Bug#778396: marked as done (Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability)

[owner@bugs.debian.org (Debian Bug Tracking System)]

Your message dated Sat, 14 Feb 2015 23:20:26 +0100
with message-id <20150214222026.GA20396@pisco.westfalen.local>
and subject line Re: Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability
has caused the Debian Bug report #778396,
regarding Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
778396: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778396
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: submit@bugs.debian.org
• Subject: Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability
• From: Luciano Bello <luciano@debian.org>
• Date: Sat, 14 Feb 2015 15:28:56 +0100
• Message-id: <[🔎] 4507822.v9n4YJ81Xb@box>

Package: cups
Severity: important
Tags: security patch

The security team received a report from the CERT Coordination Center that the 
Henry Spencer regular expressions (regex) library contains a heap overflow 
vulnerability. It looks like this package includes the affected code at that's 
the reason of this bug report.

The patch is available here:
http://gitweb.dragonflybsd.org/dragonfly.git/blobdiff/4d133046c59a851141519d03553a70e903b3eefc..2841837793bd095a82f477e9c370cfe6cfb3862c:/lib/libc/regex/regcomp.c

Please, can you confirm if the binary packages are affected? Are stable and 
testing affected?

More information, here:
http://www.kb.cert.org/vuls/id/695940
https://guidovranken.wordpress.com/2015/02/04/full-disclosure-heap-overflow-in-h-spencers-regex-library-on-32-bit-systems/

A CVE id has been requested already and the report will be updated with it 
eventually.

Cheers, luciano

--- End Message ---

--- Begin Message ---

• To: 778396-done@bugs.debian.org
• Subject: Re: Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability
• From: Moritz Mühlenhoff <jmm@inutil.org>
• Date: Sat, 14 Feb 2015 23:20:26 +0100
• Message-id: <20150214222026.GA20396@pisco.westfalen.local>
• In-reply-to: <[🔎] 4507822.v9n4YJ81Xb@box>
• References: <[🔎] 4507822.v9n4YJ81Xb@box>

On Sat, Feb 14, 2015 at 03:28:56PM +0100, Luciano Bello wrote:
> Package: cups
> Severity: important
> Tags: security patch
> 
> The security team received a report from the CERT Coordination Center that the 
> Henry Spencer regular expressions (regex) library contains a heap overflow 
> vulnerability. It looks like this package includes the affected code at that's 
> the reason of this bug report.

The regex copy is only used when building on Windows. I double-checked by
removing the entire vcnet/regex directory and rebuilding cups.

Cheers,
       Moritz

--- End Message ---