From ${URL} :
Maksymilian Arciemowicz reported a resource consumption issue in the libcxx C++ regex library. If an attacker were able to make an application using this library process a specially-crafted regular expression, it could cause the application to consume excessive system resources.
Original report: http://seclists.org/fulldisclosure/2014/Aug/1
Upstream bug: http://llvm.org/bugs/show_bug.cgi?id=20291
@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
@maintainer(s) is this bug stable? Can we send to glsa?
Mike Boyle
Gentoo Security Padawan
AFAICS upstream did not find any solution here.
Apparently fixed by r313056. FWICS, this is in release_60 branch but I don't see any reference of it in release_50.
@maintainer ping. Is it ok to move forward with stabilizing it?
Please clean vulnerable versions.
@prefix, do you need any of the old versions here?
I think they are tied to the llvm versions, but it is probably time to drop support for old targets. So, let's drop the old versions.
Ok, thanks.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4457b2c99d536fc44e945e43f8fd7fbe09a0df60

commit 4457b2c99d536fc44e945e43f8fd7fbe09a0df60
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-03-10 18:22:23 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-03-10 19:52:56 +0000

    sys-libs/libcxx: Drop <6

    Bug: https://bugs.gentoo.org/519112
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 sys-libs/libcxx/Manifest                           |   4 -
 sys-libs/libcxx/files/Makefile                     |  38 ----
 .../libcxx/files/libcxx-3.9-cmake-static-lib.patch | 196 ------------------
 sys-libs/libcxx/files/prepare_snapshot.sh          |  16 --
 sys-libs/libcxx/libcxx-3.7.1.ebuild                | 169 ----------------
 sys-libs/libcxx/libcxx-3.9.1.ebuild                | 222 ---------------------
 sys-libs/libcxx/libcxx-4.0.1.ebuild                | 213 --------------------
 sys-libs/libcxx/libcxx-5.0.2.ebuild                | 209 -------------------
 8 files changed, 1067 deletions(-)
(In reply to Larry the Git Cow from comment #9)
> The bug has been referenced in the following commit(s):
>
> https://gitweb.gentoo.org/repo/gentoo.git/commit/
> ?id=4457b2c99d536fc44e945e43f8fd7fbe09a0df60
>
> commit 4457b2c99d536fc44e945e43f8fd7fbe09a0df60
> Author:     Michał Górny <mgorny@gentoo.org>
> AuthorDate: 2019-03-10 18:22:23 +0000
> Commit:     Michał Górny <mgorny@gentoo.org>
> CommitDate: 2019-03-10 19:52:56 +0000
>
>     sys-libs/libcxx: Drop <6
>
>     Bug: https://bugs.gentoo.org/519112
>     Signed-off-by: Michał Górny <mgorny@gentoo.org>
>
>  sys-libs/libcxx/Manifest                           |   4 -
>  sys-libs/libcxx/files/Makefile                     |  38 ----
>  .../libcxx/files/libcxx-3.9-cmake-static-lib.patch | 196 ------------------
>  sys-libs/libcxx/files/prepare_snapshot.sh          |  16 --
>  sys-libs/libcxx/libcxx-3.7.1.ebuild                | 169 ----------------
>  sys-libs/libcxx/libcxx-3.9.1.ebuild                | 222
> ---------------------
>  sys-libs/libcxx/libcxx-4.0.1.ebuild                | 213
> --------------------
>  sys-libs/libcxx/libcxx-5.0.2.ebuild                | 209 -------------------
>  8 files changed, 1067 deletions(-)

Thanks, Michał!