778393
llvm-toolchain-3.7source(unstable)1:3.7~+rc3-1medium
llvm-toolchain-snapshotsource(unstable)1:3.8~svn245286-1medium778394
newlibsource(unstable)2.0.0-1medium778408
nvisource(unstable)1.81.6-13unimportant778412
olsrdsource(unstable)(not affected)
openrptsource(unstable)(unfixed)unimportant778398
php5source(unstable)5.6.6+dfsg-1low778389
php5sourcesqueeze5.3.3.1-7+squeeze29mediumDLA-444-1
php5sourcewheezy5.4.38-0+deb7u1mediumDSA-3195-1
ptlibsource(unstable)(unfixed)unimportant778404
radare2source(unstable)0.10.5+dfsg-1low778402
smasource(unstable)(not affected)
vigorsource(unstable)0.016-24unimportant778409
vigorsourcewheezy0.016-19+deb7u1medium
vnc4source(unstable)4.1.1+X4.3.0+t-1unimportant778403
yapsource(unstable)6.2.2-3low778410
z88dksource(unstable)(not affected)

Notes

- olsrd <not-affected> (only when building on Android, see bug #778390)
[jessie] - llvm-toolchain-3.4 <no-dsa> (Minor issue)
[jessie] - llvm-toolchain-3.5 <no-dsa> (Minor issue)
- haskell-regex-posix <not-affected> (only when building on Windows, see bug #778395)
- cups <not-affected> (Local regex copy only used when building on Windows, see #778396)
- z88dk <not-affected> (Local regex copy only used when building on Windows, see bug #778399)
[squeeze] - newlib <no-dsa> (Minor issue)
[wheezy] - newlib <no-dsa> (Minor issue)
[jessie] - yap <no-dsa> (Minor issue)
[squeeze] - yap <no-dsa> (Minor issue)
[wheezy] - yap <no-dsa> (Minor issue)
affected code not built in vnc4, starting with 4.1.1+X4.3.0+t-1 it's a transitional package
- sma <not-affected> (Local regex copy only used when building on Windows, see #778411)
Only exploitable through virusdb updates, which need to be trusted anywaya
- knews <not-affected> (Uses system regex code, see #778401)
[jessie] - radare2 <no-dsa> (Minor issue)
[wheezy] - radare2 <no-dsa> (Minor issue)
- efl <not-affected> (Only used when building on Windows, see #778414)
ptlib uses the regex code from glibc, local fallback code not used
- alpine <not-affected> (alpine uses the regex code from glibc, local fallback code not used, bug #778413)
No security impact in nvi/vigor and openrpt
http://www.kb.cert.org/vuls/id/695940
https://guidovranken.wordpress.com/2015/02/04/full-disclosure-heap-overflow-in-h-spencers-regex-library-on-32-bit-systems/
http://www.openwall.com/lists/oss-security/2015/02/16/8

Search for package or bug name: Reporting problems