Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 679044 (CVE-2019-9169)

Summary: <sys-libs/glibc-2.30-r6: regular-expression match via proceed_next_node in posix/regexec.c leads to heap-based buffer over-read
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: toolchain
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1684057
Whiteboard: A3 [glsa+ cve]
Package list:
Runtime testing required: ---
Bug Depends on: 712726    
Bug Blocks:    

Description Agostino Sarubbo gentoo-dev 2019-02-28 13:17:20 UTC 
From ${URL} :

In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an 
attempted case-insensitive regular-expression match.

Upstream patch:
https://github.com/clearlinux-pkgs/glibc/blob/master/CVE-2019-9169.patch
https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=583dd860d5b833037175247230a328f0050dbfe9

References:
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142
https://sourceware.org/bugzilla/show_bug.cgi?id=24114
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34141
https://lists.gnu.org/archive/html/bug-gnulib/2019-01/msg00108.html
https://www.securityfocus.com/bid/107160


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Andreas K. Hüttel archtester gentoo-dev 2020-03-23 21:29:35 UTC 
Fixed in 2.30
Comment 2 NATTkA bot gentoo-dev 2020-04-12 19:30:10 UTC 
Unable to check for sanity:

> dependent bug #712726 is missing keywords
Comment 3 NATTkA bot gentoo-dev 2020-04-13 14:41:12 UTC 
Resetting sanity check; package list is empty or all packages are done.
Comment 4 Larry the Git Cow gentoo-dev 2020-05-04 18:37:30 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cce133930b2d85cd8bed66715857ccf550048bbd

commit cce133930b2d85cd8bed66715857ccf550048bbd
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2020-05-04 18:35:42 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2020-05-04 18:37:12 +0000

    package.mask: Update old glibc mask, now masking <2.30-r8
    
    Bug: https://bugs.gentoo.org/712726
    Bug: https://bugs.gentoo.org/677272
    Bug: https://bugs.gentoo.org/679044
    Bug: https://bugs.gentoo.org/711558
    Bug: https://bugs.gentoo.org/717938
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 profiles/package.mask | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2020-05-22 00:45:30 UTC 
Arches and Maintainer(s), Thank you for your work.

Added to GLSA
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2020-06-13 01:05:00 UTC 
This issue was resolved and addressed in
 GLSA 202006-04 at https://security.gentoo.org/glsa/202006-04
by GLSA coordinator Aaron Bauman (b-man).