Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Vulnerabilities » CVE-2015-2305

Overview

Vulnerability Score 6.8 6.8
CVE Id CVE-2015-2305
Last Modified 09 Oct 2015 10:00:37
Published 30 Mar 2015 06:59:11
Confidentiality Impact PARTIAL PARTIAL
Integrity Impact PARTIAL PARTIAL
Availability Impact PARTIAL PARTIAL
Access Vector NETWORK
Access Complexity MEDIUM
Authentication NONE

CVE-2015-2305

Summary

Integer overflow in the regcomp implementation in the Henry Spencer BSD regex library (aka rxspencer) alpha3.8.g5 on 32-bit platforms, as used in NetBSD through 6.1.5 and other products, might allow context-dependent attackers to execute arbitrary code via a large regular expression that leads to a heap-based buffer overflow.

Vulnerable Systems

Operating System

  • Debian Linux 7.0

  • Novell Opensuse 13.1

  • Novell Opensuse 13.2

Application

  • Rxspencer Project Rxspencer 3.8.g5


References

CERT-VN - VU#695940

MISC - https://guidovranken.wordpress.com/2015/02/04/full-disclosure-heap-overflow-in-h-spencers-regex-library-on-32-bit-systems/

MLIST - [oss-security] 20150311 Re: CVE request: spencer regexp

MLIST - [oss-security] 20150207 Spencer regexp heap overflow?

DEBIAN - DSA-3195

SUSE - openSUSE-SU-2015:0644

SECTRACK - 1031947

CONFIRM - http://php.net/ChangeLog-5.php

UBUNTU - USN-2594-1

CONFIRM - http://blog.clamav.net/2015/04/clamav-0987-has-been-released.html

SUSE - SUSE-SU-2015:0946

CONFIRM - https://support.apple.com/HT205267

APPLE - APPLE-SA-2015-09-30-3


Last Updated: 27 May 2016 10:55:49