Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 609386 (CVE-2015-8985)

Summary: <sys-libs/glibc-2.28 : Assertion failure in pop_fail_stack when executing a malformed regexp
Product: Gentoo Security Reporter: Thomas Deutschmann (RETIRED) <whissi>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: toolchain
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://sourceware.org/bugzilla/show_bug.cgi?id=21163
See Also: https://bugs.debian.org/779392
https://sourceware.org/bugzilla/show_bug.cgi?id=21163
Whiteboard: A3 [glsa+ cve]
Package list:
Runtime testing required: ---

Description Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-15 08:00:42 UTC
From $URL:

Debian bug report:

  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779392

Reproducer from the Debian bug:

#include <assert.h>
#include <regex.h>
#include <stdio.h>

int main(int argc, char **argv)
{
    int rc;
    regex_t preg;
    regmatch_t pmatch[2];

    rc = regcomp(&preg, "()*)|\\1)*", REG_EXTENDED);
    assert(rc == 0);
    regexec(&preg, "", 2, pmatch, 0);
    regfree(&preg);
    return 0;
}

This was assigned CVE-2015-8985 even though it is debatable whether this is a security bug.
Comment 1 Andreas K. Hüttel archtester gentoo-dev 2019-05-01 18:48:38 UTC
All affected packages are masked. No cleanup (toolchain package).
Security please proceed.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2019-08-15 15:39:56 UTC
This issue was resolved and addressed in
 GLSA 201908-06 at https://security.gentoo.org/glsa/201908-06
by GLSA coordinator Aaron Bauman (b-man).