Bugzilla – Bug 921950
VUL-0: CVE-2015-2305: Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability
Last modified: 2020-04-28 12:10:46 UTC
Guido Vranken reported that the regular expressions (regex) library originally written by Henry Spencer contains a heap overflow vulnerability.

CWE-122: Heap-based Buffer Overflow

https://guidovranken.wordpress.com/2015/02/04/full-disclosure-heap-overflow-in-h-spencers-regex-library-on-32-bit-systems/
http://www.kb.cert.org/vuls/id/695940

The variable len that holds the length of a regular expression string is "enlarged to such an extent that, in the process of enlarging (multiplication and addition), causes the 32 bit register/variable to overflow." It may be possible for an attacker to use this overflow to change data in memory.

Vulnerable function:

> int /* 0 success, otherwise REG_something */
> regcomp(preg, pattern, cflags)
> regex_t *preg;
> const char *pattern;
> int cflags;
> {

Vulnerable code:

> len = strlen((char *)pattern);
> [...]
> p->ssize = len/(size_t)2*(size_t)3 + (size_t)1; /* ugh */
> p->strip = (sop *)malloc(p->ssize * sizeof(sop));

32-bit systems are affected. It is highly unlikely that 64-bit operating systems would allow such an overflow. (Read: not impossible.)

The library is known to be contained in many different upstream source projects. The code may not be active or used on our platform, e.g. it may only be used as fallback code.

This issue is tracking the source review of all packages.

Initial candidate list, started from:
https://security-tracker.debian.org/tracker/TEMP-0778389-A8C6F9

Bionic libc
LLVM
MySQL server
mariadb
PHP
alpine
clamav
cups
efl
haskell-regex-posix
kews
newlib
nvi
olsrd
openrpt
php5
php53
ptlib
radare2
sma
vigor
vnc4
yap
z88dk
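A constructed model of the size arithmetic quoted above, added here as an example; it is not part of the bug report, of the attached patches, or of the regex library itself. size_t on the affected 32-bit targets is modelled as uint32_t so the wraparound is visible on a 64-bit host, sizeof(sop) is assumed to be 4 bytes, and safe_alloc_bytes() is this example's own bounds check, not the upstream fix. It shows that the malloc() argument (ssize * sizeof(sop)) wraps at a much shorter pattern than ssize itself does, which is the value an attacker needs to reach for the strip buffer to be under-allocated.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* size_t on the affected 32-bit targets, modelled explicitly so the
 * wraparound shows on a 64-bit host as well. */
typedef uint32_t size32_t;
#define SIZE32_MAX UINT32_MAX
/* sizeof(sop) is assumed to be 4 bytes here (an assumption of this example). */
#define SOP_SIZE ((size32_t)4)

/* The original arithmetic from regcomp(): ssize = len/2*3 + 1, evaluated in
 * 32-bit unsigned arithmetic, so it silently wraps for large len. */
size32_t vuln_ssize(size32_t len)
{
    return len / (size32_t)2 * (size32_t)3 + (size32_t)1;
}

/* The byte count handed to malloc(): ssize * sizeof(sop). This product can
 * wrap even when ssize itself did not. */
size32_t vuln_alloc_bytes(size32_t len)
{
    return vuln_ssize(len) * SOP_SIZE;
}

/* Returns 1 if the 32-bit computation under-allocates, i.e. if either the
 * ssize expression or the malloc() argument wrapped; decided in 64-bit. */
int vuln_overflows(size32_t len)
{
    uint64_t true_ssize = (uint64_t)len / 2 * 3 + 1;
    uint64_t true_bytes = true_ssize * SOP_SIZE;
    return true_ssize > SIZE32_MAX || true_bytes > SIZE32_MAX;
}

/* Hardened sizing (this example's own check, not the upstream fix): bound
 * len before multiplying and refuse anything that cannot be sized in
 * size32_t. Returns 0 and stores the byte count, or -1 to refuse the pattern
 * (regcomp() would report REG_ESPACE at that point). */
int safe_alloc_bytes(size32_t len, size32_t *bytes)
{
    /* len/2*3 + 1 fits  <=>  len/2 <= (SIZE32_MAX - 1) / 3 */
    if (len / 2 > (SIZE32_MAX - 1) / 3)
        return -1;
    size32_t ssize = len / 2 * 3 + 1;
    /* ssize * SOP_SIZE fits  <=>  ssize <= SIZE32_MAX / SOP_SIZE */
    if (ssize > SIZE32_MAX / SOP_SIZE)
        return -1;
    *bytes = ssize * SOP_SIZE;
    return 0;
}

/* Same check for callers that only want a byte count; 0 means "refused"
 * (a valid result is never 0, since ssize >= 1). */
size32_t safe_alloc_bytes_or_zero(size32_t len)
{
    size32_t bytes;
    return safe_alloc_bytes(len, &bytes) == 0 ? bytes : 0;
}

int main(void)
{
    /* Constructed pattern lengths: a normal one, the largest one that still
     * sizes correctly, the smallest one where the malloc() argument wraps,
     * and the smallest one where ssize itself wraps to 0. */
    const size32_t lens[] = { 10u, 715827881u, 715827882u, 2863311530u };
    printf("%12s %12s %12s %7s %12s\n",
           "len", "ssize", "malloc arg", "wraps?", "hardened");
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        size32_t len = lens[i];
        printf("%12" PRIu32 " %12" PRIu32 " %12" PRIu32 " %7s %12" PRIu32 "\n",
               len, vuln_ssize(len), vuln_alloc_bytes(len),
               vuln_overflows(len) ? "yes" : "no",
               safe_alloc_bytes_or_zero(len));
    }
    return 0;
}
```

The same arithmetic in a 64-bit size_t would need len on the order of 2^63 bytes before anything wraps, which is why the report treats 64-bit targets as unaffected in practice while not ruling it out.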
Checking for packages with files named regcomp.c, found the following:

PHP: yes - bug 922022
XEN: yes - bug 922028
LLVM: yes - bug 922030
ocfs2-tools: no
glibc: no
grub2: no
augeas: no
smartmontools: no
parted: no
nagios: no
perl: no
mysql: yes - bug 22043
libvirt: no
bugbot adjusting priority
Created attachment 626967 [details]
patch from dragonflybsd / libc

http://gitweb.dragonflybsd.org/dragonfly.git/blobdiff/4d133046c59a851141519d03553a70e903b3eefc..2841837793bd095a82f477e9c370cfe6cfb3862c:/lib/libc/regex/regcomp.c

not reviewed
List for SLE 11 SP3 with files named regcomp.c:

PHP: yes - bug 922022
XEN: yes - bug 922028
LLVM: yes - bug 922030
ocfs2-tools: no
glibc: no
grub2: no
augeas: no
smartmontools: no
parted: no
nagios: no
perl: no
mysql: yes - bug 922043
libvirt: no
Created attachment 627001 [details]
upstream patch from https://github.com/garyhouston/regex/commit/70bc2965604b6b8aaf260049e64c708dddf85334

From https://github.com/garyhouston/regex/commit/70bc2965604b6b8aaf260049e64c708dddf85334
SLE 12 GA review, for completeness only as 64 bit not affected:

m4: no
git: no
ksh: no
man: no
sed: no
tar: no
tcl: no (old version?)
xen: yes (as above)
cups: yes
gawk: no
grep: no
lftp: no
llvm: yes (as above)
perl: no
php: yes (as above)
wget: no
diffutils: no
ocfs: no
clisp: no
ctags: no
glibc grub2: no
guile: no
gettext-runtime: no
wdiff: no
lensfun: no
libvirt: no
fastjar: no
findutils: no
python-wxWidgets: no
texlive: no
amanda: no
augeas: no
clamav: yes (found on SLE 11) bug 922560
ptlib: yes bug 922567
wxWidgets: no
smartmontools: no
parted: no
ruby: no
onig: no
idutils: no
novell-NLDAPsdk: no
postgresql: no (other version?)
perl-Tk: no
coreutils: no
clamav-nodb: bug 922560
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-05-14.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/61644
SUSE-SU-2016:1638-1: An update that fixes 85 vulnerabilities is now available.

Category: security (important)
Bug References: 884986,884987,884989,884990,884991,884992,885961,886059,886060,893849,893853,902357,902360,902368,910659,914690,917150,918768,919080,921950,922451,922452,923945,924972,925109,928506,928511,931421,931769,931772,931776,933227,935074,935224,935226,935227,935229,935232,935234,935274,935275,938719,938721,942291,942296,945412,945428,949961,968284,969821,971611,971612,971912,973351,973792,976996,976997,977003,977005,977991,977994,978827,978828,978829,978830,980366,980373,980375,981050,982010,982011,982012,982013,982162
CVE References: CVE-2004-1019,CVE-2006-7243,CVE-2014-0207,CVE-2014-3478,CVE-2014-3479,CVE-2014-3480,CVE-2014-3487,CVE-2014-3515,CVE-2014-3597,CVE-2014-3668,CVE-2014-3669,CVE-2014-3670,CVE-2014-4049,CVE-2014-4670,CVE-2014-4698,CVE-2014-4721,CVE-2014-5459,CVE-2014-8142,CVE-2014-9652,CVE-2014-9705,CVE-2014-9709,CVE-2014-9767,CVE-2015-0231,CVE-2015-0232,CVE-2015-0273,CVE-2015-1352,CVE-2015-2301,CVE-2015-2305,CVE-2015-2783,CVE-2015-2787,CVE-2015-3152,CVE-2015-3329,CVE-2015-3411,CVE-2015-3412,CVE-2015-4021,CVE-2015-4022,CVE-2015-4024,CVE-2015-4026,CVE-2015-4116,CVE-2015-4148,CVE-2015-4598,CVE-2015-4599,CVE-2015-4600,CVE-2015-4601,CVE-2015-4602,CVE-2015-4603,CVE-2015-4643,CVE-2015-4644,CVE-2015-5161,CVE-2015-5589,CVE-2015-5590,CVE-2015-6831,CVE-2015-6833,CVE-2015-6836,CVE-2015-6837,CVE-2015-6838,CVE-2015-7803,CVE-2015-8835,CVE-2015-8838,CVE-2015-8866,CVE-2015-8867,CVE-2015-8873,CVE-2015-8874,CVE-2015-8879,CVE-2016-2554,CVE-2016-3141,CVE-2016-3142,CVE-2016-3185,CVE-2016-4070,CVE-2016-4073,CVE-2016-4342,CVE-2016-4346,CVE-2016-4537,CVE-2016-4538,CVE-2016-4539,CVE-2016-4540,CVE-2016-4541,CVE-2016-4542,CVE-2016-4543,CVE-2016-4544,CVE-2016-5093,CVE-2016-5094,CVE-2016-5095,CVE-2016-5096,CVE-2016-5114
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src): php53-5.3.17-47.1
Done