Overview
A regular expressions C library originally written by Henry Spencer is vulnerable to a heap overflow in some circumstances.
Description
CWE-122: Heap-based Buffer Overflow
According to the researcher, the variable len, which holds the length of the regular expression string, is "enlarged to such an extent that, in the process of enlarging (multiplication and addition), causes the 32 bit register/variable to overflow." Because the wrapped value sizes a heap allocation, the buffer ends up smaller than later code assumes, and it may be possible for an attacker to use this overflow to change data in memory.
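To make the arithmetic concrete, here is an added C illustration (not the library's code, nor the researcher's): a 32-bit allocation size derived from a pattern length by multiplication and addition wraps silently, a checked version refuses the same length, and a reallocarray-style allocator (the construct OpenBSD's statement below cites) refuses an overflowing product. The scaling formula, len/2*3 + 2 four-byte entries, and all function names are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>

/* Illustration only, not the library's code. A pattern length is scaled
 * (multiplication) and padded (addition) to size a heap buffer; the
 * formula len/2*3 + 2 entries of 4 bytes each is an assumption. */

/* Unchecked 32-bit arithmetic: wraps silently for large len, so the buffer
 * allocated from the result is far smaller than later code assumes.
 * Constructed example: len 715827882 yields 4 bytes after the wrap. */
uint32_t unchecked_strip_bytes(uint32_t len)
{
    uint32_t entries = len / 2 * 3 + 2;   /* may wrap modulo 2^32 */
    return entries * 4u;                  /* may wrap again */
}

/* Checked version: each step is tested against the 32-bit limit before it
 * runs. Returns 1 and stores the byte count, or 0 if it would overflow. */
int checked_strip_bytes(uint32_t len, uint32_t *out_bytes)
{
    uint32_t half = len / 2;
    if (half > (UINT32_MAX - 2) / 3)      /* half*3 + 2 must fit */
        return 0;
    uint32_t entries = half * 3 + 2;
    if (entries > UINT32_MAX / 4)         /* entries*4 must fit */
        return 0;
    *out_bytes = entries * 4;
    return 1;
}

/* reallocarray-style allocator (the construct OpenBSD's statement cites):
 * refuses nmemb*size products that overflow size_t instead of handing
 * back a truncated buffer. Portable stand-in where reallocarray is absent. */
void *checked_reallocarray(void *ptr, size_t nmemb, size_t size)
{
    if (size != 0 && nmemb > SIZE_MAX / size)
        return NULL;
    return realloc(ptr, nmemb * size);
}

/* 1 if the allocation is refused, 0 if it succeeds (buffer freed again). */
int allocation_refused(size_t nmemb, size_t size)
{
    void *p = checked_reallocarray(NULL, nmemb, size);
    if (p == NULL)
        return 1;
    free(p);
    return 0;
}
```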
Impact
The complete impact of this vulnerability is not yet known. Because the library is embedded in different ways, the impact is likely to vary by vendor. In the worst case, a malicious actor may be able to execute arbitrary code.
Solution
Apply an update from your vendor; see the Vendor Information section below.
Vendor Information
Debian GNU/Linux
Status: Affected
Notified: February 06, 2015; Updated: February 09, 2015; Statement Date: February 07, 2015
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
DragonFly BSD Project
Status: Affected
Notified: February 06, 2015; Updated: February 13, 2015; Statement Date: February 07, 2015
Vendor Statement
"DragonFly is 64-bit only now so the current release is not affected. However, older versions of DragonFly (prior to us going 64-bit only) are vulnerable. Despite the vulnerability I'm not sure I would classify this as a serious problem because it is highly unlikely that programs using the library would allow a 700MB+ pattern string in the first place. Patterns of that size certainly can't be passed on the command line due to OS exec argument buffer limitations.
That said, we will commit a length check to avoid any possible overflow."
Vendor Information
The vendor has patched the issue; the git log is available at the URL below:
Vendor References
FreeBSD Project
Status: Affected
Notified: February 06, 2015; Updated: February 09, 2015; Statement Date: February 06, 2015
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
NetBSD
Status: Affected
Notified: February 06, 2015; Updated: February 09, 2015; Statement Date: February 07, 2015
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Wind River Systems, Inc.
Status: Affected
Notified: February 06, 2015; Updated: February 09, 2015; Statement Date: February 09, 2015
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Check Point Software Technologies
Status: Not Affected
Notified: February 06, 2015; Updated: February 24, 2015; Statement Date: February 24, 2015
Vendor Statement
"Since all regcomp() calls are done with hard coded regular expressions – Check Point does not find our code exploitable by an attacker."
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Fortinet, Inc.
Status: Not Affected
Notified: February 06, 2015; Updated: February 27, 2015; Statement Date: February 27, 2015
Vendor Statement
"Fortinet products are not affected by the Henry Spencer regular expressions (regex) library heap overflow vulnerability."
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Global Technology Associates, Inc.
Status: Not Affected
Notified: February 06, 2015; Updated: February 09, 2015; Statement Date: February 09, 2015
Vendor Statement
"No GTA firewalls running any version of GB-OS are vulnerable to the H. Spencer Regex vulnerability VU#695940."
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Juniper Networks, Inc.
Status: Not Affected
Notified: February 06, 2015; Updated: February 09, 2015; Statement Date: February 07, 2015
Vendor Statement
"As per our analysis of Junos OS, all our regcomp invocations happen with regular expressions hard coded in the source. We do not see any exploitable attack vector where an attacker can input or influence a regular expression."
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
OpenBSD
Status: Not Affected
Notified: February 06, 2015; Updated: February 09, 2015; Statement Date: February 06, 2015
Vendor Statement
"Since May 2014, we use the following int overflow avoiding construct:
regcomp.c: p->strip = reallocarray(NULL, p->ssize, sizeof(sop));
Combined with the previous line, we believe this cannot attain int overflow."
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
The following vendors were notified on February 06, 2015. Their status is Unknown, and no statement has been received from any of them.

Vendor | Status | Notified | Updated |
---|---|---|---|
ACCESS | Unknown | February 06, 2015 | February 06, 2015 |
AT&T | Unknown | February 06, 2015 | February 06, 2015 |
Alcatel-Lucent | Unknown | February 06, 2015 | February 06, 2015 |
Apple | Unknown | February 06, 2015 | February 06, 2015 |
Arch Linux | Unknown | February 06, 2015 | February 06, 2015 |
Avaya, Inc. | Unknown | February 06, 2015 | February 06, 2015 |
Barracuda Networks | Unknown | February 06, 2015 | February 06, 2015 |
Belkin, Inc. | Unknown | February 06, 2015 | February 06, 2015 |
Blue Coat Systems | Unknown | February 06, 2015 | February 06, 2015 |
CA Technologies | Unknown | February 06, 2015 | February 06, 2015 |
CentOS | Unknown | February 06, 2015 | February 06, 2015 |
Cisco Systems, Inc. | Unknown | February 06, 2015 | February 06, 2015 |
D-Link Systems, Inc. | Unknown | February 06, 2015 | February 06, 2015 |
DesktopBSD | Unknown | February 06, 2015 | February 06, 2015 |
Enterasys Networks | Unknown | February 06, 2015 | February 06, 2015 |
Ericsson | Unknown | February 06, 2015 | February 06, 2015 |
Extreme Networks | Unknown | February 06, 2015 | February 06, 2015 |
F5 Networks, Inc. | Unknown | February 06, 2015 | February 06, 2015 |
Fedora Project | Unknown | February 06, 2015 | February 06, 2015 |
Force10 Networks, Inc. | Unknown | February 06, 2015 | February 06, 2015 |
Foundry Networks, Inc. | Unknown | February 06, 2015 | February 06, 2015 |
Gentoo Linux | Unknown | February 06, 2015 | February 06, 2015 |
Google | Unknown | February 06, 2015 | February 06, 2015 |
Hewlett-Packard Company | Unknown | February 06, 2015 | February 06, 2015 |
Hitachi | Unknown | February 06, 2015 | February 06, 2015 |
Huawei Technologies | Unknown | February 06, 2015 | February 06, 2015 |
IBM Corporation | Unknown | February 06, 2015 | February 06, 2015 |
IBM eServer | Unknown | February 06, 2015 | February 06, 2015 |
Infoblox | Unknown | February 06, 2015 | February 06, 2015 |
Intel Corporation | Unknown | February 06, 2015 | February 06, 2015 |
Intoto | Unknown | February 06, 2015 | February 06, 2015 |
Mandriva S. A. | Unknown | February 06, 2015 | February 06, 2015 |
McAfee | Unknown | February 06, 2015 | February 06, 2015 |
Microsoft Corporation | Unknown | February 06, 2015 | February 06, 2015 |
MySQL | Unknown | February 06, 2015 | February 09, 2015 |
Nokia | Unknown | February 06, 2015 | February 06, 2015 |
Novell, Inc. | Unknown | February 06, 2015 | February 06, 2015 |
OmniTI | Unknown | February 06, 2015 | February 06, 2015 |
Openwall GNU/*/Linux | Unknown | February 06, 2015 | February 06, 2015 |
PC-BSD | Unknown | February 06, 2015 | February 06, 2015 |
Palo Alto Networks | Unknown | February 06, 2015 | February 06, 2015 |
Peplink | Unknown | February 06, 2015 | February 06, 2015 |
Process Software | Unknown | February 06, 2015 | February 06, 2015 |
Q1 Labs | Unknown | February 06, 2015 | February 06, 2015 |
QNX Software Systems Inc. | Unknown | February 06, 2015 | February 06, 2015 |
Quagga | Unknown | February 06, 2015 | February 06, 2015 |
Red Hat, Inc. | Unknown | February 06, 2015 | February 06, 2015 |
SUSE Linux | Unknown | February 06, 2015 | February 06, 2015 |
SafeNet | Unknown | February 06, 2015 | February 06, 2015 |
Slackware Linux Inc. | Unknown | February 06, 2015 | February 06, 2015 |
SmoothWall | Unknown | February 06, 2015 | February 06, 2015 |
Snort | Unknown | February 06, 2015 | February 06, 2015 |
Sourcefire | Unknown | February 06, 2015 | February 06, 2015 |
Stonesoft | Unknown | February 06, 2015 | February 06, 2015 |
Symantec | Unknown | February 06, 2015 | February 06, 2015 |
The PHP Group | Unknown | February 06, 2015 | February 06, 2015 |
TippingPoint Technologies Inc. | Unknown | February 06, 2015 | February 06, 2015 |
Turbolinux | Unknown | February 06, 2015 | February 06, 2015 |
Ubuntu | Unknown | February 06, 2015 | February 06, 2015 |
VMware | Unknown | February 06, 2015 | February 06, 2015 |
Vyatta | Unknown | February 06, 2015 | February 06, 2015 |
Watchguard Technologies, Inc. | Unknown | February 06, 2015 | February 06, 2015 |
ZyXEL | Unknown | February 06, 2015 | February 06, 2015 |
eSoft, Inc. | Unknown | February 06, 2015 | February 06, 2015 |
m0n0wall | Unknown | February 06, 2015 | February 06, 2015 |
netfilter | Unknown | February 06, 2015 | February 06, 2015 |
openSUSE project | Unknown | February 06, 2015 | February 06, 2015 |
CVSS Metrics
Group | Score | Vector |
---|---|---|
Base | 4.3 | AV:N/AC:M/Au:N/C:N/I:P/A:N |
Temporal | 3.9 | E:POC/RL:U/RC:C |
Environmental | 2.9 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |
References
Acknowledgements
This vulnerability was reported publicly by Guido Vranken.
This document was written by Garret Wassermann.
Other Information
CVE IDs: None
Date Public: 2015-02-04
Date First Published: 2015-02-13
Date Last Updated: 2015-02-27 13:52 UTC
Document Revision: 29