| Name | CVE-2015-2305 |
| Description | Integer overflow in the regcomp implementation in the Henry Spencer BSD regex library (aka rxspencer) alpha3.8.g5 on 32-bit platforms, as used in NetBSD through 6.1.5 and other products, might allow context-dependent attackers to execute arbitrary code via a large regular expression that leads to a heap-based buffer overflow. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-233-1, DLA-444-1, DSA-3195-1 |
| Debian Bugs | 778389, 778391, 778392, 778393, 778394, 778397, 778398, 778402, 778403, 778404, 778406, 778408, 778409, 778410, 778412 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| alpine (PTS) | jessie, jessie (lts) | 2.11+dfsg1-3+deb8u1 | fixed |
| stretch | 2.20+dfsg1-7 | fixed |
| buster | 2.21+dfsg1-1.1 | fixed |
| bullseye | 2.24+dfsg1-1 | fixed |
| bookworm | 2.26+dfsg-1 | fixed |
| sid, trixie | 2.26+dfsg-2 | fixed |
| clamav (PTS) | jessie, jessie (lts) | 0.103.9+dfsg-0+deb8u1 | fixed |
| stretch (security) | 0.103.6+dfsg-0+deb9u1 | fixed |
| stretch (lts), stretch | 0.103.9+dfsg-0+deb9u1 | fixed |
| buster (security), buster, buster (lts) | 0.103.9+dfsg-0+deb10u1 | fixed |
| bullseye | 0.103.10+dfsg-0+deb11u1 | fixed |
| bookworm | 1.0.5+dfsg-1~deb12u1 | fixed |
| sid, trixie | 1.4.1+dfsg-1 | fixed |
| cups (PTS) | jessie, jessie (lts) | 1.7.5-11+deb8u12 | fixed |
| stretch (security) | 2.2.1-8+deb9u8 | fixed |
| stretch (lts), stretch | 2.2.1-8+deb9u12 | fixed |
| buster, buster (lts) | 2.2.10-6+deb10u11 | fixed |
| buster (security) | 2.2.10-6+deb10u10 | fixed |
| bullseye | 2.3.3op2-3+deb11u8 | fixed |
| bullseye (security) | 2.3.3op2-3+deb11u9 | fixed |
| bookworm | 2.4.2-3+deb12u7 | fixed |
| bookworm (security) | 2.4.2-3+deb12u8 | fixed |
| sid, trixie | 2.4.10-2 | fixed |
| efl (PTS) | jessie | 1.8.6-2.1 | fixed |
| stretch | 1.8.6-2.5 | fixed |
| buster | 1.21.1-5 | fixed |
| bullseye | 1.25.1-1 | fixed |
| bookworm | 1.26.3-1 | fixed |
| sid, trixie | 1.27.0-4 | fixed |
| haskell-regex-posix (PTS) | jessie | 0.95.2-3 | fixed |
| stretch | 0.95.2-9 | fixed |
| buster | 0.95.2-11 | fixed |
| bullseye | 0.96.0.0-1 | fixed |
| bookworm | 0.96.0.1-1 | fixed |
| sid, trixie | 0.96.0.1-3 | fixed |
| knews (PTS) | jessie | 1.0b.1-29 | fixed |
| stretch | 1.0b.1-31 | fixed |
| buster | 1.0b.1-32 | fixed |
| bullseye | 1.0b.1-33 | fixed |
| bookworm | 1.0b.1-35 | fixed |
| sid, trixie | 1.0b.1-38 | fixed |
| librcsb-core-wrapper (PTS) | jessie | 1.005-3 | fixed |
| stretch | 1.005-4 | fixed |
| buster | 1.005-6 | fixed |
| bullseye | 1.005-10 | fixed |
| bookworm | 1.005-11 | fixed |
| sid, trixie | 1.005-12 | fixed |
| llvm-toolchain-3.4 (PTS) | jessie | 1:3.4.2-13 | vulnerable |
| llvm-toolchain-3.5 (PTS) | jessie | 1:3.5-10 | vulnerable |
| llvm-toolchain-3.7 (PTS) | stretch | 1:3.7.1-5 | fixed |
| newlib (PTS) | jessie | 2.1.0+git20140818.1a8323b-2 | fixed |
| stretch | 2.4.0.20160527-2 | fixed |
| buster | 3.1.0.20181231-1 | fixed |
| bullseye | 3.3.0-1 | fixed |
| bookworm | 3.3.0-1.3+deb12u1 | fixed |
| sid, trixie | 4.4.0.20231231-4 | fixed |
| nvi (PTS) | jessie | 1.81.6-11 | vulnerable |
| stretch | 1.81.6-13 | fixed |
| buster | 1.81.6-15 | fixed |
| bullseye | 1.81.6-16 | fixed |
| bookworm | 1.81.6-17 | fixed |
| sid, trixie | 1.81.6-23 | fixed |
| olsrd (PTS) | jessie, buster, stretch | 0.6.6.2-1 | fixed |
| openrpt (PTS) | jessie | 3.3.7-1 | vulnerable |
| stretch | 3.3.12-2 | vulnerable |
| buster | 3.3.14-2 | vulnerable |
| php5 (PTS) | jessie, jessie (lts) | 5.6.40+dfsg-0+deb8u21 | fixed |
| ptlib (PTS) | jessie | 2.10.10~dfsg-4.1 | vulnerable |
| stretch | 2.10.11~dfsg-2.1 | vulnerable |
| radare2 (PTS) | jessie | 0.9.6-3.1+deb8u1 | vulnerable |
| sid, trixie | 5.9.4+dfsg-1 | fixed |
| sma (PTS) | jessie, buster, stretch | 1.4-3 | fixed |
| sid, trixie, bullseye, bookworm | 1.4-3.1 | fixed |
| vigor (PTS) | jessie | 0.016-24 | fixed |
| stretch | 0.016-25 | fixed |
| buster | 0.016-27 | fixed |
| bullseye | 0.016-28 | fixed |
| bookworm | 0.016-30 | fixed |
| sid, trixie | 0.016-33 | fixed |
| vnc4 (PTS) | jessie | 4.1.1+X4.3.0-37.6 | vulnerable |
| buster, stretch | 4.1.1+X4.3.0+t-1 | fixed |
| yap (PTS) | jessie | 6.2.2-2 | vulnerable |
| stretch | 6.2.2-6 | fixed |
The information below is based on the following data on fixed versions.
Notes
- olsrd <not-affected> (only when building on Android, see bug #778390)
[jessie] - llvm-toolchain-3.4 <no-dsa> (Minor issue)
[jessie] - llvm-toolchain-3.5 <no-dsa> (Minor issue)
- haskell-regex-posix <not-affected> (only when building on Windows, see bug #778395)
- cups <not-affected> (Local regex copy only used when building on Windows, see #778396)
- z88dk <not-affected> (Local regex copy only used when building on Windows, see bug #778399)
[squeeze] - newlib <no-dsa> (Minor issue)
[wheezy] - newlib <no-dsa> (Minor issue)
[jessie] - yap <no-dsa> (Minor issue)
[squeeze] - yap <no-dsa> (Minor issue)
[wheezy] - yap <no-dsa> (Minor issue)
affected code not built in vnc4, starting with 4.1.1+X4.3.0+t-1 it's a transitional package
- sma <not-affected> (Local regex copy only used when building on Windows, see #778411)
Only exploitable through virusdb updates, which need to be trusted anywaya
- knews <not-affected> (Uses system regex code, see #778401)
[jessie] - radare2 <no-dsa> (Minor issue)
[wheezy] - radare2 <no-dsa> (Minor issue)
- efl <not-affected> (Only used when building on Windows, see #778414)
ptlib uses the regex code from glibc, local fallback code not used
- alpine <not-affected> (alpine uses the regex code from glibc, local fallback code not used, bug #778413)
No security impact in nvi/vigor and openrpt
http://www.kb.cert.org/vuls/id/695940
https://guidovranken.wordpress.com/2015/02/04/full-disclosure-heap-overflow-in-h-spencers-regex-library-on-32-bit-systems/
https://www.openwall.com/lists/oss-security/2015/02/16/8