Debian Bug report logs - #778404
ptlib: CVE-2015-2305: Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability

Package: ptlib; Maintainer for ptlib is (unknown);

Reported by: Luciano Bello <luciano@debian.org>

Date: Sat, 14 Feb 2015 15:03:01 UTC

Severity: minor

Tags: fixed-upstream, patch, security

Done: Eugen Dedu <eugen.dedu@univ-fcomte.fr>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#778404; Package ptlib. (Sat, 14 Feb 2015 15:03:06 GMT) (full text, mbox, link).

Acknowledgement sent to Luciano Bello <luciano@debian.org>:
New Bug report received and forwarded. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Sat, 14 Feb 2015 15:03:06 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Luciano Bello <luciano@debian.org>
To: submit@bugs.debian.org
Subject: Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability
Date: Sat, 14 Feb 2015 15:39:19 +0100
Package: ptlib
Severity: important
Tags: security patch

The security team received a report from the CERT Coordination Center that the 
Henry Spencer regular expressions (regex) library contains a heap overflow 
vulnerability. It looks like this package includes the affected code at that's 
the reason of this bug report.

The patch is available here:
http://gitweb.dragonflybsd.org/dragonfly.git/blobdiff/4d133046c59a851141519d03553a70e903b3eefc..2841837793bd095a82f477e9c370cfe6cfb3862c:/lib/libc/regex/regcomp.c

Please, can you confirm if the binary packages are affected? Are stable and 
testing affected?

More information, here:
http://www.kb.cert.org/vuls/id/695940
https://guidovranken.wordpress.com/2015/02/04/full-disclosure-heap-overflow-in-h-spencers-regex-library-on-32-bit-systems/

A CVE id has been requested already and the report will be updated with it 
eventually.

Cheers, luciano

Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#778404; Package ptlib. (Mon, 16 Feb 2015 16:27:13 GMT) (full text, mbox, link).

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Mon, 16 Feb 2015 16:27:13 GMT) (full text, mbox, link).

Message #10 received at 778404@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: 778404@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability
Date: Mon, 16 Feb 2015 17:19:03 +0100
severity 778404 minor
thanks

On Sat, Feb 14, 2015 at 03:39:19PM +0100, Luciano Bello wrote:
> Package: ptlib
> Severity: important
> Tags: security patch
> 
> The security team received a report from the CERT Coordination Center that the 
> Henry Spencer regular expressions (regex) library contains a heap overflow 
> vulnerability. It looks like this package includes the affected code at that's 
> the reason of this bug report.

The configure script picks the glibc regex code, so this doesn't affect
the Debian binary packages. 

It would still be useful to report this upstream, so that they update
the local regex code (it could be that the local one is used when
building with a libc other than glibc)

Cheers,
        Moritz

Severity set to 'minor' from 'important' Request was from Moritz Muehlenhoff <jmm@inutil.org> to control@bugs.debian.org. (Mon, 16 Feb 2015 16:27:21 GMT) (full text, mbox, link).

Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#778404; Package ptlib. (Mon, 16 Feb 2015 16:45:13 GMT) (full text, mbox, link).

Acknowledgement sent to Eugen Dedu <eugen.dedu@univ-fcomte.fr>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Mon, 16 Feb 2015 16:45:13 GMT) (full text, mbox, link).

Message #17 received at 778404@bugs.debian.org (full text, mbox, reply):

From: Eugen Dedu <eugen.dedu@univ-fcomte.fr>
To: Moritz Muehlenhoff <jmm@inutil.org>, 778404@bugs.debian.org
Subject: Re: Bug#778404: Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability
Date: Mon, 16 Feb 2015 17:33:42 +0100
On 16/02/15 17:19, Moritz Muehlenhoff wrote:
> severity 778404 minor
> thanks
>
> On Sat, Feb 14, 2015 at 03:39:19PM +0100, Luciano Bello wrote:
>> Package: ptlib
>> Severity: important
>> Tags: security patch
>>
>> The security team received a report from the CERT Coordination Center that the
>> Henry Spencer regular expressions (regex) library contains a heap overflow
>> vulnerability. It looks like this package includes the affected code at that's
>> the reason of this bug report.
>
> The configure script picks the glibc regex code, so this doesn't affect
> the Debian binary packages.

Thank you for the analysis.

> It would still be useful to report this upstream, so that they update
> the local regex code (it could be that the local one is used when
> building with a libc other than glibc)

I will do it, I have commit access.

-- 
Eugen

Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#778404; Package ptlib. (Mon, 23 Feb 2015 13:21:05 GMT) (full text, mbox, link).

Acknowledgement sent to Eugen Dedu <eugen.dedu@univ-fcomte.fr>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Mon, 23 Feb 2015 13:21:05 GMT) (full text, mbox, link).

Message #22 received at 778404@bugs.debian.org (full text, mbox, reply):

From: Eugen Dedu <eugen.dedu@univ-fcomte.fr>
To: Moritz Muehlenhoff <jmm@inutil.org>, 778404@bugs.debian.org, control@bugs.debian.org
Subject: Re: Bug#778404: Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability
Date: Mon, 23 Feb 2015 14:16:25 +0100
tag 778404 fixed-upstream
thanks

On 16/02/15 17:33, Eugen Dedu wrote:
> On 16/02/15 17:19, Moritz Muehlenhoff wrote:
>> severity 778404 minor
>> thanks
>>
>> On Sat, Feb 14, 2015 at 03:39:19PM +0100, Luciano Bello wrote:
>>> Package: ptlib
>>> Severity: important
>>> Tags: security patch
>>>
>>> The security team received a report from the CERT Coordination Center
>>> that the
>>> Henry Spencer regular expressions (regex) library contains a heap
>>> overflow
>>> vulnerability. It looks like this package includes the affected code
>>> at that's
>>> the reason of this bug report.
>>
>> The configure script picks the glibc regex code, so this doesn't affect
>> the Debian binary packages.
>
> Thank you for the analysis.
>
>> It would still be useful to report this upstream, so that they update
>> the local regex code (it could be that the local one is used when
>> building with a libc other than glibc)
>
> I will do it, I have commit access.

I have committed the patch upstream, thank you:

https://sourceforge.net/p/opalvoip/code/33381/
and
https://sourceforge.net/p/opalvoip/code/33382/

Shouldn't we close this bug in debian?

-- 
Eugen

Added tag(s) fixed-upstream. Request was from Eugen Dedu <eugen.dedu@univ-fcomte.fr> to control@bugs.debian.org. (Mon, 23 Feb 2015 13:27:08 GMT) (full text, mbox, link).

Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#778404; Package ptlib. (Tue, 24 Feb 2015 15:51:07 GMT) (full text, mbox, link).

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Tue, 24 Feb 2015 15:51:07 GMT) (full text, mbox, link).

Message #29 received at 778404@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Eugen Dedu <eugen.dedu@univ-fcomte.fr>
Cc: 778404@bugs.debian.org
Subject: Re: Bug#778404: Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability
Date: Tue, 24 Feb 2015 16:42:17 +0100
On Mon, Feb 23, 2015 at 02:16:25PM +0100, Eugen Dedu wrote:
> tag 778404 fixed-upstream
> thanks
> 
> On 16/02/15 17:33, Eugen Dedu wrote:
> >On 16/02/15 17:19, Moritz Muehlenhoff wrote:
> >>severity 778404 minor
> >>thanks
> >>
> >>On Sat, Feb 14, 2015 at 03:39:19PM +0100, Luciano Bello wrote:
> >>>Package: ptlib
> >>>Severity: important
> >>>Tags: security patch
> >>>
> >>>The security team received a report from the CERT Coordination Center
> >>>that the
> >>>Henry Spencer regular expressions (regex) library contains a heap
> >>>overflow
> >>>vulnerability. It looks like this package includes the affected code
> >>>at that's
> >>>the reason of this bug report.
> >>
> >>The configure script picks the glibc regex code, so this doesn't affect
> >>the Debian binary packages.
> >
> >Thank you for the analysis.
> >
> >>It would still be useful to report this upstream, so that they update
> >>the local regex code (it could be that the local one is used when
> >>building with a libc other than glibc)
> >
> >I will do it, I have commit access.
> 
> I have committed the patch upstream, thank you:
> 
> https://sourceforge.net/p/opalvoip/code/33381/
> and
> https://sourceforge.net/p/opalvoip/code/33382/
> 
> Shouldn't we close this bug in debian?

You can either close it rightway and once the new upstream release
with above changes hits unstable.

Cheers,
        Moritz

Reply sent to Eugen Dedu <eugen.dedu@univ-fcomte.fr>:
You have taken responsibility. (Wed, 25 Feb 2015 11:09:26 GMT) (full text, mbox, link).

Notification sent to Luciano Bello <luciano@debian.org>:
Bug acknowledged by developer. (Wed, 25 Feb 2015 11:09:26 GMT) (full text, mbox, link).

Message #34 received at 778404-done@bugs.debian.org (full text, mbox, reply):

From: Eugen Dedu <eugen.dedu@univ-fcomte.fr>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: 778404-done@bugs.debian.org
Subject: Re: Bug#778404: Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability
Date: Wed, 25 Feb 2015 11:58:15 +0100
On 24/02/15 16:42, Moritz Muehlenhoff wrote:
> On Mon, Feb 23, 2015 at 02:16:25PM +0100, Eugen Dedu wrote:
>> tag 778404 fixed-upstream
>> thanks
>>
>> On 16/02/15 17:33, Eugen Dedu wrote:
>>> On 16/02/15 17:19, Moritz Muehlenhoff wrote:
>>>> severity 778404 minor
>>>> thanks
>>>>
>>>> On Sat, Feb 14, 2015 at 03:39:19PM +0100, Luciano Bello wrote:
>>>>> Package: ptlib
>>>>> Severity: important
>>>>> Tags: security patch
>>>>>
>>>>> The security team received a report from the CERT Coordination Center
>>>>> that the
>>>>> Henry Spencer regular expressions (regex) library contains a heap
>>>>> overflow
>>>>> vulnerability. It looks like this package includes the affected code
>>>>> at that's
>>>>> the reason of this bug report.
>>>>
>>>> The configure script picks the glibc regex code, so this doesn't affect
>>>> the Debian binary packages.
>>>
>>> Thank you for the analysis.
>>>
>>>> It would still be useful to report this upstream, so that they update
>>>> the local regex code (it could be that the local one is used when
>>>> building with a libc other than glibc)
>>>
>>> I will do it, I have commit access.
>>
>> I have committed the patch upstream, thank you:
>>
>> https://sourceforge.net/p/opalvoip/code/33381/
>> and
>> https://sourceforge.net/p/opalvoip/code/33382/
>>
>> Shouldn't we close this bug in debian?
>
> You can either close it rightway and once the new upstream release
> with above changes hits unstable.

Closing then.

-- 
Eugen

Changed Bug title to 'ptlib: CVE-2015-2305: Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability' from 'Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 16 Mar 2015 11:57:18 GMT) (full text, mbox, link).

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 14 Apr 2015 07:25:48 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Jul 2 03:46:20 2023; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.