Bug 921950 (CVE-2015-2305)

Summary: VUL-0: CVE-2015-2305: Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability
Product: [Novell Products] SUSE Security Incidents Reporter: Andreas Stieger <astieger>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: atoptsoglou, meissner
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://guidovranken.wordpress.com/2015/02/04/full-disclosure-heap-overflow-in-h-spencers-regex-library-on-32-bit-systems/
Whiteboard: maint:running:61644:moderate CVSSv2:NVD:CVE-2015-2170:5.0:(AV:N/AC:L/Au:N/C:N/I:N/A:P) CVSSv2:NVD:CVE-2015-2221:5.0:(AV:N/AC:L/Au:N/C:N/I:N/A:P) CVSSv2:NVD:CVE-2015-2222:5.0:(AV:N/AC:L/Au:N/C:N/I:N/A:P) CVSSv2:NVD:CVE-2015-2668:5.0:(AV:N/AC:L/Au:N/C:N/I:N/A:P) CVSSv2:RedHat:CVE-2015-2170:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P) CVSSv2:RedHat:CVE-2015-2221:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P) CVSSv2:RedHat:CVE-2015-2222:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P) CVSSv2:RedHat:CVE-2015-2668:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P) CVSSv2:NVD:CVE-2015-2305:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:RedHat:CVE-2015-2305:5.1:(AV:N/AC:H/Au:N/C:P/I:P/A:P)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on: 922022, 922028, 922030, 922043, 922560, 922567, 929192    
Bug Blocks:    
Attachments: patch from dragonflybsd / libc
upstream patch from https://github.com/garyhouston/regex/commit/70bc2965604b6b8aaf260049e64c708dddf85334

Description Andreas Stieger 2015-03-12 09:05:01 UTC
Guido Vranken reported that regular expressions (regex) originally written by Henry Spencer contains a heap overflow vulnerability.

CWE-122: Heap-based Buffer Overflow

https://guidovranken.wordpress.com/2015/02/04/full-disclosure-heap-overflow-in-h-spencers-regex-library-on-32-bit-systems/
http://www.kb.cert.org/vuls/id/695940

The variable len that holds the length of a regular expression string is "enlarged to such an extent that, in the process of enlarging (multiplication and addition), causes the 32 bit register/variable to overflow." It may be possible for an attacker to use this overflow to change data in memory.

Vulnerable function:
> int /* 0 success, otherwise REG_something */
> regcomp(preg, pattern, cflags)
> regex_t *preg;
> const char *pattern;
> int cflags;
> {

Vulnerable code:
> len = strlen((char *)pattern);
> [...]
> p->ssize = len/(size_t)2*(size_t)3 + (size_t)1; /* ugh */
> p->strip = (sop *)malloc(p->ssize * sizeof(sop));

32-bit systems are affected. It is highly unlikely that 64-bit operating systems would allow such an overflow. (Read: not impossible.)

The library is known to be contained in many different upstream source projects. The code may not be active or used on our platform, e.g. only be used as fallback code.

This issue is tracking the source review of all packages.

Initial candidate list, started from:
https://security-tracker.debian.org/tracker/TEMP-0778389-A8C6F9

Bionic libc
LLVM
MySQL server
mariadb
PHP
alpine
clamav
cups
efl
haskell-regex-posix
kews
newlib
nvi
olsrd
openrpt
php5
php53
ptlib
radare2
sma
vigor
vnc4
yap
z88dk
Comment 1 Andreas Stieger 2015-03-12 16:12:56 UTC
Checking for packages with files named regcomp.c, found the following:

PHP: yes - bug 922022
XEN: yes - bug 922028
LLVM: yes - bug 922030
ocfs2-tools: no
glibc: no
grub2: no
augeas: no
smartmontools: no
parted: no
nagios: no
perl: no
mysql: yes - bug 22043
libvirt: no
Comment 2 Swamp Workflow Management 2015-03-12 23:00:14 UTC
bugbot adjusting priority
Comment 4 Andreas Stieger 2015-03-16 13:35:26 UTC
List for SLE 11 SP3 with files named regcomp.c:
PHP: yes - bug 922022
XEN: yes - bug 922028
LLVM: yes - bug 922030
ocfs2-tools: no
glibc: no
grub2: no
augeas: no
smartmontools: no
parted: no
nagios: no
perl: no
mysql: yes - bug 922043
libvirt: no
Comment 6 Andreas Stieger 2015-03-16 16:00:01 UTC
SLE 12 GA review, for completeness only as 64 bit not affected:
m4: no
git: no
ksh: no
man: no
sed: no
tar: no
tcl: no (old version?)
xen: yes (as above)
cups: yes
gawk: no
grep: no
lftp: no
llvm: yes (as above)
perl: no
php: yes (as above)
wget: no
diffutils: no
ocfs: no
clisp: no
ctags: no
glibc
grub2: no
guile: no
gettext-runtime: no
wdiff: no
lensfun: no
libvirt: no
fastjar: no
findutils: no
python-wxWidgets: no
texlive: no
amanda: no
augeas: no
clamav: yes (found on SLE 11)  bug 922560
ptlib: yes bug 922567
wxWidgets: no
smartmontools: no
parted: no
ruby: no
onig: no
idutils: no
novell-NLDAPsdk: no
postgresql: no (other version?)
perl-Tk: no
coreutils: no
clamav-nodb: bug 922560
Comment 7 Swamp Workflow Management 2015-04-30 08:17:56 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-05-14.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/61644
Comment 8 Swamp Workflow Management 2016-06-21 11:12:43 UTC
SUSE-SU-2016:1638-1: An update that fixes 85 vulnerabilities is now available.

Category: security (important)
Bug References: 884986,884987,884989,884990,884991,884992,885961,886059,886060,893849,893853,902357,902360,902368,910659,914690,917150,918768,919080,921950,922451,922452,923945,924972,925109,928506,928511,931421,931769,931772,931776,933227,935074,935224,935226,935227,935229,935232,935234,935274,935275,938719,938721,942291,942296,945412,945428,949961,968284,969821,971611,971612,971912,973351,973792,976996,976997,977003,977005,977991,977994,978827,978828,978829,978830,980366,980373,980375,981050,982010,982011,982012,982013,982162
CVE References: CVE-2004-1019,CVE-2006-7243,CVE-2014-0207,CVE-2014-3478,CVE-2014-3479,CVE-2014-3480,CVE-2014-3487,CVE-2014-3515,CVE-2014-3597,CVE-2014-3668,CVE-2014-3669,CVE-2014-3670,CVE-2014-4049,CVE-2014-4670,CVE-2014-4698,CVE-2014-4721,CVE-2014-5459,CVE-2014-8142,CVE-2014-9652,CVE-2014-9705,CVE-2014-9709,CVE-2014-9767,CVE-2015-0231,CVE-2015-0232,CVE-2015-0273,CVE-2015-1352,CVE-2015-2301,CVE-2015-2305,CVE-2015-2783,CVE-2015-2787,CVE-2015-3152,CVE-2015-3329,CVE-2015-3411,CVE-2015-3412,CVE-2015-4021,CVE-2015-4022,CVE-2015-4024,CVE-2015-4026,CVE-2015-4116,CVE-2015-4148,CVE-2015-4598,CVE-2015-4599,CVE-2015-4600,CVE-2015-4601,CVE-2015-4602,CVE-2015-4603,CVE-2015-4643,CVE-2015-4644,CVE-2015-5161,CVE-2015-5589,CVE-2015-5590,CVE-2015-6831,CVE-2015-6833,CVE-2015-6836,CVE-2015-6837,CVE-2015-6838,CVE-2015-7803,CVE-2015-8835,CVE-2015-8838,CVE-2015-8866,CVE-2015-8867,CVE-2015-8873,CVE-2015-8874,CVE-2015-8879,CVE-2016-2554,CVE-2016-3141,CVE-2016-3142,CVE-2016-3185,CVE-2016-4070,CVE-2016-4073,CVE-2016-4342,CVE-2016-4346,CVE-2016-4537,CVE-2016-4538,CVE-2016-4539,CVE-2016-4540,CVE-2016-4541,CVE-2016-4542,CVE-2016-4543,CVE-2016-4544,CVE-2016-5093,CVE-2016-5094,CVE-2016-5095,CVE-2016-5096,CVE-2016-5114
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    php53-5.3.17-47.1
Comment 9 Alexandros Toptsoglou 2020-04-28 12:10:46 UTC
Done