| Summary: | sys-libs/uclibc: Multiple vulnerabilities | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | minor | CC: | blueness, embedded, vapier |
| Priority: | Normal | Keywords: | PMASKED |
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1463736 | ||
| Whiteboard: | B3 [upstream cve] | ||
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | |||
| Bug Blocks: | 570544 | ||
There can be no bump. sys-libs/uclibc is dead. we should deprecate it in favor of uclibc-ng. if its okay with security, we can convert this bug to a tree-cleaning bug for uclibc. Sounds good, I created a PR to trigger CI for testing: https://github.com/gentoo/gentoo/pull/5004 sys-libs/uclibc has been removed from the tree, |
From ${URL} : Multiple vulnerabilities were reported in uClibc. CVE-2017-9728: In uClibc 0.9.33.2, there is an out-of-bounds read in the get_subexp function in misc/regex/regexec.c when processing a crafted regular expression. CVE-2017-9729: In uClibc 0.9.33.2, there is stack exhaustion (uncontrolled recursion) in the check_dst_limits_calc_pos_1 function in misc/regex/regexec.c when processing a crafted regular expression. References: http://seclists.org/oss-sec/2017/q2/486 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.