Vulnerability Note VU#695940
Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability
Original Release date: 13 Feb 2015 | Last revised: 27 Feb 2015
A regular expressions C library originally written by Henry Spencer is vulnerable to a heap overflow in some circumstances.
CWE-122: Heap-based Buffer Overflow
From the researcher, the variable len that holds the length of a regular expression string is "enlarged to such an extent that, in the process of enlarging (multiplication and addition), causes the 32 bit register/variable to overflow." It may be possible for an attacker to use this overflow to change data in memory.
More details are given on the researcher’s blog.
The nature of the overflow suggests that only 32-bit operating systems are affected; it is highly unlikely that 64-bit operating systems would allow such an overflow.
The complete impact of this vulnerability is not yet known. Since the library is utilized in different ways, the impact is likely to vary depending on vendor. In worst case, a malicious actor may be able to execute arbitrary code.
Apply an update
Check with your vendor to see if an update is available to address this vulnerability. See the Vendor List below for more information.
Vendor Information (Learn More)
VendorStatusDate NotifiedDate UpdatedDebian GNU/LinuxAffected06 Feb 201509 Feb 2015
DragonFly BSD ProjectAffected06 Feb 201513 Feb 2015
FreeBSD ProjectAffected06 Feb 201509 Feb 2015
NetBSDAffected06 Feb 201509 Feb 2015
Wind River Systems, Inc.Affected06 Feb 201509 Feb 2015
Check Point Software TechnologiesNot Affected06 Feb 201524 Feb 2015
Fortinet, Inc.Not Affected06 Feb 201527 Feb 2015
Global Technology Associates, Inc.Not Affected06 Feb 201509 Feb 2015
Juniper Networks, Inc.Not Affected06 Feb 201509 Feb 2015
OpenBSDNot Affected06 Feb 201509 Feb 2015
ACCESSUnknown06 Feb 201506 Feb 2015
Alcatel-LucentUnknown06 Feb 201506 Feb 2015
AppleUnknown06 Feb 201506 Feb 2015
Arch LinuxUnknown06 Feb 201506 Feb 2015
AT&TUnknown06 Feb 201506 Feb 2015If you are a vendor and your product is affected, let
us know.View More »
CVSS Metrics (Learn More)
Full disclosure: heap overflow in H. Spencer’s regex library on 32 bit systems
This vulnerability was reported publicly by Guido Vranken.
This document was written by Garret Wassermann.
04 Feb 2015
Date First Published:
13 Feb 2015
Date Last Updated:
27 Feb 2015
FeedbackIf you have feedback, comments, or additional information about this vulnerability, please send us email.