Debian Bug report logs - #778403
vnc4: CVE-2015-2305: Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability
Reported by: Luciano Bello <luciano@debian.org>
Date: Sat, 14 Feb 2015 14:57:01 UTC
Severity: normal
Tags: patch, security
Done: Ola Lundqvist <ola@inguza.com>
Bug is archived. No further changes may be made.
Report forwarded
to debian-bugs-dist@lists.debian.org, Ola Lundqvist <opal@debian.org>:
Bug#778403; Package vnc4.
(Sat, 14 Feb 2015 14:57:06 GMT)
Acknowledgement sent
to Luciano Bello <luciano@debian.org>:
New Bug report received and forwarded. Copy sent to Ola Lundqvist <opal@debian.org>.
(Sat, 14 Feb 2015 14:57:06 GMT)
Message #5 received at submit@bugs.debian.org:
Package: vnc4
Severity: important
Tags: security patch
The security team received a report from the CERT Coordination Center that the
Henry Spencer regular expressions (regex) library contains a heap overflow
vulnerability. It looks like this package includes the affected code, and that's
the reason for this bug report.
The patch is available here:
http://gitweb.dragonflybsd.org/dragonfly.git/blobdiff/4d133046c59a851141519d03553a70e903b3eefc..2841837793bd095a82f477e9c370cfe6cfb3862c:/lib/libc/regex/regcomp.c
Please, can you confirm if the binary packages are affected? Are stable and
testing affected?
More information, here:
http://www.kb.cert.org/vuls/id/695940
https://guidovranken.wordpress.com/2015/02/04/full-disclosure-heap-overflow-in-h-spencers-regex-library-on-32-bit-systems/
A CVE id has been requested already and the report will be updated with it
eventually.
Cheers, luciano
Information forwarded
to debian-bugs-dist@lists.debian.org, Ola Lundqvist <opal@debian.org>:
Bug#778403; Package vnc4.
(Tue, 24 Feb 2015 22:27:05 GMT)
Acknowledgement sent
to Ola Lundqvist <ola@inguza.com>:
Extra info received and forwarded to list. Copy sent to Ola Lundqvist <opal@debian.org>.
(Tue, 24 Feb 2015 22:27:05 GMT)
Message #10 received at 778403@bugs.debian.org:
Hi Luciano
Thanks for reporting and sorry for not answering until today.
It does not look like it is a real issue for vnc after some analysis.
From what I can see in the source code (I used grep to find all occurrences),
it looks like regcomp is only used when parsing the X server configuration
file to see what modules to load.
This means that the person having the power to edit the configuration file
can potentially inject code that runs with the permissions of the person starting
the X server (the VNC server in this case).
The reason why this is not seen as an issue is that the configuration file
is typically owned by root or by the person executing the X/VNC server program.
Root can typically do anything anyway, and the person starting the X/VNC
server already has the permissions of their own user.
There could be really rare cases when some unprivileged user creates a
configuration file and then someone else uses that configuration file to
start the VNC server, but in that case the configuration file has to be
pointed out explicitly, and I see that as a really long shot.
Based on this I'll close this bug. Thanks. If you object, please let me
know.
// Ola
On Sat, Feb 14, 2015 at 3:36 PM, Luciano Bello <luciano@debian.org> wrote:
> Package: vnc4
> Severity: important
> Tags: security patch
>
> The security team received a report from the CERT Coordination Center that the
> Henry Spencer regular expressions (regex) library contains a heap overflow
> vulnerability. It looks like this package includes the affected code, and that's
> the reason for this bug report.
>
> The patch is available here:
>
> http://gitweb.dragonflybsd.org/dragonfly.git/blobdiff/4d133046c59a851141519d03553a70e903b3eefc..2841837793bd095a82f477e9c370cfe6cfb3862c:/lib/libc/regex/regcomp.c
>
> Please, can you confirm if the binary packages are affected? Are stable and
> testing affected?
>
> More information, here:
> http://www.kb.cert.org/vuls/id/695940
>
> https://guidovranken.wordpress.com/2015/02/04/full-disclosure-heap-overflow-in-h-spencers-regex-library-on-32-bit-systems/
>
> A CVE id has been requested already and the report will be updated with it
> eventually.
>
> Cheers, luciano
>
--
--- Inguza Technology AB --- MSc in Information Technology ----
/ ola@inguza.com Annebergsslingan 37 \
| opal@debian.org 654 65 KARLSTAD |
| http://inguza.com/ Mobile: +46 (0)70-332 1551 |
\ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /
---------------------------------------------------------------
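The two steps of the analysis above (find where regcomp is called, then ask who can write the file that feeds it) can be turned into checks that run against any source tree and deployment. The script below is an added example and is not code from the bug report or from the vnc4 package. It assumes GNU grep and GNU stat (as on Debian), takes the configuration file path and the server-starting user from the caller, and uses the "Henry Spencer" copyright line as a heuristic marker for a bundled regcomp.c; a package that embeds its own copy is not fixed by a libc update, which is why the second check matters.

```shell
#!/bin/sh
# Added example, not code from the bug report or from the vnc4 package.
# Step 1: list regcomp() call sites and detect a bundled copy of Spencer's
#         regcomp.c in a source tree.
# Step 2: for the file that feeds regcomp() (the X server configuration
#         file in the analysis above), check who can write it. A file owned
#         by root or by the user who starts the server, and not writable by
#         group or other, can only be edited by someone who already has that
#         access, which is the point the analysis makes.
# Assumptions: GNU grep and GNU stat; the "Henry Spencer" copyright line is
# used as a heuristic marker for a bundled regcomp.c.

# Print file:line:text for every regcomp( call in C/C++ sources under $1.
regcomp_call_sites() {
    grep -rn --include='*.c' --include='*.cc' --include='*.h' \
        'regcomp *(' "$1"
}

# Exit 0 if a file named regcomp.c under $1 carries Spencer's copyright line.
bundled_spencer_regex() {
    grep -rq --include='regcomp.c' 'Henry Spencer' "$1"
}

# Exit 0 if configuration file $1 is trusted relative to user $2 (the user
# who starts the server): owned by root or by $2, and not group- or
# world-writable. Exit 1 if another user could edit it, 2 if it is missing.
config_trusted() {
    file="$1"; runner="$2"
    [ -f "$file" ] || return 2
    owner=$(stat -c %U "$file")
    mode=$(stat -c %A "$file")           # e.g. -rw-r--r--
    [ "$owner" = root ] || [ "$owner" = "$runner" ] || return 1
    case "$mode" in
        ?????w*|????????w*) return 1 ;;  # 6th char: group w; 9th: other w
    esac
    return 0
}

# Usage (paths are assumptions; adapt to the tree and config file in use):
#   regcomp_call_sites /usr/src/vnc4 && bundled_spencer_regex /usr/src/vnc4
#   config_trusted /etc/X11/xorg.conf "$(id -un)" && echo "config trusted"
```

A non-zero result from config_trusted is the rare case the analysis describes: a configuration file that someone other than root or the server's own user can edit, and therefore the only situation in which the regcomp bug turns into a privilege boundary crossing rather than a self-inflicted crash.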
Reply sent
to Ola Lundqvist <ola@inguza.com>:
You have taken responsibility.
(Tue, 24 Feb 2015 22:27:09 GMT)
Notification sent
to Luciano Bello <luciano@debian.org>:
Bug acknowledged by developer.
(Tue, 24 Feb 2015 22:27:09 GMT)
Information forwarded
to debian-bugs-dist@lists.debian.org, Ola Lundqvist <opal@debian.org>:
Bug#778403; Package vnc4.
(Wed, 25 Feb 2015 12:27:04 GMT)
Acknowledgement sent
to Luciano Bello <luciano@debian.org>:
Extra info received and forwarded to list. Copy sent to Ola Lundqvist <opal@debian.org>.
(Wed, 25 Feb 2015 12:27:04 GMT)
Message #20 received at 778403@bugs.debian.org:
On Tuesday 24 February 2015 23.24.25 Ola Lundqvist wrote:
> There could be really rare cases when some unprivileged user create a
> configuration file and then someone else use that configuration file to
> start the vnc server, but in that case the configuration file have to be
> pointed out explicitly and I see that as a really long shot.
>
> Based on this I'll close this bug. Thanks. If you object, please let me
> know.
Thanks for analyzing it.
I agree it is a minor bug, but it is still a bug. What about reopening it, reducing
the severity, and notifying upstream? The patch is quite straightforward to
implement. You can rename it to better reflect the effect.
Cheers, luciano
Information forwarded
to debian-bugs-dist@lists.debian.org, Ola Lundqvist <opal@debian.org>:
Bug#778403; Package vnc4.
(Wed, 25 Feb 2015 18:21:04 GMT)
Acknowledgement sent
to Ola Lundqvist <ola@inguza.com>:
Extra info received and forwarded to list. Copy sent to Ola Lundqvist <opal@debian.org>.
(Wed, 25 Feb 2015 18:21:04 GMT)
Message #25 received at 778403@bugs.debian.org:
Hi
Yes you can reopen the bug with lower severity (normal or minor) if you
like.
Upstream has been inactive since 2004 or so.
/ Ola
Inguza Technology AB
Sent from a phone
On 25 Feb 2015 13:23, "Luciano Bello" <luciano@debian.org> wrote:
> On Tuesday 24 February 2015 23.24.25 Ola Lundqvist wrote:
> > There could be really rare cases when some unprivileged user create a
> > configuration file and then someone else use that configuration file to
> > start the vnc server, but in that case the configuration file have to be
> > pointed out explicitly and I see that as a really long shot.
> >
> > Based on this I'll close this bug. Thanks. If you object, please let me
> > know.
>
> Thanks for analyzing it.
>
> I agree it is a minor bug, but it is still a bug. What about reopening it,
> reducing the severity, and notifying upstream? The patch is quite
> straightforward to implement. You can rename it to better reflect the effect.
>
> Cheers, luciano
>
Bug reopened
Request was from Luciano Bello <luciano@debian.org>
to control@bugs.debian.org.
(Thu, 26 Feb 2015 21:33:12 GMT)
Severity set to 'normal' from 'important'
Request was from Luciano Bello <luciano@debian.org>
to control@bugs.debian.org.
(Thu, 26 Feb 2015 21:33:13 GMT)
Changed Bug title to 'vnc4: CVE-2015-2305: Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability' from 'Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability'
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Mon, 16 Mar 2015 11:57:14 GMT)
Reply sent
to Ola Lundqvist <ola@inguza.com>:
You have taken responsibility.
(Sat, 28 Dec 2019 13:42:11 GMT)
Notification sent
to Luciano Bello <luciano@debian.org>:
Bug acknowledged by developer.
(Sat, 28 Dec 2019 13:42:11 GMT)
Message #36 received at 778403-done@bugs.debian.org:
Hi
The vnc4 source package has been a transitional package for two releases
now. Therefore I'm closing the bugs on this package, except the ones
related to the package removal.
The package has been requested for removal.
Best regards
// Ola
--
--- Inguza Technology AB --- MSc in Information Technology ----
| ola@inguza.com opal@debian.org |
| http://inguza.com/ Mobile: +46 (0)70-332 1551 |
---------------------------------------------------------------
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 26 Jan 2020 07:24:43 GMT)
Last modified:
Sun Jul 2 03:45:43 2023;