Debian Bug report logs -
#778399
z88dk: CVE-2015-2305: Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability
Reported by: Luciano Bello <luciano@debian.org>
Date: Sat, 14 Feb 2015 14:36:01 UTC
Severity: important
Tags: patch, security
Done: Moritz Muehlenhoff <jmm@inutil.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, Krystian Wlosek <kwlosek@gmail.com>:
Bug#778399; Package z88dk.
(Sat, 14 Feb 2015 14:36:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Luciano Bello <luciano@debian.org>:
New Bug report received and forwarded. Copy sent to Krystian Wlosek <kwlosek@gmail.com>.
(Sat, 14 Feb 2015 14:36:06 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: z88dk
Severity: important
Tags: security patch
The security team received a report from the CERT Coordination Center that the
Henry Spencer regular expressions (regex) library contains a heap overflow
vulnerability. It looks like this package includes the affected code at that's
the reason of this bug report.
The patch is available here:
http://gitweb.dragonflybsd.org/dragonfly.git/blobdiff/4d133046c59a851141519d03553a70e903b3eefc..2841837793bd095a82f477e9c370cfe6cfb3862c:/lib/libc/regex/regcomp.c
Please, can you confirm if the binary packages are affected? Are stable and
testing affected?
More information, here:
http://www.kb.cert.org/vuls/id/695940
https://guidovranken.wordpress.com/2015/02/04/full-disclosure-heap-overflow-in-h-spencers-regex-library-on-32-bit-systems/
A CVE id has been requested already and the report will be updated with it
eventually.
Cheers, luciano
Reply sent
to Moritz Muehlenhoff <jmm@inutil.org>:
You have taken responsibility.
(Thu, 19 Feb 2015 15:39:14 GMT) (full text, mbox, link).
Notification sent
to Luciano Bello <luciano@debian.org>:
Bug acknowledged by developer.
(Thu, 19 Feb 2015 15:39:14 GMT) (full text, mbox, link).
Message #10 received at 778399-done@bugs.debian.org (full text, mbox, reply):
On Sat, Feb 14, 2015 at 03:33:21PM +0100, Luciano Bello wrote:
> Package: z88dk
> Severity: important
> Tags: security patch
>
> The security team received a report from the CERT Coordination Center that the
> Henry Spencer regular expressions (regex) library contains a heap overflow
> vulnerability. It looks like this package includes the affected code at that's
> the reason of this bug report.
This is only used when building on Windows.
Cheers,
Moritz
Changed Bug title to 'z88dk: CVE-2015-2305: Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability' from 'Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability'
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Mon, 16 Mar 2015 11:57:11 GMT) (full text, mbox, link).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Tue, 14 Apr 2015 07:35:22 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Sun Jul 2 03:46:13 2023;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.