CVE-2015-2305

NameCVE-2015-2305
DescriptionInteger overflow in the regcomp implementation in the Henry Spencer BSD regex library (aka rxspencer) alpha3.8.g5 on 32-bit platforms, as used in NetBSD through 6.1.5 and other products, might allow context-dependent attackers to execute arbitrary code via a large regular expression that leads to a heap-based buffer overflow.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-233-1, DLA-444-1, DSA-3195-1
Debian Bugs778389, 778391, 778392, 778393, 778394, 778397, 778398, 778402, 778403, 778404, 778406, 778408, 778409, 778410, 778412

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
alpine (PTS)jessie, jessie (lts)2.11+dfsg1-3+deb8u1fixed
stretch2.20+dfsg1-7fixed
buster2.21+dfsg1-1.1fixed
bullseye2.24+dfsg1-1fixed
bookworm2.26+dfsg-1fixed
sid, trixie2.26+dfsg-2fixed
clamav (PTS)jessie, jessie (lts)0.103.9+dfsg-0+deb8u1fixed
stretch (security)0.103.6+dfsg-0+deb9u1fixed
stretch (lts), stretch0.103.9+dfsg-0+deb9u1fixed
buster (security), buster, buster (lts)0.103.9+dfsg-0+deb10u1fixed
bullseye0.103.10+dfsg-0+deb11u1fixed
bookworm1.0.5+dfsg-1~deb12u1fixed
sid, trixie1.4.1+dfsg-1fixed
cups (PTS)jessie, jessie (lts)1.7.5-11+deb8u12fixed
stretch (security)2.2.1-8+deb9u8fixed
stretch (lts), stretch2.2.1-8+deb9u12fixed
buster, buster (lts)2.2.10-6+deb10u11fixed
buster (security)2.2.10-6+deb10u10fixed
bullseye2.3.3op2-3+deb11u8fixed
bullseye (security)2.3.3op2-3+deb11u9fixed
bookworm2.4.2-3+deb12u7fixed
bookworm (security)2.4.2-3+deb12u8fixed
sid, trixie2.4.10-2fixed
efl (PTS)jessie1.8.6-2.1fixed
stretch1.8.6-2.5fixed
buster1.21.1-5fixed
bullseye1.25.1-1fixed
bookworm1.26.3-1fixed
sid, trixie1.27.0-4fixed
haskell-regex-posix (PTS)jessie0.95.2-3fixed
stretch0.95.2-9fixed
buster0.95.2-11fixed
bullseye0.96.0.0-1fixed
bookworm0.96.0.1-1fixed
sid, trixie0.96.0.1-3fixed
knews (PTS)jessie1.0b.1-29fixed
stretch1.0b.1-31fixed
buster1.0b.1-32fixed
bullseye1.0b.1-33fixed
bookworm1.0b.1-35fixed
sid, trixie1.0b.1-38fixed
librcsb-core-wrapper (PTS)jessie1.005-3fixed
stretch1.005-4fixed
buster1.005-6fixed
bullseye1.005-10fixed
bookworm1.005-11fixed
sid, trixie1.005-12fixed
llvm-toolchain-3.4 (PTS)jessie1:3.4.2-13vulnerable
llvm-toolchain-3.5 (PTS)jessie1:3.5-10vulnerable
llvm-toolchain-3.7 (PTS)stretch1:3.7.1-5fixed
newlib (PTS)jessie2.1.0+git20140818.1a8323b-2fixed
stretch2.4.0.20160527-2fixed
buster3.1.0.20181231-1fixed
bullseye3.3.0-1fixed
bookworm3.3.0-1.3+deb12u1fixed
sid, trixie4.4.0.20231231-4fixed
nvi (PTS)jessie1.81.6-11vulnerable
stretch1.81.6-13fixed
buster1.81.6-15fixed
bullseye1.81.6-16fixed
bookworm1.81.6-17fixed
sid, trixie1.81.6-23fixed
olsrd (PTS)jessie, buster, stretch0.6.6.2-1fixed
openrpt (PTS)jessie3.3.7-1vulnerable
stretch3.3.12-2vulnerable
buster3.3.14-2vulnerable
php5 (PTS)jessie, jessie (lts)5.6.40+dfsg-0+deb8u21fixed
ptlib (PTS)jessie2.10.10~dfsg-4.1vulnerable
stretch2.10.11~dfsg-2.1vulnerable
radare2 (PTS)jessie0.9.6-3.1+deb8u1vulnerable
sid, trixie5.9.4+dfsg-1fixed
sma (PTS)jessie, buster, stretch1.4-3fixed
sid, trixie, bullseye, bookworm1.4-3.1fixed
vigor (PTS)jessie0.016-24fixed
stretch0.016-25fixed
buster0.016-27fixed
bullseye0.016-28fixed
bookworm0.016-30fixed
sid, trixie0.016-33fixed
vnc4 (PTS)jessie4.1.1+X4.3.0-37.6vulnerable
buster, stretch4.1.1+X4.3.0+t-1fixed
yap (PTS)jessie6.2.2-2vulnerable
stretch6.2.2-6fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
alpinesource(unstable)(not affected)
clamavsourcesqueeze0.98.7+dfsg-0+deb6u1
clamavsourcewheezy0.98.7+dfsg-0+deb7u1
clamavsourcejessie0.98.7+dfsg-0+deb8u1
clamavsource(unstable)0.98.7+dfsg-1unimportant778406
cupssource(unstable)(not affected)
eflsource(unstable)(not affected)
haskell-regex-posixsource(unstable)(not affected)
knewssource(unstable)(not affected)
librcsb-core-wrappersource(unstable)1.005-3778397
llvm-toolchain-3.4source(unstable)(unfixed)low778391
llvm-toolchain-3.5source(unstable)1:3.5.2-2low778392
llvm-toolchain-3.6source(unstable)1:3.6-1778393
llvm-toolchain-3.7source(unstable)1:3.7~+rc3-1
llvm-toolchain-snapshotunknown(unstable)1:3.8~svn245286-1778394
newlibsource(unstable)2.0.0-1778408
nvisource(unstable)1.81.6-13unimportant778412
olsrdsource(unstable)(not affected)
openrptsource(unstable)(unfixed)unimportant778398
php5sourcesqueeze5.3.3.1-7+squeeze29DLA-444-1
php5sourcewheezy5.4.38-0+deb7u1DSA-3195-1
php5source(unstable)5.6.6+dfsg-1low778389
ptlibsource(unstable)(unfixed)unimportant778404
radare2source(unstable)0.10.5+dfsg-1low778402
smasource(unstable)(not affected)
vigorsourcewheezy0.016-19+deb7u1
vigorsource(unstable)0.016-24unimportant778409
vnc4source(unstable)4.1.1+X4.3.0+t-1unimportant778403
yapsource(unstable)6.2.2-3low778410
z88dksource(unstable)(not affected)

Notes

- olsrd <not-affected> (only when building on Android, see bug #778390)
[jessie] - llvm-toolchain-3.4 <no-dsa> (Minor issue)
[jessie] - llvm-toolchain-3.5 <no-dsa> (Minor issue)
- haskell-regex-posix <not-affected> (only when building on Windows, see bug #778395)
- cups <not-affected> (Local regex copy only used when building on Windows, see #778396)
- z88dk <not-affected> (Local regex copy only used when building on Windows, see bug #778399)
[squeeze] - newlib <no-dsa> (Minor issue)
[wheezy] - newlib <no-dsa> (Minor issue)
[jessie] - yap <no-dsa> (Minor issue)
[squeeze] - yap <no-dsa> (Minor issue)
[wheezy] - yap <no-dsa> (Minor issue)
affected code not built in vnc4, starting with 4.1.1+X4.3.0+t-1 it's a transitional package
- sma <not-affected> (Local regex copy only used when building on Windows, see #778411)
Only exploitable through virusdb updates, which need to be trusted anywaya
- knews <not-affected> (Uses system regex code, see #778401)
[jessie] - radare2 <no-dsa> (Minor issue)
[wheezy] - radare2 <no-dsa> (Minor issue)
- efl <not-affected> (Only used when building on Windows, see #778414)
ptlib uses the regex code from glibc, local fallback code not used
- alpine <not-affected> (alpine uses the regex code from glibc, local fallback code not used, bug #778413)
No security impact in nvi/vigor and openrpt
http://www.kb.cert.org/vuls/id/695940
https://guidovranken.wordpress.com/2015/02/04/full-disclosure-heap-overflow-in-h-spencers-regex-library-on-32-bit-systems/
https://www.openwall.com/lists/oss-security/2015/02/16/8

Search for package or bug name: Reporting problems