Debian Bug report logs - #778392
llvm-toolchain-3.5: CVE-2015-2305: Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability
Report forwarded
to debian-bugs-dist@lists.debian.org, LLVM Packaging Team <pkg-llvm-team@lists.alioth.debian.org>:
Bug#778392; Package llvm-toolchain-3.5.
(Sat, 14 Feb 2015 14:27:16 GMT).
Acknowledgement sent
to Luciano Bello <luciano@debian.org>:
New Bug report received and forwarded. Copy sent to LLVM Packaging Team <pkg-llvm-team@lists.alioth.debian.org>.
(Sat, 14 Feb 2015 14:27:16 GMT).
Message #5 received at submit@bugs.debian.org:
Package: llvm-toolchain-3.5
Severity: important
Tags: security patch
The security team received a report from the CERT Coordination Center that the
Henry Spencer regular expressions (regex) library contains a heap overflow
vulnerability. It looks like this package includes the affected code and that's
the reason for this bug report.
The patch is available here:
http://gitweb.dragonflybsd.org/dragonfly.git/blobdiff/4d133046c59a851141519d03553a70e903b3eefc..2841837793bd095a82f477e9c370cfe6cfb3862c:/lib/libc/regex/regcomp.c
Please, can you confirm if the binary packages are affected? Are stable and
testing affected?
More information, here:
http://www.kb.cert.org/vuls/id/695940
https://guidovranken.wordpress.com/2015/02/04/full-disclosure-heap-overflow-in-h-spencers-regex-library-on-32-bit-systems/
A CVE id has been requested already and the report will be updated with it
eventually.
Cheers, luciano
Changed Bug title to 'llvm-toolchain-3.5: CVE-2015-2305: Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability' from 'Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability'
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Mon, 16 Mar 2015 11:57:08 GMT).
Reply sent
to Sylvestre Ledru <sylvestre@debian.org>:
You have taken responsibility.
(Mon, 17 Aug 2015 19:03:08 GMT).
Notification sent
to Luciano Bello <luciano@debian.org>:
Bug acknowledged by developer.
(Mon, 17 Aug 2015 19:03:08 GMT).
Message #14 received at 778392-close@bugs.debian.org:
Source: llvm-toolchain-3.5
Source-Version: 1:3.5.2-2
We believe that the bug you reported is fixed in the latest version of
llvm-toolchain-3.5, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 778392@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sylvestre Ledru <sylvestre@debian.org> (supplier of updated llvm-toolchain-3.5 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Mon, 17 Aug 2015 14:08:55 +0200
Source: llvm-toolchain-3.5
Binary: clang-3.5 clang-format-3.5 cpp11-migrate-3.5 clang-modernize-3.5 clang-3.5-doc libclang1-3.5 libclang1-3.5-dbg libclang-3.5-dev libclang-common-3.5-dev python-clang-3.5 clang-3.5-examples libllvm3.5v5 libllvm3.5-dbg llvm-3.5 llvm-3.5-runtime llvm-3.5-dev llvm-3.5-tools libllvm-3.5-ocaml-dev llvm-3.5-doc llvm-3.5-examples lldb-3.5 liblldb-3.5 python-lldb-3.5 liblldb-3.5-dev lldb-3.5-dev
Architecture: source all amd64
Version: 1:3.5.2-2
Distribution: unstable
Urgency: medium
Maintainer: LLVM Packaging Team <pkg-llvm-team@lists.alioth.debian.org>
Changed-By: Sylvestre Ledru <sylvestre@debian.org>
Description:
clang-3.5 - C, C++ and Objective-C compiler (LLVM based)
clang-3.5-doc - C, C++ and Objective-C compiler (LLVM based) - Documentation
clang-3.5-examples - Clang examples
clang-format-3.5 - Tool to format C/C++/Obj-C code
clang-modernize-3.5 - Tool to convert C++98 and C++03 code to C++11
cpp11-migrate-3.5 - Tool to convert C++98 and C++03 code to C++11
libclang-3.5-dev - clang library - Development package
libclang-common-3.5-dev - clang library - Common development package
libclang1-3.5 - C interface to the clang library
libclang1-3.5-dbg - clang library
liblldb-3.5 - Next generation, high-performance debugger, library
liblldb-3.5-dev - Next generation, high-performance debugger - Header files
libllvm-3.5-ocaml-dev - Modular compiler and toolchain technologies, OCaml bindings
libllvm3.5-dbg - Modular compiler and toolchain technologies, debugging libraries
libllvm3.5v5 - Modular compiler and toolchain technologies, runtime library
lldb-3.5 - Next generation, high-performance debugger
lldb-3.5-dev - transitional dummy package to liblldb-3.5-dev
llvm-3.5 - Modular compiler and toolchain technologies
llvm-3.5-dev - Modular compiler and toolchain technologies, libraries and header
llvm-3.5-doc - Modular compiler and toolchain technologies, documentation
llvm-3.5-examples - Modular compiler and toolchain technologies, examples
llvm-3.5-runtime - Modular compiler and toolchain technologies, IR interpreter
llvm-3.5-tools - Modular compiler and toolchain technologies, tools
python-clang-3.5 - Clang Python Bindings
python-lldb-3.5 - Next generation, high-performance debugger, python lib
Closes: 778392 781197 794935
Changes:
llvm-toolchain-3.5 (1:3.5.2-2) unstable; urgency=medium
.
[ Sylvestre Ledru ]
* Fix the CMake build. thanks to Paweł Bylica for the fix.
Fix upstream bug #23352
* Remove old remove-ice-rust*.diff patches.
* bug-24472.diff: Silent some aarch64/arm64 tests which started to fail
probably during the gcc 5 migration
.
[ Gianfranco Costamagna ]
* Really bump Standard-Version
* d/rules: fix gcc-5 detection, since gcc-5.2
doesn't provide a g++-5.2 binary (but it is called
g++-5)
(copying the patch from llvm-3.7)
.
[ Sebastian Andrzej Siewior ]
* debian/patches/0001-fix-ftbs-with-gcc-5.patch:
- Fix gcc-5 related build failure (Closes: #781197)
.
[ Steven Chamberlain ]
* debian/patches/bug783205.patch
- make llvm find s390x standard libraries by looking in
the correct directory.
.
[ Matthias Klose ]
* Rename libllvm3.5 to libllvm3.5v5 for libstdc++6 transition.
(Closes: #794935)
* Add Conflict/Replaces to the old library package.
.
[ Luciano Bello ]
* debian/patches/CVE-2015-2305.patch
(Closes: #778392)
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Wed, 21 Oct 2015 07:29:47 GMT).
Last modified:
Sun Jul 2 03:45:54 2023;