| Summary: | sys-libs/glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED WONTFIX | | |
| Severity: | normal | CC: | jasmin+gentoo, toolchain |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1683150 | | |
| Whiteboard: | A3 [upstream/ebuild cve] | | |
| Package list: | | Runtime testing required: | --- |
Description
Agostino Sarubbo
2019-02-27 08:29:55 UTC
> Disclaimer:
> the comment from Florian Weimer says:
> the regular expression compiler in glibc is only supposed to be exposed to
> trusted content, so this is not a security vulnerability:
> “resource exhaustion issues which can be triggered only with crafted
> patterns (either during compilation or execution) are not treated as
> security bugs”
> <https://sourceware.org/glibc/wiki/Security%20Exceptions>
>
> So since there is already a CVE, and since glibc is an important package,
> let's track it for now.
What's the point of tracking it, if upstream says it's not a bug and no one will ever do anything about it?
As per upstream and Red Hat. Statement: The regular expression compiler in glibc is only supposed to be exposed to trusted content, therefore this flaw is not classified as a security vulnerability. Closing bug, no reason to track.