
Bug#778412: marked as done (nvi: CVE-2015-2305: Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability)



Your message dated Sat, 31 Dec 2016 04:33:29 +0000
with message-id <E1cNBMH-000HDt-OK@fasolo.debian.org>
and subject line Bug#778412: fixed in nvi 1.81.6-13
has caused the Debian Bug report #778412,
regarding nvi: CVE-2015-2305: Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
778412: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778412
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: nvi
Severity: important
Tags: security patch

The security team received a report from the CERT Coordination Center that the 
Henry Spencer regular expressions (regex) library contains a heap overflow 
vulnerability. It looks like this package includes the affected code, and that's 
the reason for this bug report.

The patch is available here:
http://gitweb.dragonflybsd.org/dragonfly.git/blobdiff/4d133046c59a851141519d03553a70e903b3eefc..2841837793bd095a82f477e9c370cfe6cfb3862c:/lib/libc/regex/regcomp.c

Please, can you confirm if the binary packages are affected? Are stable and 
testing affected?

More information, here:
http://www.kb.cert.org/vuls/id/695940
https://guidovranken.wordpress.com/2015/02/04/full-disclosure-heap-overflow-in-h-spencers-regex-library-on-32-bit-systems/

A CVE id has been requested already and the report will be updated with it 
eventually.

Cheers, luciano

--- End Message ---
--- Begin Message ---
Source: nvi
Source-Version: 1.81.6-13

We believe that the bug you reported is fixed in the latest version of
nvi, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 778412@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated nvi package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 31 Dec 2016 04:10:57 +0000
Source: nvi
Binary: nvi nvi-doc
Architecture: source
Version: 1.81.6-13
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description:
 nvi        - 4.4BSD re-implementation of vi
 nvi-doc    - 4.4BSD re-implementation of vi - documentation files
Closes: 778412 794030
Changes:
 nvi (1.81.6-13) unstable; urgency=medium
 .
   * QA upload.
   * Build with all hardening options.
   * CVE-2015-2305: Apply heap overflow patch from Dragonfly BSD (closes:
     #778412).
   * Fix cross-build failure: pass --build and --host to configure (thanks,
     Helmut Grohne; closes: #794030).
Checksums-Sha1:
 5d34e13fc05d0faa6da9b8556feeac60bdcac7b0 1873 nvi_1.81.6-13.dsc
 cb451c0a77405ddfa20b978a89d9ad96fd6afcf8 76868 nvi_1.81.6-13.debian.tar.xz
Checksums-Sha256:
 4e2689c394c86ec41274e178d238eafeadefe444cf1f7156c0b7303889cc560d 1873 nvi_1.81.6-13.dsc
 306c6059d386a161b9884535f0243134c8c9b5b15648e09e595fd1b349a7b9e1 76868 nvi_1.81.6-13.debian.tar.xz
Files:
 0f41f56e918e69b79cc0d7d5b9b1e2f6 1873 editors optional nvi_1.81.6-13.dsc
 9c37ab5b5bd5470faab6edf0fe104fed 76868 editors optional nvi_1.81.6-13.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Comment: Colin Watson <cjwatson@debian.org> -- Debian developer
-----END PGP SIGNATURE-----

--- End Message ---
