Debian Bug report logs - #778409
vigor: CVE-2015-2305: Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability


Package: vigor; Maintainer for vigor is Colin Watson <cjwatson@debian.org>; Source for vigor is src:vigor (PTS, buildd, popcon).

Reported by: Luciano Bello <luciano@debian.org>

Date: Sat, 14 Feb 2015 15:21:02 UTC

Severity: important

Tags: patch, security

Fixed in versions vigor/0.016-24, vigor/0.016-19+deb7u1

Done: Colin Watson <cjwatson@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Colin Watson <cjwatson@debian.org>:
Bug#778409; Package vigor. (Sat, 14 Feb 2015 15:21:06 GMT)


Acknowledgement sent to Luciano Bello <luciano@debian.org>:
New Bug report received and forwarded. Copy sent to Colin Watson <cjwatson@debian.org>. (Sat, 14 Feb 2015 15:21:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Luciano Bello <luciano@debian.org>
To: submit@bugs.debian.org
Subject: Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability
Date: Sat, 14 Feb 2015 15:40:31 +0100
Package: vigor
Severity: important
Tags: security patch

The security team received a report from the CERT Coordination Center that the 
Henry Spencer regular expressions (regex) library contains a heap overflow 
vulnerability. It looks like this package includes the affected code and that's 
the reason for this bug report.

The patch is available here:
http://gitweb.dragonflybsd.org/dragonfly.git/blobdiff/4d133046c59a851141519d03553a70e903b3eefc..2841837793bd095a82f477e9c370cfe6cfb3862c:/lib/libc/regex/regcomp.c

Please, can you confirm if the binary packages are affected? Are stable and 
testing affected?

More information, here:
http://www.kb.cert.org/vuls/id/695940
https://guidovranken.wordpress.com/2015/02/04/full-disclosure-heap-overflow-in-h-spencers-regex-library-on-32-bit-systems/

A CVE id has been requested already and the report will be updated with it 
eventually.

Cheers, luciano
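The arithmetic behind the reported overflow, as an added illustration that is not part of this bug log, of vigor/nvi, or of the DragonFly patch linked above. It models the opcode-strip sizing step of a Spencer-style regcomp(): the strip is sized as `len / 2 * 3 + 1` entries and allocated as that count times `sizeof(sop)`. That formula, and treating `sop` as a 32-bit word, are my reading of the library rather than anything this report states; `size_t` is modelled as `uint32_t` so the 32-bit wraparound described in the disclosure reproduces on any host, and the `REG_OK`/`REG_ESPACE` constants, function names and the sample pattern length are the example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Illustrative model (not the library's or the patch's code) of how a
 * Spencer-style regcomp() sizes its opcode strip: len/2*3+1 opcodes,
 * allocated as ssize * sizeof(sop).  size32_t stands in for a 32-bit
 * size_t and sop for a 32-bit opcode word, so the wraparound that only
 * bites on 32-bit platforms is reproducible on 64-bit hosts too.
 */
typedef uint32_t sop;
typedef uint32_t size32_t;

#define REG_OK     0    /* example constants, not <regex.h>'s values */
#define REG_ESPACE 12

/* Vulnerable sizing: len is unbounded, so ssize * sizeof(sop) can wrap. */
static size32_t strip_bytes_unchecked(size32_t len)
{
    size32_t ssize = len / 2 * 3 + 1;       /* opcodes needed for the pattern */
    return ssize * (size32_t)sizeof(sop);   /* wraps once ssize exceeds 2^30 */
}

/* Hardened sizing: refuse any pattern whose strip size is not representable. */
static int strip_bytes_checked(size32_t len, size32_t *bytes)
{
    /* Largest len for which (len/2*3 + 1) * sizeof(sop) still fits in 32 bits. */
    size32_t maxlen = (UINT32_MAX / (size32_t)sizeof(sop) - 1) / 3 * 2;
    if (len >= maxlen)
        return REG_ESPACE;                  /* treat it like an allocation failure */
    *bytes = (len / 2 * 3 + 1) * (size32_t)sizeof(sop);
    return REG_OK;
}

/* A constructed pattern length (~683 MiB) whose strip size wraps to 12 bytes. */
#define WRAPPING_LEN 715827884u

int main(void)
{
    size32_t bytes = 0;

    printf("len=%u unchecked malloc size: %u bytes\n",
           WRAPPING_LEN, strip_bytes_unchecked(WRAPPING_LEN));
    printf("len=%u checked: %s\n", WRAPPING_LEN,
           strip_bytes_checked(WRAPPING_LEN, &bytes) == REG_ESPACE ? "REG_ESPACE" : "ok");

    strip_bytes_checked(100u, &bytes);
    printf("len=100 checked: %u bytes\n", bytes);
    return 0;
}
```

In the model, the unchecked path hands `malloc()` 12 bytes for the ~683 MiB pattern while `ssize` itself still reads as just over 2^30 entries, so any emitter that bounds its writes by `ssize` rather than by the allocation trusts a limit that is far past the end of the buffer; the checked path rejects the pattern before allocating. The exact bound the upstream fix chose is in the DragonFly diff linked in the report.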



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#778409; Package vigor. (Sat, 14 Feb 2015 22:12:05 GMT)


Acknowledgement sent to Colin Watson <cjwatson@debian.org>:
Extra info received and forwarded to list. (Sat, 14 Feb 2015 22:12:05 GMT)


Message #10 received at 778409@bugs.debian.org:

From: Colin Watson <cjwatson@debian.org>
To: Luciano Bello <luciano@debian.org>, 778409@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#778409: Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability
Date: Sat, 14 Feb 2015 22:09:09 +0000
On Sat, Feb 14, 2015 at 03:40:31PM +0100, Luciano Bello wrote:
> The security team received a report from the CERT Coordination Center that the 
> Henry Spencer regular expressions (regex) library contains a heap overflow 
> vulnerability. It looks like this package includes the affected code and that's 
> the reason for this bug report.
> 
> The patch is available here:
> http://gitweb.dragonflybsd.org/dragonfly.git/blobdiff/4d133046c59a851141519d03553a70e903b3eefc..2841837793bd095a82f477e9c370cfe6cfb3862c:/lib/libc/regex/regcomp.c
> 
> Please, can you confirm if the binary packages are affected? Are stable and 
> testing affected?

Yes to all of these (so CC team@security).  I've uploaded 0.016-24 to
unstable to correct this and will file an unblock request in a moment.
May I upload this patch to wheezy-security?

diff --git a/debian/changelog b/debian/changelog
index 6cf06c7..76576fd 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+vigor (0.016-19+deb7u1) wheezy-security; urgency=high
+
+  * Use libc's regex routines rather than the bundled ones, to avoid needing
+    to apply security patches independently (closes: #778409).
+
+ -- Colin Watson <cjwatson@debian.org>  Sat, 14 Feb 2015 22:06:36 +0000
+
 vigor (0.016-19) unstable; urgency=low
 
   * Drop manual and not-very-useful 'debian/rules configure' target.
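Review bot: the new changelog entry `+vigor (0.016-19+deb7u1) wheezy-security; urgency=high` cites no CVE and describes the change only as a switch to libc's regex; since the report says a CVE id has been requested, add it to the entry once assigned (the bug was later retitled with CVE-2015-2305) so the security tracker and users can match the upload to the issue. The suite and urgency in this header also depend on the security team's answer to the DSA question asked above; the version eventually uploaded went to `stable` with `urgency=medium` via a point update, so the header would need changing if this patch is reused as-is.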
diff --git a/debian/rules b/debian/rules
index 28c3dda..eb30d7f 100755
--- a/debian/rules
+++ b/debian/rules
@@ -6,7 +6,7 @@ export DEB_CPPFLAGS_MAINT_APPEND := -I/usr/include/tcl8.5
 	dh $@ --sourcedirectory=build
 
 override_dh_auto_configure:
-	dh_auto_configure -- --with-x --enable-db --enable-re
+	dh_auto_configure -- --with-x --enable-db
 
 override_dh_clean:
 	# This is in the upstream tarball, so shouldn't be removed.
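Review bot: removing `--enable-re` from the `dh_auto_configure` line stops compiling the bundled Spencer regex but leaves the vulnerable regcomp.c in the upstream tarball, so the fix rests entirely on this one configure flag; it is worth confirming in the build log that nothing from the bundled regex directory is compiled, and on the built binary that `regcomp`/`regexec` appear as undefined symbols resolved from libc (e.g. via `nm -D` or `objdump -T`) rather than as symbols defined in vigor itself. Since libc's regex is a different implementation, a smoke test of vigor's search and substitute commands (basic vs extended syntax, multibyte text) before upload would catch behavioural differences the configure change alone does not reveal.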

Thanks,

-- 
Colin Watson                                       [cjwatson@debian.org]



Reply sent to Colin Watson <cjwatson@debian.org>:
You have taken responsibility. (Sat, 14 Feb 2015 22:21:15 GMT)


Notification sent to Luciano Bello <luciano@debian.org>:
Bug acknowledged by developer. (Sat, 14 Feb 2015 22:21:15 GMT)


Message #15 received at 778409-close@bugs.debian.org:

From: Colin Watson <cjwatson@debian.org>
To: 778409-close@bugs.debian.org
Subject: Bug#778409: fixed in vigor 0.016-24
Date: Sat, 14 Feb 2015 22:18:30 +0000
Source: vigor
Source-Version: 0.016-24

We believe that the bug you reported is fixed in the latest version of
vigor, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 778409@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated vigor package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 14 Feb 2015 21:17:07 +0000
Source: vigor
Binary: vigor
Architecture: source
Version: 0.016-24
Distribution: unstable
Urgency: medium
Maintainer: Colin Watson <cjwatson@debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description:
 vigor      - nvi with the evil paperclip
Closes: 778409
Changes:
 vigor (0.016-24) unstable; urgency=medium
 .
   * Update Vcs-Browser URL for alioth cgit.
   * Use libc's regex routines rather than the bundled ones, to avoid needing
     to apply security patches independently (closes: #778409).
Checksums-Sha1:
 e4799582b85e9e48152695faa1d3329d21f078f8 1973 vigor_0.016-24.dsc
 9e98e3edd11098156589ed2df562169131d96b82 27828 vigor_0.016-24.debian.tar.xz
Checksums-Sha256:
 19d0e282645c2dfdc2449a68ce646dad8f9c40ce1cdf8d31af7e8308fa03e463 1973 vigor_0.016-24.dsc
 6d34bb78074cd2578859afc90634bcfb4514ce72561394fe62a6b536d714f284 27828 vigor_0.016-24.debian.tar.xz
Files:
 7458e39bc017875d7c67bda54af676e6 1973 editors extra vigor_0.016-24.dsc
 880afe1db94a5fd599bb7501c801591b 27828 editors extra vigor_0.016-24.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Colin Watson <cjwatson@debian.org> -- Debian developer
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Colin Watson <cjwatson@debian.org>:
Bug#778409; Package vigor. (Sun, 15 Feb 2015 11:45:14 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Colin Watson <cjwatson@debian.org>. (Sun, 15 Feb 2015 11:45:14 GMT)


Message #20 received at 778409@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Colin Watson <cjwatson@debian.org>
Cc: 778409@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#778409: Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability
Date: Sun, 15 Feb 2015 12:41:28 +0100
On Sat, Feb 14, 2015 at 10:09:09PM +0000, Colin Watson wrote:
> On Sat, Feb 14, 2015 at 03:40:31PM +0100, Luciano Bello wrote:
> > The security team received a report from the CERT Coordination Center that the 
> > Henry Spencer regular expressions (regex) library contains a heap overflow 
> > vulnerability. It looks like this package includes the affected code and that's 
> > the reason for this bug report.
> > 
> > The patch is available here:
> > http://gitweb.dragonflybsd.org/dragonfly.git/blobdiff/4d133046c59a851141519d03553a70e903b3eefc..2841837793bd095a82f477e9c370cfe6cfb3862c:/lib/libc/regex/regcomp.c
> > 
> > Please, can you confirm if the binary packages are affected? Are stable and 
> > testing affected?
> 
> Yes to all of these (so CC team@security).  I've uploaded 0.016-24 to
> unstable to correct this and will file an unblock request in a moment.
> May I upload this patch to wheezy-security?

Hi Colin,
the security impact on vigor doesn't warrant a DSA. Could you fix this
through a stable point update instead?

Cheers,
        Moritz



Reply sent to Colin Watson <cjwatson@debian.org>:
You have taken responsibility. (Sat, 21 Feb 2015 22:36:16 GMT)


Notification sent to Luciano Bello <luciano@debian.org>:
Bug acknowledged by developer. (Sat, 21 Feb 2015 22:36:16 GMT)


Message #25 received at 778409-close@bugs.debian.org:

From: Colin Watson <cjwatson@debian.org>
To: 778409-close@bugs.debian.org
Subject: Bug#778409: fixed in vigor 0.016-19+deb7u1
Date: Sat, 21 Feb 2015 22:32:05 +0000
Source: vigor
Source-Version: 0.016-19+deb7u1

We believe that the bug you reported is fixed in the latest version of
vigor, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 778409@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated vigor package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 21 Feb 2015 15:21:54 +0000
Source: vigor
Binary: vigor
Architecture: source amd64
Version: 0.016-19+deb7u1
Distribution: stable
Urgency: medium
Maintainer: Colin Watson <cjwatson@debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description: 
 vigor      - nvi with the evil paperclip
Closes: 778409
Changes: 
 vigor (0.016-19+deb7u1) stable; urgency=medium
 .
   * Use libc's regex routines rather than the bundled ones, to avoid needing
     to apply security patches independently (closes: #778409).
Checksums-Sha1: 
 416ea6863a06984742c6b51ce0774537f18e2372 1863 vigor_0.016-19+deb7u1.dsc
 d3618ef9c46839229975c085470d16c17552cf95 51701 vigor_0.016-19+deb7u1.debian.tar.gz
 d0a107b433cd182cd5818b0ce86c43da9b33fdda 278116 vigor_0.016-19+deb7u1_amd64.deb
Checksums-Sha256: 
 5b22e4b03790c3754992d1f25b45388b5e819ac8d7b860fdf6b1202ac2763492 1863 vigor_0.016-19+deb7u1.dsc
 63baf92fc92ba26689b7eb5501156a2decbf0402e4389dac9511b25ec08ecc2a 51701 vigor_0.016-19+deb7u1.debian.tar.gz
 c2deb65c54ba44a8e43f867b45af47c4c39bdc0f1d4991cac321c12d4c5529f4 278116 vigor_0.016-19+deb7u1_amd64.deb
Files: 
 855f73b764899729bb6dce9b1bd2cf8a 1863 editors extra vigor_0.016-19+deb7u1.dsc
 4b9a896f3bb8622dcd8592c3491fb2c6 51701 editors extra vigor_0.016-19+deb7u1.debian.tar.gz
 9ace6841eba824ff29fd4f22603e34a5 278116 editors extra vigor_0.016-19+deb7u1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Colin Watson <cjwatson@debian.org> -- Debian developer

iQIVAwUBVOij/zk1h9l9hlALAQgeYA//eujgo70K1SAD05IktrMSJc4dfnCqeT9g
7eNXMC5Vqc5F+eHnnjIX43hIFlw1Xngm+3gq5r2xC3YgdVbcdgKkg236F8aXf7Ma
vnc/rg1Z8aY4gayQXC3twW3Z18agz83VoFHTHNkgdLByru1fXAJAiR05bq4bXNpH
cU+3JgSrY6CWpTsTWVvZTFCiqeXTiIsySj31ds5nYW+y/RBe1vwmPmwjYd/53Q5g
EGCWHNO6A50wk3sHD+X1Lku/aL1/V2bF891+FB09r0TZ+TpIRJtbXmUKJ7jtOo2r
YsQoiQ1pUyxnrEbFB+jeGJjJFxHrNX1oo9jSQHGTS5KWknzF3Qkf0czVlBuU1laY
nEF7fhTAR/JY+0YlpKF1StsgxhFCA92vXdD8FT6klYSRcnWBEFnzGLzLV4BhmPVL
aK+ObBq8VfkSqvOmENNYk/5Y7NmHratFz5HvGcRpKCqhUn6RfuTV19AU5uMWE0Ph
qfO4xY9X5NP8sEqYtNm3wrcODYFezRJ+gHFLLxoDcPcD7sUWyijEu21GO53Oztcv
wd6opQlUgJOz51oLjBCx+r73RA4jlt2CweXbsS7piWEiKcXu9WK4xXsV9U02vvyl
VnFzYhN+yauWZuSIdKC4d+V5zJ91OrzRs43l61pwMgjb/cy28QLqJP/sa62MQjEm
iDC9GypUTog=
=BzvS
-----END PGP SIGNATURE-----




Changed Bug title to 'vigor: CVE-2015-2305: Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability' from 'Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 16 Mar 2015 11:57:20 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 14 Apr 2015 07:26:24 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Jul 2 03:46:05 2023; Machine Name: buxtehude
