
CERT Coordination Center

Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability

Vulnerability Note VU#695940

Original Release Date: 2015-02-13 | Last Revised: 2015-02-27

Overview

A regular expressions C library originally written by Henry Spencer is vulnerable to a heap overflow in some circumstances.

Description

CWE-122: Heap-based Buffer Overflow

According to the researcher, the variable len, which holds the length of a regular expression string, is "enlarged to such an extent that, in the process of enlarging (multiplication and addition), causes the 32 bit register/variable to overflow." An attacker may be able to use this overflow to change data in memory.

More details are given on the researcher's blog.

The nature of the overflow suggests that only 32-bit operating systems are affected; it is highly unlikely that 64-bit operating systems would allow such an overflow.
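The following C program is an added illustration and is not code from the Henry Spencer library or from any vendor listed in this note. It models the arithmetic the description refers to: a 32-bit length that is multiplied and then added to wraps to a small value, which is placed beside an overflow-checked version of the same computation and an allocation helper that refuses the request, in the spirit of the reallocarray() construct that OpenBSD cites in its statement below. The names STRIP_FACTOR, STRIP_SLOP, unchecked_size32, checked_size32 and alloc_strip, and the multiplier and addend values, are assumptions chosen for illustration, not the library's own. uint32_t is used so that the wrap is reproduced on any host, which also shows why the note expects 64-bit builds, where such sizes are normally held in 64-bit variables, to be unaffected.

```c
/*
 * Added example (not code from the Henry Spencer regex library or any
 * vendor): a 32-bit size computation of the form "len * factor + slop"
 * wraps to a small value, while an overflow-checked version refuses the
 * input instead of under-sizing a heap buffer. Names and constants are
 * illustrative assumptions.
 */
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define STRIP_FACTOR 3u   /* assumed per-character expansion factor */
#define STRIP_SLOP   2u   /* assumed fixed number of extra slots */

/* Unchecked computation done entirely in a 32-bit variable: the
 * multiplication and addition wrap modulo 2^32 for large 'len'. */
uint32_t unchecked_size32(uint32_t len)
{
    return len * STRIP_FACTOR + STRIP_SLOP;
}

/* Overflow-checked computation: returns 1 and stores the result when
 * len * STRIP_FACTOR + STRIP_SLOP fits in 32 bits, otherwise returns 0
 * without touching *out. The bound is derived so that no intermediate
 * step can exceed UINT32_MAX. */
int checked_size32(uint32_t len, uint32_t *out)
{
    if (len > (UINT32_MAX - STRIP_SLOP) / STRIP_FACTOR)
        return 0;
    *out = len * STRIP_FACTOR + STRIP_SLOP;
    return 1;
}

/* Allocation helper in the spirit of reallocarray(): the slot count is
 * range-checked first, then the slot-count * element-size product is
 * checked against SIZE_MAX, so the caller never receives a buffer that
 * is smaller than the data that will be written into it. */
void *alloc_strip(uint32_t len, size_t elem_size)
{
    uint32_t slots;

    if (!checked_size32(len, &slots))
        return NULL;
    if (elem_size != 0 && slots > SIZE_MAX / elem_size)
        return NULL;
    return malloc((size_t)slots * elem_size);
}

int main(void)
{
    /* Constructed input: a pattern length large enough that
     * len * 3 + 2 exceeds 2^32 (about 1.5e9 characters). */
    uint32_t big = 1500000000u;
    uint32_t out;
    void *p;

    printf("unchecked size: %" PRIu32 "\n", unchecked_size32(big));
    printf("checked size:   %s\n",
           checked_size32(big, &out) ? "ok" : "rejected");
    p = alloc_strip(big, sizeof(uint32_t));
    printf("allocation:     %s\n", p ? "allocated" : "refused");
    free(p);
    return 0;
}
```

With the constructed length of 1,500,000,000 characters the unchecked expression wraps to 205032706, far below the roughly 4.5 billion slots actually needed, whereas the checked variant rejects the request outright. A bound applied where the length is consumed does not depend on how the pattern reached the library, which is the point of the length check DragonFly describes committing: the command-line argument limit mentioned in its statement protects one interface, while the check protects every caller of the compile routine.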

Impact

The complete impact of this vulnerability is not yet known. Since the library is utilized in different ways, the impact is likely to vary depending on the vendor. In the worst case, a malicious actor may be able to execute arbitrary code.

Solution

Apply an update

Check with your vendor to see if an update is available to address this vulnerability. See the Vendor List below for more information.

Vendor Information


Debian GNU/Linux

Notified:  February 06, 2015 Updated:  February 09, 2015

Statement Date:   February 07, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

DragonFly BSD Project

Notified:  February 06, 2015 Updated:  February 13, 2015

Statement Date:   February 07, 2015

Status

  Affected

Vendor Statement

"DragonFly is 64-bit only now so the current release is not
affected.  However, older versions of DragonFly (prior to us going 64-bit only)
are vulnerable.  Despite the vulnerability I'm not sure I would classify this
as a serious problem because it is highly unlikely that programs using the
library would allow a 700MB+ pattern string in the first place.  Patterns of
that size certainly can't be passed on the command line due to OS exec argument
buffer limitations.

That said, we will commit a length check to avoid any possible overflow.
"

Vendor Information

The vendor has patched the issue; the git log is available at the URL below:

Vendor References

FreeBSD Project

Notified:  February 06, 2015 Updated:  February 09, 2015

Statement Date:   February 06, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

NetBSD

Notified:  February 06, 2015 Updated:  February 09, 2015

Statement Date:   February 07, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Wind River Systems, Inc.

Notified:  February 06, 2015 Updated:  February 09, 2015

Statement Date:   February 09, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Check Point Software Technologies

Notified:  February 06, 2015 Updated:  February 24, 2015

Statement Date:   February 24, 2015

Status

  Not Affected

Vendor Statement

"Since all regcomp() calls are done with hard coded regular expressions – Check Point does not find our code exploitable by an attacker."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Fortinet, Inc.

Notified:  February 06, 2015 Updated:  February 27, 2015

Statement Date:   February 27, 2015

Status

  Not Affected

Vendor Statement

"Fortinet products are not affected by the Henry Spencer regular expressions (regex) library heap overflow vulnerability."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Global Technology Associates, Inc.

Notified:  February 06, 2015 Updated:  February 09, 2015

Statement Date:   February 09, 2015

Status

  Not Affected

Vendor Statement

"No GTA firewalls running any version of GB-OS are vulnerable to the H. Spencer Regex vulnerability VU#695940."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Juniper Networks, Inc.

Notified:  February 06, 2015 Updated:  February 09, 2015

Statement Date:   February 07, 2015

Status

  Not Affected

Vendor Statement

"As per our analysis of Junos OS, all our regcomp invocations happen
with regular expressions hard coded in the source. We do not see any
exploitable attack vector where an attacker can input or influence a
regular expression.
"

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

OpenBSD

Notified:  February 06, 2015 Updated:  February 09, 2015

Statement Date:   February 06, 2015

Status

  Not Affected

Vendor Statement

"Since May 2014, we use the following int overflow avoiding construct:

regcomp.c:      p->strip = reallocarray(NULL, p->ssize, sizeof(sop));

Combined with the previous line, we believe this cannot attain int overflow.
"

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

ACCESS

Notified:  February 06, 2015 Updated:  February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

    AT&T

    Notified:  February 06, 2015 Updated:  February 06, 2015

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor References

      Alcatel-Lucent

      Notified:  February 06, 2015 Updated:  February 06, 2015

      Status

        Unknown

      Vendor Statement

      No statement is currently available from the vendor regarding this vulnerability.

      Vendor References

        Apple

        Notified:  February 06, 2015 Updated:  February 06, 2015

        Status

          Unknown

        Vendor Statement

        No statement is currently available from the vendor regarding this vulnerability.

        Vendor References

          Arch Linux

          Notified:  February 06, 2015 Updated:  February 06, 2015

          Status

            Unknown

          Vendor Statement

          No statement is currently available from the vendor regarding this vulnerability.

          Vendor References

            Avaya, Inc.

            Notified:  February 06, 2015 Updated:  February 06, 2015

            Status

              Unknown

            Vendor Statement

            No statement is currently available from the vendor regarding this vulnerability.

            Vendor References

              Barracuda Networks

              Notified:  February 06, 2015 Updated:  February 06, 2015

              Status

                Unknown

              Vendor Statement

              No statement is currently available from the vendor regarding this vulnerability.

              Vendor References

                Belkin, Inc.

                Notified:  February 06, 2015 Updated:  February 06, 2015

                Status

                  Unknown

                Vendor Statement

                No statement is currently available from the vendor regarding this vulnerability.

                Vendor References

                  Blue Coat Systems

                  Notified:  February 06, 2015 Updated:  February 06, 2015

                  Status

                    Unknown

                  Vendor Statement

                  No statement is currently available from the vendor regarding this vulnerability.

                  Vendor References

                    CA Technologies

                    Notified:  February 06, 2015 Updated:  February 06, 2015

                    Status

                      Unknown

                    Vendor Statement

                    No statement is currently available from the vendor regarding this vulnerability.

                    Vendor References

                      CentOS

                      Notified:  February 06, 2015 Updated:  February 06, 2015

                      Status

                        Unknown

                      Vendor Statement

                      No statement is currently available from the vendor regarding this vulnerability.

                      Vendor References

                        Cisco Systems, Inc.

                        Notified:  February 06, 2015 Updated:  February 06, 2015

                        Status

                          Unknown

                        Vendor Statement

                        No statement is currently available from the vendor regarding this vulnerability.

                        Vendor References

                          D-Link Systems, Inc.

                          Notified:  February 06, 2015 Updated:  February 06, 2015

                          Status

                            Unknown

                          Vendor Statement

                          No statement is currently available from the vendor regarding this vulnerability.

                          Vendor References

                            DesktopBSD

                            Notified:  February 06, 2015 Updated:  February 06, 2015

                            Status

                              Unknown

                            Vendor Statement

                            No statement is currently available from the vendor regarding this vulnerability.

                            Vendor References

                              Enterasys Networks

                              Notified:  February 06, 2015 Updated:  February 06, 2015

                              Status

                                Unknown

                              Vendor Statement

                              No statement is currently available from the vendor regarding this vulnerability.

                              Vendor References

                                Ericsson

                                Notified:  February 06, 2015 Updated:  February 06, 2015

                                Status

                                  Unknown

                                Vendor Statement

                                No statement is currently available from the vendor regarding this vulnerability.

                                Vendor References

                                  Extreme Networks

                                  Notified:  February 06, 2015 Updated:  February 06, 2015

                                  Status

                                    Unknown

                                  Vendor Statement

                                  No statement is currently available from the vendor regarding this vulnerability.

                                  Vendor References

                                    F5 Networks, Inc.

                                    Notified:  February 06, 2015 Updated:  February 06, 2015

                                    Status

                                      Unknown

                                    Vendor Statement

                                    No statement is currently available from the vendor regarding this vulnerability.

                                    Vendor References

                                      Fedora Project

                                      Notified:  February 06, 2015 Updated:  February 06, 2015

                                      Status

                                        Unknown

                                      Vendor Statement

                                      No statement is currently available from the vendor regarding this vulnerability.

                                      Vendor References

                                        Force10 Networks, Inc.

                                        Notified:  February 06, 2015 Updated:  February 06, 2015

                                        Status

                                          Unknown

                                        Vendor Statement

                                        No statement is currently available from the vendor regarding this vulnerability.

                                        Vendor References

                                          Foundry Networks, Inc.

                                          Notified:  February 06, 2015 Updated:  February 06, 2015

                                          Status

                                            Unknown

                                          Vendor Statement

                                          No statement is currently available from the vendor regarding this vulnerability.

                                          Vendor References

                                            Gentoo Linux

                                            Notified:  February 06, 2015 Updated:  February 06, 2015

                                            Status

                                              Unknown

                                            Vendor Statement

                                            No statement is currently available from the vendor regarding this vulnerability.

                                            Vendor References

                                              Google

                                              Notified:  February 06, 2015 Updated:  February 06, 2015

                                              Status

                                                Unknown

                                              Vendor Statement

                                              No statement is currently available from the vendor regarding this vulnerability.

                                              Vendor References

                                                Hewlett-Packard Company

                                                Notified:  February 06, 2015 Updated:  February 06, 2015

                                                Status

                                                  Unknown

                                                Vendor Statement

                                                No statement is currently available from the vendor regarding this vulnerability.

                                                Vendor References

                                                  Hitachi

                                                  Notified:  February 06, 2015 Updated:  February 06, 2015

                                                  Status

                                                    Unknown

                                                  Vendor Statement

                                                  No statement is currently available from the vendor regarding this vulnerability.

                                                  Vendor References

                                                    Huawei Technologies

                                                    Notified:  February 06, 2015 Updated:  February 06, 2015

                                                    Status

                                                      Unknown

                                                    Vendor Statement

                                                    No statement is currently available from the vendor regarding this vulnerability.

                                                    Vendor References

                                                      IBM Corporation

                                                      Notified:  February 06, 2015 Updated:  February 06, 2015

                                                      Status

                                                        Unknown

                                                      Vendor Statement

                                                      No statement is currently available from the vendor regarding this vulnerability.

                                                      Vendor References

                                                        IBM eServer

                                                        Notified:  February 06, 2015 Updated:  February 06, 2015

                                                        Status

                                                          Unknown

                                                        Vendor Statement

                                                        No statement is currently available from the vendor regarding this vulnerability.

                                                        Vendor References

                                                          Infoblox

                                                          Notified:  February 06, 2015 Updated:  February 06, 2015

                                                          Status

                                                            Unknown

                                                          Vendor Statement

                                                          No statement is currently available from the vendor regarding this vulnerability.

                                                          Vendor References

                                                            Intel Corporation

                                                            Notified:  February 06, 2015 Updated:  February 06, 2015

                                                            Status

                                                              Unknown

                                                            Vendor Statement

                                                            No statement is currently available from the vendor regarding this vulnerability.

                                                            Vendor References

                                                              Intoto

                                                              Notified:  February 06, 2015 Updated:  February 06, 2015

                                                              Status

                                                                Unknown

                                                              Vendor Statement

                                                              No statement is currently available from the vendor regarding this vulnerability.

                                                              Vendor References

                                                                Mandriva S. A.

                                                                Notified:  February 06, 2015 Updated:  February 06, 2015

                                                                Status

                                                                  Unknown

                                                                Vendor Statement

                                                                No statement is currently available from the vendor regarding this vulnerability.

                                                                Vendor References

                                                                  McAfee

                                                                  Notified:  February 06, 2015 Updated:  February 06, 2015

                                                                  Status

                                                                    Unknown

                                                                  Vendor Statement

                                                                  No statement is currently available from the vendor regarding this vulnerability.

                                                                  Vendor References

                                                                    Microsoft Corporation

                                                                    Notified:  February 06, 2015 Updated:  February 06, 2015

                                                                    Status

                                                                      Unknown

                                                                    Vendor Statement

                                                                    No statement is currently available from the vendor regarding this vulnerability.

                                                                    Vendor References

                                                                      MySQL

                                                                      Notified:  February 06, 2015 Updated:  February 09, 2015

                                                                      Status

                                                                        Unknown

                                                                      Vendor Statement

                                                                      No statement is currently available from the vendor regarding this vulnerability.

                                                                      Vendor Information

                                                                      We are not aware of further vendor information regarding this vulnerability.

                                                                      Nokia

                                                                      Notified:  February 06, 2015 Updated:  February 06, 2015

                                                                      Status

                                                                        Unknown

                                                                      Vendor Statement

                                                                      No statement is currently available from the vendor regarding this vulnerability.

                                                                      Vendor References

                                                                        Novell, Inc.

                                                                        Notified:  February 06, 2015 Updated:  February 06, 2015

                                                                        Status

                                                                          Unknown

                                                                        Vendor Statement

                                                                        No statement is currently available from the vendor regarding this vulnerability.

                                                                        Vendor References

                                                                          OmniTI

                                                                          Notified:  February 06, 2015 Updated:  February 06, 2015

                                                                          Status

                                                                            Unknown

                                                                          Vendor Statement

                                                                          No statement is currently available from the vendor regarding this vulnerability.

                                                                          Vendor References

                                                                            Openwall GNU/*/Linux

                                                                            Notified:  February 06, 2015 Updated:  February 06, 2015

                                                                            Status

                                                                              Unknown

                                                                            Vendor Statement

                                                                            No statement is currently available from the vendor regarding this vulnerability.

                                                                            Vendor References

                                                                              PC-BSD

                                                                              Notified:  February 06, 2015 Updated:  February 06, 2015

                                                                              Status

                                                                                Unknown

                                                                              Vendor Statement

                                                                              No statement is currently available from the vendor regarding this vulnerability.

                                                                              Vendor References

                                                                                Palo Alto Networks

                                                                                Notified:  February 06, 2015 Updated:  February 06, 2015

                                                                                Status

                                                                                  Unknown

                                                                                Vendor Statement

                                                                                No statement is currently available from the vendor regarding this vulnerability.

                                                                                Vendor References

                                                                                  Peplink

                                                                                  Notified:  February 06, 2015 Updated:  February 06, 2015

                                                                                  Status

                                                                                    Unknown

                                                                                  Vendor Statement

                                                                                  No statement is currently available from the vendor regarding this vulnerability.

                                                                                  Vendor References

                                                                                    Process Software

                                                                                    Notified:  February 06, 2015 Updated:  February 06, 2015

                                                                                    Status

                                                                                      Unknown

                                                                                    Vendor Statement

                                                                                    No statement is currently available from the vendor regarding this vulnerability.

                                                                                    Vendor References

                                                                                      Q1 Labs

                                                                                      Notified:  February 06, 2015 Updated:  February 06, 2015

                                                                                      Status

                                                                                        Unknown

                                                                                      Vendor Statement

                                                                                      No statement is currently available from the vendor regarding this vulnerability.

                                                                                      Vendor References

                                                                                        QNX Software Systems Inc.

                                                                                        Notified:  February 06, 2015 Updated:  February 06, 2015

                                                                                        Status

                                                                                          Unknown

                                                                                        Vendor Statement

                                                                                        No statement is currently available from the vendor regarding this vulnerability.

                                                                                        Vendor References

                                                                                          Quagga

                                                                                          Notified:  February 06, 2015 Updated:  February 06, 2015

                                                                                          Status

                                                                                            Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Red Hat, Inc.

Notified: February 06, 2015  Updated: February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

SUSE Linux

Notified: February 06, 2015  Updated: February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

SafeNet

Notified: February 06, 2015  Updated: February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Slackware Linux Inc.

Notified: February 06, 2015  Updated: February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

SmoothWall

Notified: February 06, 2015  Updated: February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Snort

Notified: February 06, 2015  Updated: February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Sourcefire

Notified: February 06, 2015  Updated: February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Stonesoft

Notified: February 06, 2015  Updated: February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Symantec

Notified: February 06, 2015  Updated: February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

The PHP Group

Notified: February 06, 2015  Updated: February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

TippingPoint Technologies Inc.

Notified: February 06, 2015  Updated: February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Turbolinux

Notified: February 06, 2015  Updated: February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Ubuntu

Notified: February 06, 2015  Updated: February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

VMware

Notified: February 06, 2015  Updated: February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Vyatta

Notified: February 06, 2015  Updated: February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Watchguard Technologies, Inc.

Notified: February 06, 2015  Updated: February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

ZyXEL

Notified: February 06, 2015  Updated: February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

eSoft, Inc.

Notified: February 06, 2015  Updated: February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

m0n0wall

Notified: February 06, 2015  Updated: February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

netfilter

Notified: February 06, 2015  Updated: February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

openSUSE project

Notified: February 06, 2015  Updated: February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

CVSS Metrics

Group          Score  Vector
Base           4.3    AV:N/AC:M/Au:N/C:N/I:P/A:N
Temporal       3.9    E:POC/RL:U/RC:C
Environmental  2.9    CDP:ND/TD:M/CR:ND/IR:ND/AR:ND
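The three scores above follow from the printed vectors by the CVSS v2 equations, which is worth checking when a note's vector and score are compared against a vendor's own rating. The Python scorer below is an added worked example, not part of the CERT note; it embeds the CVSS v2 metric weights from the CVSS v2 guide, parses the Base, Temporal and Environmental vectors exactly as they appear in the table, and reproduces 4.3 / 3.9 / 2.9. The vector strings and the VU_695940 name are taken from this note; everything else is the example's own.

```python
"""CVSS v2 scorer reproducing this note's Base/Temporal/Environmental scores.

Added worked example, not part of the CERT vulnerability note. Weights and
equations are those of the CVSS v2 guide; only the vectors come from the note.
"""
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2 metric weights, keyed by metric abbreviation and metric value.
WEIGHTS = {
    "AV":  {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC":  {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au":  {"M": 0.45, "S": 0.56, "N": 0.704},
    "C":   {"N": 0.0, "P": 0.275, "C": 0.660},
    "I":   {"N": 0.0, "P": 0.275, "C": 0.660},
    "A":   {"N": 0.0, "P": 0.275, "C": 0.660},
    "E":   {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0},
    "RL":  {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0},
    "RC":  {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0},
    "CDP": {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0},
    "TD":  {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0},
    "CR":  {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},
    "IR":  {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},
    "AR":  {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},
}
BASE_METRICS = ("AV", "AC", "Au", "C", "I", "A")

# Vectors as printed in VU#695940.
VU_695940 = {
    "base": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
    "temporal": "E:POC/RL:U/RC:C",
    "environmental": "CDP:ND/TD:M/CR:ND/IR:ND/AR:ND",
}


def parse_vector(vec: str) -> dict:
    """'AV:N/AC:M/...' -> {'AV': 'N', 'AC': 'M', ...}; rejects unknown metrics."""
    metrics = {}
    for part in vec.split("/"):
        name, _, value = part.partition(":")
        if name not in WEIGHTS or value not in WEIGHTS[name]:
            raise ValueError(f"unknown CVSS v2 metric/value: {part!r}")
        metrics[name] = value
    return metrics


def weight(metrics: dict, name: str) -> float:
    """Weight of a metric; an absent temporal/environmental metric means 'ND'."""
    return WEIGHTS[name][metrics.get(name, "ND")]


def round1(x: float) -> float:
    """CVSS v2 round_to_1_decimal (half-up). Goes through Decimal so a product
    such as 3.9 * 0.75 = 2.925 is rounded on its decimal value rather than on
    the nearest binary float (2.92499...)."""
    d = Decimal(repr(x)).quantize(Decimal("0.0001"), rounding=ROUND_HALF_UP)
    return float(d.quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def _impact(base: dict, cr: float = 1.0, ir: float = 1.0, ar: float = 1.0) -> float:
    """Impact subscore; CR/IR/AR multipliers are 1.0 for the plain base score."""
    return 10.41 * (1 - (1 - weight(base, "C") * cr)
                      * (1 - weight(base, "I") * ir)
                      * (1 - weight(base, "A") * ar))


def _base_from_impact(base: dict, imp: float) -> float:
    """Base equation given an (optionally environment-adjusted) impact subscore."""
    expl = 20 * weight(base, "AV") * weight(base, "AC") * weight(base, "Au")
    f_impact = 0.0 if imp == 0 else 1.176
    return round1((0.6 * imp + 0.4 * expl - 1.5) * f_impact)


def _parse_base(base_vec: str) -> dict:
    base = parse_vector(base_vec)
    missing = [m for m in BASE_METRICS if m not in base]
    if missing:
        raise ValueError(f"base vector lacks mandatory metrics: {missing}")
    return base


def base_score(base_vec: str) -> float:
    base = _parse_base(base_vec)
    return _base_from_impact(base, _impact(base))


def _temporal(base_value: float, t: dict) -> float:
    return round1(base_value * weight(t, "E") * weight(t, "RL") * weight(t, "RC"))


def temporal_score(base_vec: str, temporal_vec: str) -> float:
    return _temporal(base_score(base_vec), parse_vector(temporal_vec))


def environmental_score(base_vec: str, temporal_vec: str, env_vec: str) -> float:
    """Environmental equation: recompute base and temporal with the CR/IR/AR
    weighted impact, then apply collateral damage and target distribution."""
    base, t, env = _parse_base(base_vec), parse_vector(temporal_vec), parse_vector(env_vec)
    adj_impact = min(10.0, _impact(base, weight(env, "CR"), weight(env, "IR"), weight(env, "AR")))
    adj_temporal = _temporal(_base_from_impact(base, adj_impact), t)
    return round1((adj_temporal + (10 - adj_temporal) * weight(env, "CDP")) * weight(env, "TD"))


def score_note(v: dict = VU_695940) -> tuple:
    """(Base, Temporal, Environmental) for a note's three vectors."""
    return (base_score(v["base"]),
            temporal_score(v["base"], v["temporal"]),
            environmental_score(v["base"], v["temporal"], v["environmental"]))


if __name__ == "__main__":
    print(score_note())  # (4.3, 3.9, 2.9)
```

The Environmental figure is the one most often misread: with CDP:ND the collateral-damage term contributes nothing, so the 2.9 is simply the 3.9 adjusted temporal score scaled by the 0.75 of TD:M. Note also that the C:N/I:P/A:N impact (integrity only, partial) is what holds the Base at 4.3 despite network reachability; a vendor that reassesses impact for its own product will move that number, not the vector syntax.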

References

Acknowledgements

This vulnerability was reported publicly by Guido Vranken.

This document was written by Garret Wassermann.

Other Information

CVE IDs: None
Date Public: 2015-02-04
Date First Published: 2015-02-13
Date Last Updated: 2015-02-27 13:52 UTC
Document Revision: 28

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.