Bug 921950 (CVE-2015-2305)

Summary:	VUL-0: CVE-2015-2305: Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability
Product:	[Novell Products] SUSE Security Incidents	Reporter:	Andreas Stieger <astieger>
Component:	Incidents	Assignee:	Security Team bot <security-team>
Status:	RESOLVED FIXED	QA Contact:	Security Team bot <security-team>
Severity:	Normal
Priority:	P3 - Medium	CC:	atoptsoglou, meissner
Version:	unspecified
Target Milestone:	---
Hardware:	Other
OS:	Other
URL:	https://guidovranken.wordpress.com/2015/02/04/full-disclosure-heap-overflow-in-h-spencers-regex-library-on-32-bit-systems/
Whiteboard:	maint:running:61644:moderate CVSSv2:NVD:CVE-2015-2170:5.0:(AV:N/AC:L/Au:N/C:N/I:N/A:P) CVSSv2:NVD:CVE-2015-2221:5.0:(AV:N/AC:L/Au:N/C:N/I:N/A:P) CVSSv2:NVD:CVE-2015-2222:5.0:(AV:N/AC:L/Au:N/C:N/I:N/A:P) CVSSv2:NVD:CVE-2015-2668:5.0:(AV:N/AC:L/Au:N/C:N/I:N/A:P) CVSSv2:RedHat:CVE-2015-2170:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P) CVSSv2:RedHat:CVE-2015-2221:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P) CVSSv2:RedHat:CVE-2015-2222:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P) CVSSv2:RedHat:CVE-2015-2668:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P) CVSSv2:NVD:CVE-2015-2305:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:RedHat:CVE-2015-2305:5.1:(AV:N/AC:H/Au:N/C:P/I:P/A:P)
Found By:	Security Response Team	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---
Bug Depends on:	922022, 922028, 922030, 922043, 922560, 922567, 929192
Bug Blocks:
Attachments:	patch from dragonflybsd / libc upstream patch from https://github.com/garyhouston/regex/commit/70bc2965604b6b8aaf260049e64c708dddf85334

Description Andreas Stieger 2015-03-12 09:05:01 UTC

Guido Vranken reported that regular expressions (regex) originally written by Henry Spencer contains a heap overflow vulnerability.

CWE-122: Heap-based Buffer Overflow

https://guidovranken.wordpress.com/2015/02/04/full-disclosure-heap-overflow-in-h-spencers-regex-library-on-32-bit-systems/
http://www.kb.cert.org/vuls/id/695940

The variable len that holds the length of a regular expression string is "enlarged to such an extent that, in the process of enlarging (multiplication and addition), causes the 32 bit register/variable to overflow." It may be possible for an attacker to use this overflow to change data in memory.

Vulnerable function:
> int /* 0 success, otherwise REG_something */
> regcomp(preg, pattern, cflags)
> regex_t *preg;
> const char *pattern;
> int cflags;
> {

Vulnerable code:
> len = strlen((char *)pattern);
> [...]
> p->ssize = len/(size_t)2*(size_t)3 + (size_t)1; /* ugh */
> p->strip = (sop *)malloc(p->ssize * sizeof(sop));

32-bit systems are affected. It is highly unlikely that 64-bit operating systems would allow such an overflow. (Read: not impossible.)

The library is known to be contained in many different upstream source projects. The code may not be active or used on our platform, e.g. only be used as fallback code.

This issue is tracking the source review of all packages.

Initial candidate list, started from:
https://security-tracker.debian.org/tracker/TEMP-0778389-A8C6F9

Bionic libc
LLVM
MySQL server
mariadb
PHP
alpine
clamav
cups
efl
haskell-regex-posix
kews
newlib
nvi
olsrd
openrpt
php5
php53
ptlib
radare2
sma
vigor
vnc4
yap
z88dk

Comment 1 Andreas Stieger 2015-03-12 16:12:56 UTC

Checking for packages with files named regcomp.c, found the following:

PHP: yes - bug 922022
XEN: yes - bug 922028
LLVM: yes - bug 922030
ocfs2-tools: no
glibc: no
grub2: no
augeas: no
smartmontools: no
parted: no
nagios: no
perl: no
mysql: yes - bug 22043
libvirt: no

Comment 2 Swamp Workflow Management 2015-03-12 23:00:14 UTC

bugbot adjusting priority

Comment 3 Andreas Stieger 2015-03-16 11:00:29 UTC

Created attachment 626967 [details]
patch from dragonflybsd / libc

http://gitweb.dragonflybsd.org/dragonfly.git/blobdiff/4d133046c59a851141519d03553a70e903b3eefc..2841837793bd095a82f477e9c370cfe6cfb3862c:/lib/libc/regex/regcomp.c
not reviewed

Comment 4 Andreas Stieger 2015-03-16 13:35:26 UTC

List for SLE 11 SP3 with files named regcomp.c:
PHP: yes - bug 922022
XEN: yes - bug 922028
LLVM: yes - bug 922030
ocfs2-tools: no
glibc: no
grub2: no
augeas: no
smartmontools: no
parted: no
nagios: no
perl: no
mysql: yes - bug 922043
libvirt: no

Comment 5 Andreas Stieger 2015-03-16 13:36:04 UTC

Created attachment 627001 [details]
upstream patch from https://github.com/garyhouston/regex/commit/70bc2965604b6b8aaf260049e64c708dddf85334

From
https://github.com/garyhouston/regex/commit/70bc2965604b6b8aaf260049e64c708dddf85334

Comment 6 Andreas Stieger 2015-03-16 16:00:01 UTC

SLE 12 GA review, for completeness only as 64 bit not affected:
m4: no
git: no
ksh: no
man: no
sed: no
tar: no
tcl: no (old version?)
xen: yes (as above)
cups: yes
gawk: no
grep: no
lftp: no
llvm: yes (as above)
perl: no
php: yes (as above)
wget: no
diffutils: no
ocfs: no
clisp: no
ctags: no
glibc
grub2: no
guile: no
gettext-runtime: no
wdiff: no
lensfun: no
libvirt: no
fastjar: no
findutils: no
python-wxWidgets: no
texlive: no
amanda: no
augeas: no
clamav: yes (found on SLE 11)  bug 922560
ptlib: yes bug 922567
wxWidgets: no
smartmontools: no
parted: no
ruby: no
onig: no
idutils: no
novell-NLDAPsdk: no
postgresql: no (other version?)
perl-Tk: no
coreutils: no
clamav-nodb: bug 922560

Comment 7 Swamp Workflow Management 2015-04-30 08:17:56 UTC

An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-05-14.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/61644

Comment 8 Swamp Workflow Management 2016-06-21 11:12:43 UTC

SUSE-SU-2016:1638-1: An update that fixes 85 vulnerabilities is now available.

Category: security (important)
Bug References: 884986,884987,884989,884990,884991,884992,885961,886059,886060,893849,893853,902357,902360,902368,910659,914690,917150,918768,919080,921950,922451,922452,923945,924972,925109,928506,928511,931421,931769,931772,931776,933227,935074,935224,935226,935227,935229,935232,935234,935274,935275,938719,938721,942291,942296,945412,945428,949961,968284,969821,971611,971612,971912,973351,973792,976996,976997,977003,977005,977991,977994,978827,978828,978829,978830,980366,980373,980375,981050,982010,982011,982012,982013,982162
CVE References: CVE-2004-1019,CVE-2006-7243,CVE-2014-0207,CVE-2014-3478,CVE-2014-3479,CVE-2014-3480,CVE-2014-3487,CVE-2014-3515,CVE-2014-3597,CVE-2014-3668,CVE-2014-3669,CVE-2014-3670,CVE-2014-4049,CVE-2014-4670,CVE-2014-4698,CVE-2014-4721,CVE-2014-5459,CVE-2014-8142,CVE-2014-9652,CVE-2014-9705,CVE-2014-9709,CVE-2014-9767,CVE-2015-0231,CVE-2015-0232,CVE-2015-0273,CVE-2015-1352,CVE-2015-2301,CVE-2015-2305,CVE-2015-2783,CVE-2015-2787,CVE-2015-3152,CVE-2015-3329,CVE-2015-3411,CVE-2015-3412,CVE-2015-4021,CVE-2015-4022,CVE-2015-4024,CVE-2015-4026,CVE-2015-4116,CVE-2015-4148,CVE-2015-4598,CVE-2015-4599,CVE-2015-4600,CVE-2015-4601,CVE-2015-4602,CVE-2015-4603,CVE-2015-4643,CVE-2015-4644,CVE-2015-5161,CVE-2015-5589,CVE-2015-5590,CVE-2015-6831,CVE-2015-6833,CVE-2015-6836,CVE-2015-6837,CVE-2015-6838,CVE-2015-7803,CVE-2015-8835,CVE-2015-8838,CVE-2015-8866,CVE-2015-8867,CVE-2015-8873,CVE-2015-8874,CVE-2015-8879,CVE-2016-2554,CVE-2016-3141,CVE-2016-3142,CVE-2016-3185,CVE-2016-4070,CVE-2016-4073,CVE-2016-4342,CVE-2016-4346,CVE-2016-4537,CVE-2016-4538,CVE-2016-4539,CVE-2016-4540,CVE-2016-4541,CVE-2016-4542,CVE-2016-4543,CVE-2016-4544,CVE-2016-5093,CVE-2016-5094,CVE-2016-5095,CVE-2016-5096,CVE-2016-5114
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    php53-5.3.17-47.1

Comment 9 Alexandros Toptsoglou 2020-04-28 12:10:46 UTC

Done