{"vuid":"VU#695940","idnumber":"695940","name":"Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability","keywords":["regex","heap overflow","CWE-122"],"overview":"A regular expressions C library originally written by Henry Spencer is vulnerable to a heap overflow in some circumstances.","clean_desc":"CWE-122: Heap-based Buffer Overflow From the researcher, the variable len that holds the length of a regular expression string is \"enlarged to such an extent that, in the process of enlarging (multiplication and addition), causes the 32 bit register/variable to overflow.\" It may be possible for an attacker to use this overflow to change data in memory. More details are given on the researcher's blog. The nature of the overflow suggests that only 32-bit operating systems are affected; it is highly unlikely that 64-bit operating systems would allow such an overflow.","impact":"The complete impact of this vulnerability is not yet known. Since the library is utilized in different ways, the impact is likely to vary depending on vendor. In worst case, a malicious actor may be able to execute arbitrary code.","resolution":"Apply an update Check with your vendor to see if an update is available to address this vulnerability. See the Vendor List below for more information.","workarounds":"","sysaffected":"","thanks":"This vulnerability was reported publicly by Guido Vranken.","author":"This document was written by Garret Wassermann.","public":["https://guidovranken.wordpress.com/2015/02/04/full-disclosure-heap-overflow-in-h-spencers-regex-library-on-32-bit-systems/","http://gitweb.dragonflybsd.org/dragonfly.git/blobdiff/4d133046c59a851141519d03553a70e903b3eefc..2841837793bd095a82f477e9c370cfe6cfb3862c:/lib/libc/regex/regcomp.c"],"cveids":[""],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2015-02-04T12:49:10Z","publicdate":"2015-02-04T00:00:00Z","datefirstpublished":"2015-02-13T18:26:54Z","dateupdated":"2015-02-27T13:52:13Z","revision":29,"vrda_d1_directreport":"1","vrda_d1_population":"3","vrda_d1_impact":"3","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"0","cam_impact":"0","cam_easeofexploitation":"0","cam_attackeraccessrequired":"0","cam_scorecurrent":"0","cam_scorecurrentwidelyknown":"0","cam_scorecurrentwidelyknownexploited":"0","ipprotocol":"","cvss_accessvector":"N","cvss_accesscomplexity":"M","cvss_authentication":null,"cvss_confidentialityimpact":"N","cvss_integrityimpact":"P","cvss_availabilityimpact":"N","cvss_exploitablity":null,"cvss_remediationlevel":"U","cvss_reportconfidence":"C","cvss_collateraldamagepotential":"ND","cvss_targetdistribution":"M","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"4.3","cvss_basevector":"AV:N/AC:M/Au:N/C:N/I:P/A:N","cvss_temporalscore":"3.9","cvss_environmentalscore":"2.899886346","cvss_environmentalvector":"CDP:ND/TD:M/CR:ND/IR:ND/AR:ND","metric":0.0,"vulnote":null}