Debian Bug report logs - #778412
nvi: CVE-2015-2305: Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability

version graph

Package: nvi; Maintainer for nvi is Debian QA Group <packages@qa.debian.org>; Source for nvi is src:nvi (PTS, buildd, popcon).

Reported by: Luciano Bello <luciano@debian.org>

Date: Sat, 14 Feb 2015 16:00:01 UTC

Severity: important

Tags: patch, security

Fixed in version nvi/1.81.6-13

Done: Colin Watson <cjwatson@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#778412; Package nvi. (Sat, 14 Feb 2015 16:00:06 GMT) (full text, mbox, link).

Acknowledgement sent to Luciano Bello <luciano@debian.org>:
New Bug report received and forwarded. Copy sent to Debian QA Group <packages@qa.debian.org>. (Sat, 14 Feb 2015 16:00:06 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Luciano Bello <luciano@debian.org>
To: submit@bugs.debian.org
Subject: Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability
Date: Sat, 14 Feb 2015 15:41:21 +0100
Package: nvi
Severity: important
Tags: security patch

The security team received a report from the CERT Coordination Center that the 
Henry Spencer regular expressions (regex) library contains a heap overflow 
vulnerability. It looks like this package includes the affected code at that's 
the reason of this bug report.

The patch is available here:
http://gitweb.dragonflybsd.org/dragonfly.git/blobdiff/4d133046c59a851141519d03553a70e903b3eefc..2841837793bd095a82f477e9c370cfe6cfb3862c:/lib/libc/regex/regcomp.c

Please, can you confirm if the binary packages are affected? Are stable and 
testing affected?

More information, here:
http://www.kb.cert.org/vuls/id/695940
https://guidovranken.wordpress.com/2015/02/04/full-disclosure-heap-overflow-in-h-spencers-regex-library-on-32-bit-systems/

A CVE id has been requested already and the report will be updated with it 
eventually.

Cheers, luciano

Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#778412; Package nvi. (Mon, 16 Feb 2015 18:39:08 GMT) (full text, mbox, link).

Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>. (Mon, 16 Feb 2015 18:39:08 GMT) (full text, mbox, link).

Message #10 received at 778412@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: 778412@bugs.debian.org
Subject: Re: Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability
Date: Mon, 16 Feb 2015 19:37:19 +0100
On Sat, Feb 14, 2015 at 03:41:21PM +0100, Luciano Bello wrote:
> Package: nvi
> Severity: important
> Tags: security patch
> 
> The security team received a report from the CERT Coordination Center that the 
> Henry Spencer regular expressions (regex) library contains a heap overflow 
> vulnerability. It looks like this package includes the affected code at that's 
> the reason of this bug report.
> 
> The patch is available here:
> http://gitweb.dragonflybsd.org/dragonfly.git/blobdiff/4d133046c59a851141519d03553a70e903b3eefc..2841837793bd095a82f477e9c370cfe6cfb3862c:/lib/libc/regex/regcomp.c

Building with "--disable-re" should fix this.

Cheers,
        Moritz

Changed Bug title to 'nvi: CVE-2015-2305: Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability' from 'Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 16 Mar 2015 11:57:21 GMT) (full text, mbox, link).

Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#778412; Package nvi. (Sat, 31 Dec 2016 04:21:03 GMT) (full text, mbox, link).

Acknowledgement sent to Colin Watson <cjwatson@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>. (Sat, 31 Dec 2016 04:21:03 GMT) (full text, mbox, link).

Message #17 received at 778412@bugs.debian.org (full text, mbox, reply):

From: Colin Watson <cjwatson@debian.org>
To: Moritz Mühlenhoff <jmm@inutil.org>, 778412@bugs.debian.org
Subject: Re: Bug#778412: Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability
Date: Sat, 31 Dec 2016 04:18:14 +0000
On Mon, Feb 16, 2015 at 07:37:19PM +0100, Moritz Mühlenhoff wrote:
> On Sat, Feb 14, 2015 at 03:41:21PM +0100, Luciano Bello wrote:
> > The security team received a report from the CERT Coordination Center that the 
> > Henry Spencer regular expressions (regex) library contains a heap overflow 
> > vulnerability. It looks like this package includes the affected code at that's 
> > the reason of this bug report.
> > 
> > The patch is available here:
> > http://gitweb.dragonflybsd.org/dragonfly.git/blobdiff/4d133046c59a851141519d03553a70e903b3eefc..2841837793bd095a82f477e9c370cfe6cfb3862c:/lib/libc/regex/regcomp.c
> 
> Building with "--disable-re" should fix this.

Regrettably not in this case: nvi uses the BSD-specific REG_NOSPEC flag,
so it doesn't build with glibc's regex library.  I'm just applying the
patch instead.

-- 
Colin Watson                                       [cjwatson@debian.org]

Reply sent to Colin Watson <cjwatson@debian.org>:
You have taken responsibility. (Sat, 31 Dec 2016 04:36:03 GMT) (full text, mbox, link).

Notification sent to Luciano Bello <luciano@debian.org>:
Bug acknowledged by developer. (Sat, 31 Dec 2016 04:36:03 GMT) (full text, mbox, link).

Message #22 received at 778412-close@bugs.debian.org (full text, mbox, reply):

From: Colin Watson <cjwatson@debian.org>
To: 778412-close@bugs.debian.org
Subject: Bug#778412: fixed in nvi 1.81.6-13
Date: Sat, 31 Dec 2016 04:33:29 +0000
Source: nvi
Source-Version: 1.81.6-13

We believe that the bug you reported is fixed in the latest version of
nvi, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 778412@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated nvi package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 31 Dec 2016 04:10:57 +0000
Source: nvi
Binary: nvi nvi-doc
Architecture: source
Version: 1.81.6-13
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description:
 nvi        - 4.4BSD re-implementation of vi
 nvi-doc    - 4.4BSD re-implementation of vi - documentation files
Closes: 778412 794030
Changes:
 nvi (1.81.6-13) unstable; urgency=medium
 .
   * QA upload.
   * Build with all hardening options.
   * CVE-2015-2305: Apply heap overflow patch from Dragonfly BSD (closes:
     #778412).
   * Fix cross-build failure: pass --build and --host to configure (thanks,
     Helmut Grohne; closes: #794030).
Checksums-Sha1:
 5d34e13fc05d0faa6da9b8556feeac60bdcac7b0 1873 nvi_1.81.6-13.dsc
 cb451c0a77405ddfa20b978a89d9ad96fd6afcf8 76868 nvi_1.81.6-13.debian.tar.xz
Checksums-Sha256:
 4e2689c394c86ec41274e178d238eafeadefe444cf1f7156c0b7303889cc560d 1873 nvi_1.81.6-13.dsc
 306c6059d386a161b9884535f0243134c8c9b5b15648e09e595fd1b349a7b9e1 76868 nvi_1.81.6-13.debian.tar.xz
Files:
 0f41f56e918e69b79cc0d7d5b9b1e2f6 1873 editors optional nvi_1.81.6-13.dsc
 9c37ab5b5bd5470faab6edf0fe104fed 76868 editors optional nvi_1.81.6-13.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Comment: Colin Watson <cjwatson@debian.org> -- Debian developer

iQIzBAEBCAAdFiEErApP8SYRtvzPAcEROTWH2X2GUAsFAlhnMSYACgkQOTWH2X2G
UAvyuhAAjZQy2UshRN8Zy3Fh8yjbPRZVOTstgyxcfiryocMf2V17XVdLwJmVMn3T
dWTR3Shu7j3jr8OjXz13t1RgUKkZMvd5tkF2CUzYRY4heMs/wUvNo+hEmmAMaEVc
mUzZm7LeHdOtnkAFdSt9eEESdHiubdHXotjIQUgJMvNRK7SLXhLdVEdQCbeQzAbO
r+S9GdVaPR5axhJ4SDidIIK7J63Vp6BeKbCY/IgOjf7nPJyiWwA9SaUewNJWLDU7
O155U6G2aGhQ0aeFvrBZfMzlS5NNGGPsC+XyLnTwHw/SW2eHS+ScpnekoQWtfhSj
tftZOYL6HhuNypIKoQSA4Tft0VLZUJ4Ql6XUO4MsrjRTIhCI84VnOLRPfSvaE6ER
l+HScTSi2X3CHdCwzyqA2R+8tj0WyNgC0Xi8uQm31L0noFcCQWDnw55Sch5eb2K8
BxPoGduKkp/0z6brrLC2kFDKAubnDRYsu1ISXnFY8T7ivZOgNlhLY8/s01puKVmZ
mcpscyzPodcJre3GeFMSqowPn+0q5MYjPiCB9ITZMxOVewhTpQz3n66PZRn/H/mX
Tijn5j3MKOCpbvNmB0hUjG4+ZD8Ltmq0adRT3byUIW5ON0qjkiLJURDUjPitSQSd
55OuaF3ROKLk3gR4MsYCWPsPypCqRta9tQUZ9EAzZl8gyQpZMt0=
=wi+N
-----END PGP SIGNATURE-----

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 07 Feb 2017 07:26:35 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Jul 2 03:45:47 2023; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.