Debian Bug report logs - #778408
newlib: CVE-2015-2305: Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability

version graph

Package: newlib; Maintainer for newlib is Agustin Henze <tin@debian.org>;

Reported by: Luciano Bello <luciano@debian.org>

Date: Sat, 14 Feb 2015 15:15:01 UTC

Severity: important

Tags: patch, security

Found in version 1.18.0-6.2

Fixed in version 2.0.0-1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, Agustin Henze <tin@debian.org>:
Bug#778408; Package newlib. (Sat, 14 Feb 2015 15:15:07 GMT) (full text, mbox, link).

Acknowledgement sent to Luciano Bello <luciano@debian.org>:
New Bug report received and forwarded. Copy sent to Agustin Henze <tin@debian.org>. (Sat, 14 Feb 2015 15:15:07 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Luciano Bello <luciano@debian.org>
To: submit@bugs.debian.org
Subject: Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability
Date: Sat, 14 Feb 2015 15:34:50 +0100
Package: newlib
Severity: important
Tags: security patch

The security team received a report from the CERT Coordination Center that the 
Henry Spencer regular expressions (regex) library contains a heap overflow 
vulnerability. It looks like this package includes the affected code at that's 
the reason of this bug report.

The patch is available here:
http://gitweb.dragonflybsd.org/dragonfly.git/blobdiff/4d133046c59a851141519d03553a70e903b3eefc..2841837793bd095a82f477e9c370cfe6cfb3862c:/lib/libc/regex/regcomp.c

Please, can you confirm if the binary packages are affected? Are stable and 
testing affected?

More information, here:
http://www.kb.cert.org/vuls/id/695940
https://guidovranken.wordpress.com/2015/02/04/full-disclosure-heap-overflow-in-h-spencers-regex-library-on-32-bit-systems/

A CVE id has been requested already and the report will be updated with it 
eventually.

Cheers, luciano

Information forwarded to debian-bugs-dist@lists.debian.org, Agustin Henze <tin@debian.org>:
Bug#778408; Package newlib. (Fri, 27 Feb 2015 11:48:04 GMT) (full text, mbox, link).

Acknowledgement sent to Agustin Henze <tin@sluc.org.ar>:
Extra info received and forwarded to list. Copy sent to Agustin Henze <tin@debian.org>. (Fri, 27 Feb 2015 11:48:04 GMT) (full text, mbox, link).

Message #10 received at 778408@bugs.debian.org (full text, mbox, reply):

From: Agustin Henze <tin@sluc.org.ar>
To: Luciano Bello <luciano@debian.org>, 778408@bugs.debian.org
Subject: Re: Bug#778408: Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability
Date: Fri, 27 Feb 2015 08:45:59 -0300
[Message part 1 (text/plain, inline)]
Control: found -1 1.18.0-6.2

Hi luciano!

On 02/14/2015 11:34 AM, Luciano Bello wrote:
> Package: newlib
> Severity: important
> Tags: security patch
> 
> The security team received a report from the CERT Coordination Center that the 
> Henry Spencer regular expressions (regex) library contains a heap overflow 
> vulnerability. It looks like this package includes the affected code at that's 
> the reason of this bug report.
> 
> The patch is available here:
> http://gitweb.dragonflybsd.org/dragonfly.git/blobdiff/4d133046c59a851141519d03553a70e903b3eefc..2841837793bd095a82f477e9c370cfe6cfb3862c:/lib/libc/regex/regcomp.c
> 
> Please, can you confirm if the binary packages are affected? Are stable and 
> testing affected?

I confirm that stable is the only affected. That's because when I adopted this
package I removed libnewlib0 (binary built for i386 architecture) and newlib
only has regex implementation for posix. Right now on testing and unstable the
binaries built are only for arm architectures so we are ok here.

Also I have checked reverse dependencies and there is no any I remember now
that removing these binaries was too easy. I c&p dak's output below.
About the patch, I tried apply it on the version affected and it applied
smoothly and also built ok. I just modified (attached) the path to regcomp.c,
seems the exactly same implementation.
This is my first security bug so be patient with me :). How do we follow from here?


dak's output
============================================================
$ ssh mirror.ftp-master.debian.org "dak rm -s stable -Rnb libnewlib0"


Will remove the following packages from stable:





libnewlib0 | 1.18.0-6.2 | i386





Maintainer: Arthur Loiret <aloiret@debian.org>





------------------- Reason -------------------





----------------------------------------------





Checking reverse dependencies...


# Broken Depends:


newlib: libnewlib-dev [i386]





Dependency problem found.





$ ssh mirror.ftp-master.debian.org "dak rm -s stable -Rnb libnewlib-dev"


Will remove the following packages from stable:





libnewlib-dev | 1.18.0-6.2 | i386, powerpc





Maintainer: Arthur Loiret <aloiret@debian.org>





------------------- Reason -------------------





----------------------------------------------





Checking reverse dependencies...
No dependency problem found.
============================================================

Cheers,

-- 
TiN

[66_regcomp_security_fix.patch (text/x-patch, attachment)]

Marked as found in versions 1.18.0-6.2. Request was from Agustin Henze <tin@sluc.org.ar> to 778408-submit@bugs.debian.org. (Fri, 27 Feb 2015 11:48:04 GMT) (full text, mbox, link).

Changed Bug title to 'newlib: CVE-2015-2305: Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability' from 'Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 16 Mar 2015 11:57:12 GMT) (full text, mbox, link).

Marked as fixed in versions 2.0.0-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 26 Feb 2022 10:15:03 GMT) (full text, mbox, link).

Marked Bug as done Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 26 Feb 2022 10:15:03 GMT) (full text, mbox, link).

Notification sent to Luciano Bello <luciano@debian.org>:
Bug acknowledged by developer. (Sat, 26 Feb 2022 10:15:04 GMT) (full text, mbox, link).

Message sent on to Luciano Bello <luciano@debian.org>:
Bug#778408. (Sat, 26 Feb 2022 10:15:06 GMT) (full text, mbox, link).

Message #23 received at 778408-submitter@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: control@bugs.debian.org
Cc: 778408-submitter@bugs.debian.org
Subject: closing 778408
Date: Sat, 26 Feb 2022 11:11:02 +0100
close 778408 2.0.0-1
thanks

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 27 Mar 2022 07:24:51 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Jul 2 03:46:09 2023; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.