
Bug 678902 (CVE-2018-20796)

Summary: sys-libs/glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: IN_PROGRESS ---
Severity: normal
CC: jbuchert+genbug, toolchain
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1683150
Whiteboard: A3 [upstream/ebuild cve]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2019-02-27 08:29:55 UTC
From ${URL} :
In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\227|)(\\1\\1|t1|\\\2537)+' in grep.

Reference:
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34141

END

Disclaimer:
The comment from Florian Weimer says:
the regular expression compiler in glibc is only supposed to be exposed to trusted content, so this is not a security vulnerability:
“resource exhaustion issues which can be triggered only with crafted patterns (either during compilation or execution) are not treated as security bugs”
<https://sourceware.org/glibc/wiki/Security%20Exceptions>


So since there is already a CVE, and since glibc is an important package, let's track it for now.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.