
Bug 678902 (CVE-2018-20796)

Summary: sys-libs/glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED WONTFIX
Severity: normal
CC: jasmin+gentoo, toolchain
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1683150
Whiteboard: A3 [upstream/ebuild cve]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2019-02-27 08:29:55 UTC
From ${URL}:
In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\227|)(\\1\\1|t1|\\\2537)+' in grep.

Reference:
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34141

END

Disclaimer:
the comment from Florian Weimer says:
the regular expression compiler in glibc is only supposed to be exposed to trusted content, so this is not a security vulnerability:
"resource exhaustion issues which can be triggered only with crafted patterns (either during compilation or execution) are not treated as security bugs"
<https://sourceware.org/glibc/wiki/Security%20Exceptions>

So since there is already a CVE, and since glibc is an important package, let's track it for now.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
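The practical consequence of the upstream position quoted above is that glibc's regcomp()/regexec() must not be handed attacker-controlled patterns. Where an application cannot avoid that (a user-supplied search expression, a filter rule from a config file it does not trust), the usual mitigation is to run the compile and match in a forked child with a small stack and a CPU limit, so a crafted pattern that recurses too deeply or backtracks forever only kills the child. The following is an added example written for this page, not code from the bug report, from grep or from glibc; the function names, the 256 KiB stack limit and the 2 second CPU limit are this example's own choices, and the sample subject string is constructed. The pattern from the CVE description is included only in main(); the page does not give the input that triggered the recursion in grep, so the outcome for it depends on the glibc version the example is built against.

```c
/* Added example (not from the bug report or from glibc): run glibc regex
 * compilation and matching on an untrusted pattern inside a resource-limited
 * child process, so stack exhaustion or runaway CPU use cannot take down the
 * caller. Limits and names are this example's own assumptions. */
#define _GNU_SOURCE
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

enum { MATCH_YES = 1, MATCH_NO = 0, MATCH_KILLED = -1, MATCH_BADPAT = -2 };

/* Assumed limits for the child: small enough that deep regexec() recursion
 * faults quickly, large enough for ordinary patterns. */
#define SANDBOX_STACK_BYTES (256 * 1024)
#define SANDBOX_CPU_SECONDS 2

static void limit_or_die(int resource, rlim_t value)
{
    struct rlimit rl = { value, value };
    if (setrlimit(resource, &rl) != 0)
        _exit(3);   /* cannot apply the limit: refuse to match at all */
}

/* Child body: never returns; the result travels back as the exit status. */
static void child_match(const char *pattern, const char *subject)
{
    regex_t re;
    limit_or_die(RLIMIT_STACK, SANDBOX_STACK_BYTES); /* deep recursion -> SIGSEGV here */
    limit_or_die(RLIMIT_CPU, SANDBOX_CPU_SECONDS);   /* runaway backtracking -> SIGXCPU here */
    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
        _exit(2);
    int rc = regexec(&re, subject, 0, NULL, 0);
    regfree(&re);
    _exit(rc == 0 ? 0 : 1);
}

/* Returns MATCH_YES, MATCH_NO, MATCH_BADPAT (pattern rejected by regcomp) or
 * MATCH_KILLED (the child died of a signal or could not set its limits). */
int sandboxed_match(const char *pattern, const char *subject)
{
    pid_t pid = fork();
    if (pid < 0)
        return MATCH_KILLED;
    if (pid == 0)
        child_match(pattern, subject);

    int status;
    if (waitpid(pid, &status, 0) != pid)
        return MATCH_KILLED;
    if (WIFSIGNALED(status))
        return MATCH_KILLED;   /* SIGSEGV from the stack limit, SIGXCPU, ... */
    switch (WEXITSTATUS(status)) {
    case 0:  return MATCH_YES;
    case 1:  return MATCH_NO;
    case 2:  return MATCH_BADPAT;
    default: return MATCH_KILLED;
    }
}

int main(void)
{
    /* Constructed subject string and a benign pattern. */
    printf("benign pattern: %d\n", sandboxed_match("^a(b|c)+d$", "abcbd"));
    /* The pattern from the CVE description, as a C literal; the triggering
     * input is not given on the page, so the result is whatever the child
     * reports on this glibc version. */
    printf("CVE-2018-20796 pattern: %d\n",
           sandboxed_match("(\\227|)(\\\\1\\\\1|t1|\\\\\\2537)+", "t1t1t1"));
    return 0;
}
```

The caller only ever sees an integer; a crash or a CPU-limit kill in the child is reported as MATCH_KILLED and should be treated as "reject this pattern", not retried. The child uses _exit() rather than exit() so it does not flush the parent's stdio buffers a second time.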
Comment 1 Andreas K. Hüttel archtester gentoo-dev 2020-03-23 21:22:18 UTC
> Disclaimer:
> the comment from Florian Weimer says:
> the regular expression compiler in glibc is only supposed to be exposed to
> trusted content, so this is not a security vulnerability:
> “resource exhaustion issues which can be triggered only with crafted
> patterns (either during compilation or execution) are not treated as 
> security bugs”
> <https://sourceware.org/glibc/wiki/Security%20Exceptions>
> 
> 
> So since there is already a CVE, and since glibc is an important package,
> let's track it for now..

What's the point of tracking it, if upstream says it's not a bug and no one will ever do anything about it?
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2020-05-22 00:44:13 UTC
As per upstream and Red Hat.

Statement:

The regular expression compiler in glibc is only supposed to be exposed to trusted content, therefore this flaw is not classified as a security vulnerability.

Closing bug, no reason to track.