Control: found -1 1.18.0-6.2

Hi Luciano!
On 02/14/2015 11:34 AM, Luciano Bello wrote:
> Package: newlib
> Severity: important
> Tags: security patch
>
> The security team received a report from the CERT Coordination Center that
> the Henry Spencer regular expressions (regex) library contains a heap overflow
> vulnerability. It looks like this package includes the affected code, and
> that's the reason for this bug report.
>
> The patch is available here:
> http://gitweb.dragonflybsd.org/dragonfly.git/blobdiff/4d133046c59a851141519d03553a70e903b3eefc..2841837793bd095a82f477e9c370cfe6cfb3862c:/lib/libc/regex/regcomp.c
>
> Please, can you confirm if the binary packages are affected? Are stable and
> testing affected?

I confirm that stable is the only one affected. That's because when I adopted
this package I removed libnewlib0 (the binary built for the i386 architecture),
and newlib only has a regex implementation for posix. Right now on testing and
unstable the binaries are built only for arm architectures, so we are ok there.
Also, I have checked the reverse dependencies and there aren't any; I remember
now that removing these binaries was too easy. I c&p dak's output below.

About the patch, I tried to apply it on the affected version and it applied
smoothly and also built ok. I just modified (attached) the path to regcomp.c;
it seems to be exactly the same implementation.

This is my first security bug, so be patient with me :). How do we proceed
from here?

dak's output
============================================================
$ ssh mirror.ftp-master.debian.org "dak rm -s stable -Rnb libnewlib0"
Will remove the following packages from stable:

libnewlib0 | 1.18.0-6.2 | i386

Maintainer: Arthur Loiret <aloi...@debian.org>

------------------- Reason -------------------

----------------------------------------------

Checking reverse dependencies...
# Broken Depends:
newlib: libnewlib-dev [i386]

Dependency problem found.
$ ssh mirror.ftp-master.debian.org "dak rm -s stable -Rnb libnewlib-dev"
Will remove the following packages from stable:

libnewlib-dev | 1.18.0-6.2 | i386, powerpc

Maintainer: Arthur Loiret <aloi...@debian.org>

------------------- Reason -------------------

----------------------------------------------

Checking reverse dependencies...
No dependency problem found.
============================================================

Cheers,
-- 
TiN
X-Git-Url: http://gitweb.dragonflybsd.org/dragonfly.git/blobdiff_plain/4d133046c59a851141519d03553a70e903b3eefc..2841837793bd095a82f477e9c370cfe6cfb3862c:/lib/libc/regex/regcomp.c diff --git a/newlib/libc/posix/regcomp.c b/newlib/libc/posix/regcomp.c index c71f6c6..18bc71b 100644 --- a/newlib/libc/posix/regcomp.c +++ b/newlib/libc/posix/regcomp.c @@ -189,6 +189,7 @@ regcomp(regex_t * __restrict preg, struct parse *p = &pa; int i; size_t len; + size_t maxlen; #ifdef REDEBUG # define GOODFLAGS(f) (f) #else @@ -210,7 +211,23 @@ regcomp(regex_t * __restrict preg, g = (struct re_guts *)malloc(sizeof(struct re_guts)); if (g == NULL) return(REG_ESPACE); + /* + * Limit the pattern space to avoid a 32-bit overflow on buffer + * extension. Also avoid any signed overflow in case of conversion + * so make the real limit based on a 31-bit overflow. + * + * Likely not applicable on 64-bit systems but handle the case + * generically (who are we to stop people from using ~715MB+ + * patterns?). + */ + maxlen = ((size_t)-1 >> 1) / sizeof(sop) * 2 / 3; + if (len >= maxlen) { + free((char *)g); + return(REG_ESPACE); + } p->ssize = len/(size_t)2*(size_t)3 + (size_t)1; /* ugh */ + assert(p->ssize >= len); + p->strip = (sop *)malloc(p->ssize * sizeof(sop)); p->slen = 0; if (p->strip == NULL) {
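Review bot: in the second hunk (the `maxlen` check inserted before `p->ssize = len/(size_t)2*(size_t)3 + (size_t)1;`), the new `assert(p->ssize >= len);` does not check what the comment promises. It only catches a wrap of `ssize` itself, not a wrap of `p->ssize * sizeof(sop)` in the `malloc()` two lines below: on the 32-bit build a `len` around 0x2AAAAAAA (the ~715MB the comment mentions) gives `ssize` 0x40000000, which is >= `len`, while `ssize * 4` wraps to 0. It is also compiled out under NDEBUG. So the `if (len >= maxlen)` test is the only effective protection and the assert should be treated as documentation, or dropped, rather than relied on. Two smaller points: the check runs after `g` has been allocated, which is why it needs the `free((char *)g);` error path; since `len` is already known before `malloc(sizeof(struct re_guts))`, moving the check above that call would remove the extra cleanup. And the comment claims the limit also avoids overflow "on buffer extension", but neither of these two hunks touches the code that later grows the strip, so whoever applies this to newlib should confirm that any remaining hunks of the upstream DragonFly commit were carried over, or that the growth path has its own size check.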
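Worked illustration of the 32-bit wrap the attached patch guards against. This is an added example; it is not code from the bug report, from newlib or from the DragonFly commit. It re-implements the two arithmetic expressions visible in the hunk (`len/2*3 + 1` for the strip size and the `maxlen` limit) on an emulated 32-bit `size_t`, and assumes `sizeof(sop) == 4` on the i386 build the reply identifies as the affected one (the page does not show the `sop` typedef, so that width is an assumption). It also shows why the patch's `assert(p->ssize >= len)` can pass for a length whose byte count has already wrapped.

```c
/*
 * Added example (not part of the bug report, newlib or the DragonFly patch):
 * emulate the 32-bit size_t arithmetic of regcomp()'s strip allocation to
 * show where the unguarded computation wraps and how the patch's maxlen
 * limit rejects such pattern lengths.
 *
 * Assumption: sizeof(sop) == 4 on the affected i386 build.
 */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

#define SOP_SIZE   4u                      /* assumed sizeof(sop) on i386 */
#define SIZE_MAX32 UINT32_C(0xffffffff)    /* (size_t)-1 on a 32-bit target */

/* Original (unguarded) strip size: len/(size_t)2*(size_t)3 + (size_t)1. */
static uint32_t strip_size_unguarded(uint32_t len)
{
    return len / 2u * 3u + 1u;
}

/* Bytes that malloc(p->ssize * sizeof(sop)) would request, in 32-bit size_t. */
static uint32_t strip_bytes(uint32_t ssize)
{
    return ssize * SOP_SIZE;
}

/* The patch's limit: ((size_t)-1 >> 1) / sizeof(sop) * 2 / 3. */
static uint32_t strip_maxlen(void)
{
    return (SIZE_MAX32 >> 1) / SOP_SIZE * 2u / 3u;
}

/*
 * Guarded version: returns 1 and stores ssize when regcomp() would proceed,
 * 0 when it would fail with REG_ESPACE because len >= maxlen.
 */
static int strip_size_guarded(uint32_t len, uint32_t *ssize_out)
{
    if (len >= strip_maxlen())
        return 0;
    *ssize_out = strip_size_unguarded(len);
    return 1;
}

/*
 * Oracle using 64-bit arithmetic: does either the ssize computation or the
 * byte count passed to malloc() exceed what a 32-bit size_t can hold?
 */
static int allocation_wraps(uint32_t len)
{
    uint64_t ssize_exact = (uint64_t)len / 2u * 3u + 1u;
    uint64_t bytes_exact = ssize_exact * SOP_SIZE;
    return ssize_exact > SIZE_MAX32 || bytes_exact > SIZE_MAX32;
}

/*
 * The assert(p->ssize >= len) added by the patch: 1 if it would pass.
 * It can pass even when the byte count has already wrapped.
 */
static int ssize_assert_passes(uint32_t len)
{
    return strip_size_unguarded(len) >= len;
}

int main(void)
{
    /* Constructed sample lengths: small, just under/at maxlen, and ~715MB. */
    static const uint32_t lens[] = { 100u, 0x15555553u, 0x15555554u, 0x2AAAAAAAu };
    size_t i;

    printf("maxlen = 0x%08" PRIx32 "\n", strip_maxlen());
    for (i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        uint32_t len = lens[i], ssize = strip_size_unguarded(len), guarded = 0;
        printf("len=0x%08" PRIx32 " ssize=0x%08" PRIx32 " bytes=0x%08" PRIx32
               " wraps=%d assert_ok=%d guard=%s\n",
               len, ssize, strip_bytes(ssize), allocation_wraps(len),
               ssize_assert_passes(len),
               strip_size_guarded(len, &guarded) ? "accept" : "REG_ESPACE");
    }
    return 0;
}
```

The row for len 0x2AAAAAAA is the interesting one: the strip size comes out as 0x40000000, so the patch's assert would pass, yet the byte count wraps to 0 and the unguarded code would hand a tiny buffer to the parser. The maxlen row shows the limit sits exactly where the byte count is still below 2^31, which is why the guard rather than the assert is what closes the hole.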