Debian Bug report logs - #778390
olsrd: CVE-2015-2305: Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability

Package: olsrd; Maintainer for olsrd is Roland Stigge <stigge@antcom.de>; Source for olsrd is src:olsrd (PTS, buildd, popcon).

Reported by: Luciano Bello <luciano@debian.org>

Date: Sat, 14 Feb 2015 14:27:01 UTC

Severity: important

Tags: patch, security

Done: Moritz Muehlenhoff <jmm@inutil.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, Roland Stigge <stigge@antcom.de>:
Bug#778390; Package olsrd. (Sat, 14 Feb 2015 14:27:06 GMT) (full text, mbox, link).

Acknowledgement sent to Luciano Bello <luciano@debian.org>:
New Bug report received and forwarded. Copy sent to Roland Stigge <stigge@antcom.de>. (Sat, 14 Feb 2015 14:27:06 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

Package: olsrd
Severity: important
Tags: security patch

The security team received a report from the CERT Coordination Center that the 
Henry Spencer regular expressions (regex) library contains a heap overflow 
vulnerability. It looks like this package includes the affected code at that's 
the reason of this bug report.

The patch is available here:
http://gitweb.dragonflybsd.org/dragonfly.git/blobdiff/4d133046c59a851141519d03553a70e903b3eefc..2841837793bd095a82f477e9c370cfe6cfb3862c:/lib/libc/regex/regcomp.c

Please, can you confirm if the binary packages are affected? Are stable and 
testing affected?

More information, here:
http://www.kb.cert.org/vuls/id/695940
https://guidovranken.wordpress.com/2015/02/04/full-disclosure-heap-overflow-in-h-spencers-regex-library-on-32-bit-systems/

A CVE id has been requested already and the report will be updated with it 
eventually.

Cheers, luciano

Reply sent to Moritz Muehlenhoff <jmm@inutil.org>:
You have taken responsibility. (Mon, 16 Feb 2015 16:27:25 GMT) (full text, mbox, link).

Notification sent to Luciano Bello <luciano@debian.org>:
Bug acknowledged by developer. (Mon, 16 Feb 2015 16:27:26 GMT) (full text, mbox, link).

Message #10 received at 778390-done@bugs.debian.org (full text, mbox, reply):

On Sat, Feb 14, 2015 at 03:21:48PM +0100, Luciano Bello wrote:
> Package: olsrd
> Severity: important
> Tags: security patch
> 
> The security team received a report from the CERT Coordination Center that the 
> Henry Spencer regular expressions (regex) library contains a heap overflow 
> vulnerability. It looks like this package includes the affected code at that's 
> the reason of this bug report.

The affected code is only used in the Android port.

Cheers,
        Moritz

Changed Bug title to 'olsrd: CVE-2015-2305: Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability' from 'Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 16 Mar 2015 11:57:06 GMT) (full text, mbox, link).

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 14 Apr 2015 07:34:38 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Jul 2 03:45:39 2023; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Debian Bug report logs - #778390 olsrd: CVE-2015-2305: Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability

Debian Bug report logs - #778390
olsrd: CVE-2015-2305: Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability