CVE-2015-2305 — Integer Overflow or Wraparound in Haskell-regex-posix

CWE-190 — Integer Overflow or Wraparound10 documents8 sources

Severity

6.8MEDIUMNVD

EPSS

28.7%

top 3.45%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Clamav Newlib Project Newlib PHP +18 more

Timeline

PublishedMar 30

Latest updateMay 14

Description

Integer overflow in the regcomp implementation in the Henry Spencer BSD regex library (aka rxspencer) alpha3.8.g5 on 32-bit platforms, as used in NetBSD through 6.1.5 and other products, might allow context-dependent attackers to execute arbitrary code via a large regular expression that leads to a heap-based buffer overflow.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages19 packages

▶NVDrxspencer_project/rxspencer3.8.g5

▶debiandebian/haskell-regex-posix< clamav 0.98.7+dfsg-1 (bookworm)

▶NVDphp/php5.4.0 — 5.4.39+2

▶debiandebian/efl< clamav 0.98.7+dfsg-1 (bookworm)

▶debiandebian/nvi< clamav 0.98.7+dfsg-1 (bookworm)

Also affects: Debian Linux 7.0, 8.0, Ubuntu Linux 10.04, 12.04, 14.04, 14.10, 15.04

🔴Vulnerability Details

GHSA

GHSA-qcm7-3c5w-vhg7: Integer overflow in the regcomp implementation in the Henry Spencer BSD regex library (aka rxspencer) alpha3↗2022-05-14

▶

OSV

php5 vulnerabilities↗2015-04-20

▶

OSV

CVE-2015-2305: Integer overflow in the regcomp implementation in the Henry Spencer BSD regex library (aka rxspencer) alpha3↗2015-03-30

▶

📋Vendor Advisories

Ubuntu

ClamAV vulnerabilities↗2015-05-05

▶

Ubuntu

PHP vulnerabilities↗2015-04-20

▶

Red Hat

regex: heap overflow in regcomp() on 32-bit architectures↗2015-02-04

▶

Debian

CVE-2015-2305: alpine - Integer overflow in the regcomp implementation in the Henry Spencer BSD regex li...↗2015

▶

Apple

CVE-2015-2305: OS X El Capitan v10.11↗

▶

💬Community

Bugzilla

CVE-2015-2305 regex: heap overflow in regcomp() on 32-bit architectures↗2015-02-10

▶