Bugzilla – Bug 922560
VUL-1: clamav, clamav-nodb: the bundled regular expressions (regex) library contains a heap overflow vulnerability
Last modified: 2019-08-16 17:03:28 UTC
+++ This bug was initially created as a clone of Bug #921950 +++
Guido Vranken reported that the regular expressions (regex) library originally written by Henry Spencer contains a heap overflow vulnerability.
CWE-122: Heap-based Buffer Overflow
The variable len that holds the length of a regular expression string is "enlarged to such an extent that, in the process of enlarging (multiplication and addition), causes the 32 bit register/variable to overflow." It may be possible for an attacker to use this overflow to change data in memory.
> int /* 0 success, otherwise REG_something */
> regcomp(preg, pattern, cflags)
> regex_t *preg;
> const char *pattern;
> int cflags;
> len = strlen((char *)pattern);
> p->ssize = len/(size_t)2*(size_t)3 + (size_t)1; /* ugh */
> p->strip = (sop *)malloc(p->ssize * sizeof(sop));
32-bit systems are affected. It is highly unlikely that 64-bit operating systems would allow such an overflow. (Read: not impossible.)
The library is known to be contained in many different upstream source projects. The code may not be active or used on our platform, e.g. it may only be used as fallback code.
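To make the arithmetic in the quoted regcomp() lines concrete, here is an added illustration (not code from this bug, from ClamAV or from the upstream patch) that reproduces the size computation in 32-bit arithmetic next to a variant that rejects oversized patterns before calling malloc(). The overflow check is an assumption of this example, not the fix in attachment 627001, and SOP_SIZE32 assumes sizeof(sop) is 4 on the affected 32-bit target.

```c
#include <stdint.h>
#include <stdio.h>

/* sop is the "strip operator" element type in Spencer's regex; on a 32-bit
   target it is 4 bytes wide. Assumed width for this 32-bit simulation. */
#define SOP_SIZE32 4u

/* Mirrors the quoted regcomp() arithmetic as it executes on a 32-bit target,
   using uint32_t in place of size_t so the wraparound is visible on a 64-bit
   host as well. Returns the byte count that would reach malloc(). */
uint32_t unchecked_strip_bytes(uint32_t len)
{
    uint32_t ssize = len / 2u * 3u + 1u;   /* p->ssize = len/2*3 + 1 */
    return ssize * SOP_SIZE32;             /* malloc(p->ssize * sizeof(sop)) */
}

/* Hardened variant (illustrative check, not the upstream patch): every
   intermediate value is verified to fit before it is computed.
   Returns 0 and stores the byte count in *bytes, or -1 for a pattern that
   is too long to size safely (the caller would return REG_ESPACE). */
int checked_strip_bytes(uint32_t len, uint32_t *bytes)
{
    uint32_t half = len / 2u;

    /* half * 3 must leave room for the trailing + 1 */
    if (half > (UINT32_MAX - 1u) / 3u)
        return -1;
    uint32_t ssize = half * 3u + 1u;

    /* ssize * sizeof(sop) must fit as well, or malloc() gets a tiny size */
    if (ssize > UINT32_MAX / SOP_SIZE32)
        return -1;

    *bytes = ssize * SOP_SIZE32;
    return 0;
}

int main(void)
{
    /* Constructed pattern lengths: a normal one and two that only a
       multi-gigabyte pattern on a 32-bit system could produce. */
    uint32_t lens[] = { 10u, 800000000u, 0xAAAAAAABu };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        uint32_t bytes = 0;
        int rc = checked_strip_bytes(lens[i], &bytes);
        printf("len=%u unchecked malloc size=%u checked rc=%d size=%u\n",
               lens[i], unchecked_strip_bytes(lens[i]), rc, bytes);
    }
    return 0;
}
```

For len = 0xAAAAAAAB the unchecked expression wraps all the way to a malloc size of 0, and for len = 800000000 the second multiplication wraps to roughly 505 MB although about 4.8 GB would be needed; the strip parser then writes opcodes past the end of the undersized heap block, which is the heap overflow described above. The checked variant refuses both lengths and accepts ordinary ones.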
Found in clamav on SLE 11 (and SLE12) in libclamav/regex/regcomp.c
Upstream patch is in attachment 627001 of parent bug 921950.
bugbot adjusting priority
Checked the build log, regcomp.c is built.
This will be fixed by upgrading to version 0.98.7.
*** This bug has been marked as a duplicate of bug 929192 ***
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages by 2015-05-14.
When done, reassign the bug to email@example.com.