Vulnerability Details
Basic Information
| Title | MGASA-2025-0138 Updated haproxy packages fix security vulnerability |
|---|---|
| Type | osv |
| Published | 2025-04-25T17:34:34 |
| Last Seen | 2025-04-25T19:36:12 |
| CVSS Score | 6.8 (MEDIUM) |
CVSS v3 Details
| Attack Vector | NETWORK |
|---|---|
| Attack Complexity | HIGH |
| Privileges Required | NONE |
| User Interaction | NONE |
| Scope | CHANGED |
| Confidentiality Impact | NONE |
| Integrity Impact | NONE |
| Availability Impact | HIGH |
CVE Information
| CVE IDs | CVE-2025-32464 |
|---|---|
| CWE | |
| Bulletin Family | software |
Description
BUG/MEDIUM: sample: fix risk of overflow when replacing multiple regex
back-refsAleandro Prudenzano of Doyensec and Edoardo Geraci of Codean
Labs reported a bug in sample_conv_regsub(), which can cause
replacements of multiple back-references to overflow the temporary trash
buffer. The problem happens when doing “regsub(match,replacement,g)”:
we’re replacing every occurrence of “match” with “replacement” in the
input sample, which requires a length check. For this, a max is applied,
so that a replacement may not use more than the remaining length in the
buffer. However, the length check is made on the replaced pattern and
not on the temporary buffer used to carry the new string. This results
in the remaining size to be usable for each input match, which can go
beyond the temporary buffer size if more than one occurrence has to be
replaced with something that’s larger than the remaining room.
back-refsAleandro Prudenzano of Doyensec and Edoardo Geraci of Codean
Labs reported a bug in sample_conv_regsub(), which can cause
replacements of multiple back-references to overflow the temporary trash
buffer. The problem happens when doing “regsub(match,replacement,g)”:
we’re replacing every occurrence of “match” with “replacement” in the
input sample, which requires a length check. For this, a max is applied,
so that a replacement may not use more than the remaining length in the
buffer. However, the length check is made on the replaced pattern and
not on the temporary buffer used to carry the new string. This results
in the remaining size to be usable for each input match, which can go
beyond the temporary buffer size if more than one occurrence has to be
replaced with something that’s larger than the remaining room.
Impact Assessment
| Base Score | 6.8 |
|---|---|
| Severity | MEDIUM |