
CERT Coordination Center

Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability

Vulnerability Note VU#695940

Original Release Date: 2015-02-13 | Last Revised: 2015-02-27

Overview

A regular expressions C library originally written by Henry Spencer is vulnerable to a heap overflow in some circumstances.

Description

CWE-122: Heap-based Buffer Overflow

According to the researcher, the variable len, which holds the length of a regular expression string, is "enlarged to such an extent that, in the process of enlarging (multiplication and addition), causes the 32 bit register/variable to overflow." An attacker may be able to use this overflow to change data in memory.

More details are given on the researcher's blog.

The nature of the overflow suggests that only 32-bit operating systems are affected; it is highly unlikely that 64-bit operating systems would allow such an overflow.
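The arithmetic described above, as an added illustration (not code from the advisory, the researcher or any vendor), with 32-bit size arithmetic modelled by uint32_t. The growth formula, the 4-byte element size and all function names are assumptions chosen for this sketch; the checked variant shows the kind of length check that rejects the pattern before any allocation.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed element size of the compiled-pattern array on a 32-bit platform. */
#define ELEM_SIZE 4u

/* Assumed growth formula: the element count is derived from the pattern
 * length by multiplication and addition, as the advisory describes. */
static uint32_t elem_count(uint32_t len)
{
    return len / 2u * 3u + 1u;
}

/* Unchecked: the byte count wraps modulo 2^32, so a huge pattern can yield
 * a tiny allocation that later writes run past. */
uint32_t alloc_bytes_unchecked(uint32_t len)
{
    return elem_count(len) * ELEM_SIZE;
}

/* Checked: test each step against the 32-bit limit before performing it.
 * Returns 0 and stores the byte count, or -1 if the size cannot be
 * represented, in which case the caller must refuse the pattern. */
int alloc_bytes_checked(uint32_t len, uint32_t *out)
{
    uint32_t half = len / 2u;
    uint32_t count;

    if (half > (UINT32_MAX - 1u) / 3u)      /* half * 3 + 1 would wrap */
        return -1;
    count = half * 3u + 1u;
    if (count > UINT32_MAX / ELEM_SIZE)     /* count * ELEM_SIZE would wrap */
        return -1;
    *out = count * ELEM_SIZE;
    return 0;
}

int main(void)
{
    /* Constructed sample lengths: one ordinary, two near the wrap point. */
    const uint32_t samples[] = { 10u, 715827880u, 715827884u };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint32_t safe = 0;
        int rc = alloc_bytes_checked(samples[i], &safe);

        printf("len=%lu unchecked=%lu checked=%s\n",
               (unsigned long)samples[i],
               (unsigned long)alloc_bytes_unchecked(samples[i]),
               rc == 0 ? "ok" : "rejected");
    }
    return 0;
}
```

Under these assumptions the wrap begins at a pattern length of roughly 700 MB, which is why the same computation carried out in a 64-bit size type does not overflow for such lengths.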

Impact

The complete impact of this vulnerability is not yet known. Since the library is utilized in different ways, the impact is likely to vary by vendor. In the worst case, a malicious actor may be able to execute arbitrary code.

Solution

Apply an update

Check with your vendor to see if an update is available to address this vulnerability. See the Vendor List below for more information.

Vendor Information


Debian GNU/Linux

Notified:  February 06, 2015 Updated:  February 09, 2015

Statement Date:   February 07, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

DragonFly BSD Project

Notified:  February 06, 2015 Updated:  February 13, 2015

Statement Date:   February 07, 2015

Status

  Affected

Vendor Statement

"DragonFly is 64-bit only now so the current release is not
affected.  However, older versions of DragonFly (prior to us going 64-bit only)
are vulnerable.  Despite the vulnerability I'm not sure I would classify this
as a serious problem because it is highly unlikely that programs using the
library would allow a 700MB+ pattern string in the first place.  Patterns of
that size certainly can't be passed on the command line due to OS exec argument
buffer limitations.

That said, we will commit a length check to avoid any possible overflow."

Vendor Information

The vendor has patched the issue; the git log is available at the URL below:

Vendor References

http://gitweb.dragonflybsd.org/dragonfly.git/blobdiff/4d133046c59a851141519d03553a70e903b3eefc..2841837793bd095a82f477e9c370cfe6cfb3862c:/lib/libc/regex/regcomp.c

FreeBSD Project

Notified:  February 06, 2015 Updated:  February 09, 2015

Statement Date:   February 06, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

NetBSD

Notified:  February 06, 2015 Updated:  February 09, 2015

Statement Date:   February 07, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Wind River Systems, Inc.

Notified:  February 06, 2015 Updated:  February 09, 2015

Statement Date:   February 09, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Check Point Software Technologies

Notified:  February 06, 2015 Updated:  February 24, 2015

Statement Date:   February 24, 2015

Status

  Not Affected

Vendor Statement

"Since all regcomp() calls are done with hard coded regular expressions – Check Point does not find our code exploitable by an attacker."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Fortinet, Inc.

Notified:  February 06, 2015 Updated:  February 27, 2015

Statement Date:   February 27, 2015

Status

  Not Affected

Vendor Statement

"Fortinet products are not affected by the Henry Spencer regular expressions (regex) library heap overflow vulnerability."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Global Technology Associates, Inc.

Notified:  February 06, 2015 Updated:  February 09, 2015

Statement Date:   February 09, 2015

Status

  Not Affected

Vendor Statement

"No GTA firewalls running any version of GB-OS are vulnerable to the H. Spencer Regex vulnerability VU#695940."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Juniper Networks, Inc.

Notified:  February 06, 2015 Updated:  February 09, 2015

Statement Date:   February 07, 2015

Status

  Not Affected

Vendor Statement

"As per our analysis of Junos OS, all our regcomp invocations happen
with regular expressions hard coded in the source. We do not see any
exploitable attack vector where an attacker can input or influence a
regular expression."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

OpenBSD

Notified:  February 06, 2015 Updated:  February 09, 2015

Statement Date:   February 06, 2015

Status

  Not Affected

Vendor Statement

"Since May 2014, we use the following int overflow avoiding construct:

regcomp.c:      p->strip = reallocarray(NULL, p->ssize, sizeof(sop));

Combined with the previous line, we believe this cannot attain int overflow."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

ACCESS

Notified:  February 06, 2015 Updated:  February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

AT&T

Notified:  February 06, 2015 Updated:  February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Alcatel-Lucent

Notified:  February 06, 2015 Updated:  February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Apple

Notified:  February 06, 2015 Updated:  February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Arch Linux

Notified:  February 06, 2015 Updated:  February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Avaya, Inc.

Notified:  February 06, 2015 Updated:  February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Barracuda Networks

Notified:  February 06, 2015 Updated:  February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Belkin, Inc.

Notified:  February 06, 2015 Updated:  February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Blue Coat Systems

Notified:  February 06, 2015 Updated:  February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CA Technologies

Notified:  February 06, 2015 Updated:  February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CentOS

Notified:  February 06, 2015 Updated:  February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Cisco Systems, Inc.

Notified:  February 06, 2015 Updated:  February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

D-Link Systems, Inc.

Notified:  February 06, 2015 Updated:  February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

DesktopBSD

Notified:  February 06, 2015 Updated:  February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Enterasys Networks

Notified:  February 06, 2015 Updated:  February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Ericsson

Notified:  February 06, 2015 Updated:  February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Extreme Networks

Notified:  February 06, 2015 Updated:  February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

F5 Networks, Inc.

Notified:  February 06, 2015 Updated:  February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Fedora Project

Notified:  February 06, 2015 Updated:  February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Force10 Networks, Inc.

Notified:  February 06, 2015 Updated:  February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Foundry Networks, Inc.

Notified:  February 06, 2015 Updated:  February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Gentoo Linux

Notified:  February 06, 2015 Updated:  February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Google

Notified:  February 06, 2015 Updated:  February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Hewlett-Packard Company

Notified:  February 06, 2015 Updated:  February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Hitachi

Notified:  February 06, 2015 Updated:  February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Huawei Technologies

Notified:  February 06, 2015 Updated:  February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

IBM Corporation

Notified:  February 06, 2015 Updated:  February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

IBM eServer

Notified:  February 06, 2015 Updated:  February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Infoblox

Notified:  February 06, 2015 Updated:  February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Intel Corporation

Notified:  February 06, 2015 Updated:  February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Intoto

Notified:  February 06, 2015 Updated:  February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Mandriva S. A.

Notified:  February 06, 2015 Updated:  February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

McAfee

Notified:  February 06, 2015 Updated:  February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Microsoft Corporation

Notified:  February 06, 2015 Updated:  February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

MySQL

Notified:  February 06, 2015 Updated:  February 09, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Nokia

Notified:  February 06, 2015 Updated:  February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Novell, Inc.

Notified:  February 06, 2015 Updated:  February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

OmniTI

Notified:  February 06, 2015 Updated:  February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Openwall GNU/*/Linux

Notified:  February 06, 2015 Updated:  February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

PC-BSD

Notified:  February 06, 2015 Updated:  February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Palo Alto Networks

Notified:  February 06, 2015 Updated:  February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Peplink

Notified:  February 06, 2015 Updated:  February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Process Software

Notified:  February 06, 2015 Updated:  February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Q1 Labs

Notified:  February 06, 2015 Updated:  February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

QNX Software Systems Inc.

Notified:  February 06, 2015 Updated:  February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Quagga

Notified:  February 06, 2015 Updated:  February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Red Hat, Inc.

Notified:  February 06, 2015 Updated:  February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

SUSE Linux

Notified:  February 06, 2015 Updated:  February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

SafeNet

Notified:  February 06, 2015 Updated:  February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Slackware Linux Inc.

Notified:  February 06, 2015 Updated:  February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

SmoothWall

Notified:  February 06, 2015 Updated:  February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Snort

Notified:  February 06, 2015 Updated:  February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Sourcefire

Notified:  February 06, 2015 Updated:  February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Stonesoft

Notified:  February 06, 2015 Updated:  February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Symantec

Notified:  February 06, 2015 Updated:  February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

The PHP Group

Notified:  February 06, 2015 Updated:  February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

TippingPoint Technologies Inc.

Notified:  February 06, 2015 Updated:  February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Turbolinux

Notified:  February 06, 2015 Updated:  February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Ubuntu

Notified:  February 06, 2015 Updated:  February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

VMware

Notified:  February 06, 2015 Updated:  February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vyatta

Notified:  February 06, 2015 Updated:  February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Watchguard Technologies, Inc.

Notified:  February 06, 2015 Updated:  February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

ZyXEL

Notified:  February 06, 2015 Updated:  February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

eSoft, Inc.

Notified:  February 06, 2015 Updated:  February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

m0n0wall

Notified:  February 06, 2015 Updated:  February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

netfilter

Notified:  February 06, 2015 Updated:  February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

openSUSE project

Notified:  February 06, 2015 Updated:  February 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.


CVSS Metrics

Group          Score  Vector
Base           4.3    AV:N/AC:M/Au:N/C:N/I:P/A:N
Temporal       3.9    E:POC/RL:U/RC:C
Environmental  2.9    CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Credit

This vulnerability was reported publicly by Guido Vranken.

This document was written by Garret Wassermann.

Other Information

CVE IDs: None
Date Public: 2015-02-04
Date First Published: 2015-02-13
Date Last Updated: 2015-02-27 13:52 UTC
Document Revision: 28

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.