Debian Bug report logs -
#778397
librcsb-core-wrapper: CVE-2015-2305: Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability
Reported by: Luciano Bello <luciano@debian.org>
Date: Sat, 14 Feb 2015 14:30:22 UTC
Severity: important
Tags: patch, security
Fixed in version librcsb-core-wrapper/1.005-3
Done: Andreas Tille <tille@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>: Bug#778397; Package librcsb-core-wrapper. (Sat, 14 Feb 2015 14:30:27 GMT)
Acknowledgement sent to Luciano Bello <luciano@debian.org>: New Bug report received and forwarded. Copy sent to Debian Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>. (Sat, 14 Feb 2015 14:30:27 GMT)
Message #5 received at submit@bugs.debian.org:
Package: librcsb-core-wrapper
Severity: important
Tags: security patch
The security team received a report from the CERT Coordination Center that the
Henry Spencer regular expressions (regex) library contains a heap overflow
vulnerability. It looks like this package includes the affected code, and that's
the reason for this bug report.
The patch is available here:
http://gitweb.dragonflybsd.org/dragonfly.git/blobdiff/4d133046c59a851141519d03553a70e903b3eefc..2841837793bd095a82f477e9c370cfe6cfb3862c:/lib/libc/regex/regcomp.c
Please, can you confirm if the binary packages are affected? Are stable and
testing affected?
More information, here:
http://www.kb.cert.org/vuls/id/695940
https://guidovranken.wordpress.com/2015/02/04/full-disclosure-heap-overflow-in-h-spencers-regex-library-on-32-bit-systems/
A CVE id has been requested already and the report will be updated with it
eventually.
Cheers, luciano
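The report above only names the bug class. As an added illustration that is not part of the bug log or of the package's code, the following C program models the failure mode of an allocation size computed from an attacker-controlled pattern length on a 32-bit build: the element count and byte count formulas (len/2*3+1 elements of 4 bytes each) and the use of a 32-bit size type are assumptions taken from the public description of the issue, and the hardened version shows the overflow check a maintainer would want before calling malloc.

```c
#include <stdint.h>
#include <stdio.h>

/* Model a 32-bit size_t so the arithmetic wraps the same way on a 64-bit
 * host (assumption: the bug is specific to 32-bit builds). */
typedef uint32_t size32_t;
#define SIZE32_MAX UINT32_MAX
/* Assumption: each compiled strip element ("sop") is 4 bytes wide. */
#define SOP_SIZE 4u

/* Unchecked sizing as modelled here: elements = len/2*3+1, bytes =
 * elements*SOP_SIZE. Both multiplications can wrap, so a long pattern
 * gets a buffer far smaller than the compiler later fills. */
size32_t unchecked_strip_bytes(size32_t len)
{
    size32_t ssize = len / 2u * 3u + 1u;   /* element count, may wrap */
    return ssize * SOP_SIZE;                /* byte count, may wrap   */
}

/* Hardened sizing: returns the byte count, or 0 when any step would
 * exceed SIZE32_MAX (0 is never valid, the minimum is SOP_SIZE).
 * A caller maps 0 to an allocation failure (REG_ESPACE-style). */
size32_t checked_strip_bytes(size32_t len)
{
    size32_t half = len / 2u;
    if (half > SIZE32_MAX / 3u) return 0;          /* half*3 would wrap */
    size32_t ssize = half * 3u;
    if (ssize == SIZE32_MAX) return 0;             /* +1 would wrap     */
    ssize += 1u;
    if (ssize > SIZE32_MAX / SOP_SIZE) return 0;   /* *4 would wrap     */
    return ssize * SOP_SIZE;
}

/* 1 when the unchecked formula silently under-allocates for this length. */
int unchecked_wraps(size32_t len)
{
    size32_t safe = checked_strip_bytes(len);
    return safe == 0 || unchecked_strip_bytes(len) != safe;
}

int main(void)
{
    /* Constructed lengths: a normal pattern, the largest safe one, and
     * one that makes the unchecked formula wrap to a 12-byte buffer. */
    const size32_t lens[] = { 100u, 0x2AAAAAA8u, 0x2AAAAAACu };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("len=0x%08x unchecked=0x%08x checked=0x%08x wraps=%d\n",
               (unsigned)lens[i], (unsigned)unchecked_strip_bytes(lens[i]),
               (unsigned)checked_strip_bytes(lens[i]), unchecked_wraps(lens[i]));
    return 0;
}
```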
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>: Bug#778397; Package librcsb-core-wrapper. (Sat, 14 Feb 2015 17:09:04 GMT)
Acknowledgement sent to Andreas Tille <tille@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>. (Sat, 14 Feb 2015 17:09:04 GMT)
Message #10 received at 778397@bugs.debian.org:
Hi Luciano,
I can confirm that the problem affects testing and unstable. The
package is not in stable. I have committed a patch in SVN:
https://anonscm.debian.org/viewvc/debian-med/trunk/packages/rcsb-core-wrapper/trunk/debian/patches/regcomp_cert_fix.patch?view=markup
Upstream is in CC of this mail so I'll set "Forwarded:" to the patch. I
can upload in less than 24 hours if you acknowledge.
Kind regards
Andreas.
--
http://fam-tille.de
Added tag(s) pending. Request was from Andreas Tille <tille@debian.org> to control@bugs.debian.org. (Sat, 14 Feb 2015 17:33:22 GMT)
Reply sent to Andreas Tille <tille@debian.org>: You have taken responsibility. (Sun, 15 Feb 2015 15:36:09 GMT)
Notification sent to Luciano Bello <luciano@debian.org>: Bug acknowledged by developer. (Sun, 15 Feb 2015 15:36:09 GMT)
Message #17 received at 778397-close@bugs.debian.org:
Source: librcsb-core-wrapper
Source-Version: 1.005-3
We believe that the bug you reported is fixed in the latest version of
librcsb-core-wrapper, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 778397@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andreas Tille <tille@debian.org> (supplier of updated librcsb-core-wrapper package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sat, 14 Feb 2015 17:56:49 +0100
Source: librcsb-core-wrapper
Binary: librcsb-core-wrapper0 librcsb-core-wrapper0-dev librcsb-core-wrapper-doc librcsb-core-wrapper0-dbg python-corepywrap python-corepywrap-dbg
Architecture: source amd64 all
Version: 1.005-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>
Changed-By: Andreas Tille <tille@debian.org>
Description:
librcsb-core-wrapper-doc - documentation for librcsb-core-wrapper0
librcsb-core-wrapper0 - C++ library providing OO API to information in mmCIF format
librcsb-core-wrapper0-dbg - debugging symbols for librcsb-core-wrapper0
librcsb-core-wrapper0-dev - development files for librcsb-core-wrapper0
python-corepywrap - library that exports C++ mmCIF accessors to Python
python-corepywrap-dbg - library that exports C++ mmCIF accessors to Python (debug version)
Closes: 778397
Changes:
librcsb-core-wrapper (1.005-3) unstable; urgency=medium
.
* Patch for Henry Spencer regular expressions (regex) library contains
a heap overflow vulnerability
Closes: #778397
Checksums-Sha1:
Checksums-Sha256:
Files:
Changed Bug title to 'librcsb-core-wrapper: CVE-2015-2305: Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability' from 'Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 16 Mar 2015 11:57:10 GMT)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 14 Apr 2015 07:35:08 GMT)
Last modified: Sun Jul 2 03:46:17 2023