Debian Bug report logs - #778394
llvm-toolchain-snapshot: CVE-2015-2305: Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability

Package: llvm-toolchain-snapshot; Maintainer for llvm-toolchain-snapshot is LLVM Packaging Team <pkg-llvm-team@lists.alioth.debian.org>;

Reported by: Luciano Bello <luciano@debian.org>

Date: Sat, 14 Feb 2015 14:30:06 UTC

Severity: important

Tags: patch, security

Fixed in version 1:3.8~svn245286-1

Done: Sylvestre Ledru <sylvestre@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, LLVM Packaging Team <pkg-llvm-team@lists.alioth.debian.org>:
Bug#778394; Package llvm-toolchain-snapshot. (Sat, 14 Feb 2015 14:30:11 GMT) (full text, mbox, link).

Acknowledgement sent to Luciano Bello <luciano@debian.org>:
New Bug report received and forwarded. Copy sent to LLVM Packaging Team <pkg-llvm-team@lists.alioth.debian.org>. (Sat, 14 Feb 2015 14:30:11 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

Package: llvm-toolchain-snapshot
Severity: important
Tags: security patch

The security team received a report from the CERT Coordination Center that the 
Henry Spencer regular expressions (regex) library contains a heap overflow 
vulnerability. It looks like this package includes the affected code at that's 
the reason of this bug report.

The patch is available here:
http://gitweb.dragonflybsd.org/dragonfly.git/blobdiff/4d133046c59a851141519d03553a70e903b3eefc..2841837793bd095a82f477e9c370cfe6cfb3862c:/lib/libc/regex/regcomp.c

Please, can you confirm if the binary packages are affected? Are stable and 
testing affected?

More information, here:
http://www.kb.cert.org/vuls/id/695940
https://guidovranken.wordpress.com/2015/02/04/full-disclosure-heap-overflow-in-h-spencers-regex-library-on-32-bit-systems/

A CVE id has been requested already and the report will be updated with it 
eventually.

Cheers, luciano

Changed Bug title to 'llvm-toolchain-snapshot: CVE-2015-2305: Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability' from 'Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 16 Mar 2015 11:57:09 GMT) (full text, mbox, link).

Marked as fixed in versions 1:3.8~svn245286-1. Request was from Gianfranco Costamagna <costamagnagianfranco@yahoo.it> to control@bugs.debian.org. (Tue, 25 Aug 2015 08:09:06 GMT) (full text, mbox, link).

Reply sent to Sylvestre Ledru <sylvestre@debian.org>:
You have taken responsibility. (Sun, 04 Sep 2016 13:42:17 GMT) (full text, mbox, link).

Notification sent to Luciano Bello <luciano@debian.org>:
Bug acknowledged by developer. (Sun, 04 Sep 2016 13:42:17 GMT) (full text, mbox, link).

Message #14 received at 778394-done@bugs.debian.org (full text, mbox, reply):

fixed a while ago

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 13 Nov 2016 07:33:14 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Jul 2 03:46:31 2023; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Debian Bug report logs - #778394 llvm-toolchain-snapshot: CVE-2015-2305: Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability

Debian Bug report logs - #778394
llvm-toolchain-snapshot: CVE-2015-2305: Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability