Bug 454862 (CVE-2013-0242) - <sys-libs/glibc-2.19-r1: "extend_buffers()" Regular Expression Handling Denial of Service Vulnerability (CVE-2013-0242)
Summary: <sys-libs/glibc-2.19-r1: "extend_buffers()" Regular Expression Handling Denia...
Alias: CVE-2013-0242
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: A3 [glsa cleanup]
Depends on: 518364
Reported: 2013-01-31 16:14 UTC by Agostino Sarubbo
Modified: 2015-03-08 14:53 UTC
Description Agostino Sarubbo gentoo-dev 2013-01-31 16:14:29 UTC
From $URL :

A vulnerability has been reported in GNU C Library, which can be exploited by malicious people to 
cause a DoS (Denial of Service).

The vulnerability is caused due to an error within the "extend_buffers()" function 
(posix/regexec.c) when handling multibyte characters in regular expressions and can be exploited to 
cause a buffer overflow and crash the application.

The vulnerability is reported in version 2.17. Other versions may also be affected.

No official solution is currently available.

Provided and/or discovered by
Paolo Bonzini in a bug report.

Original Advisory
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2013-03-04 23:17:52 UTC
CVE-2013-0242 (
  Buffer overflow in the extend_buffers function in the regular expression
  matcher (posix/regexec.c) in glibc, possibly 2.17 and earlier, allows
  context-dependent attackers to cause a denial of service (memory corruption
  and crash) via crafted multibyte characters.
Comment 2 Hanno Böck gentoo-dev 2013-07-09 21:39:59 UTC
Fix is in 2.18:;a=blob_plain;f=NEWS;hb=HEAD
Comment 3 Chris Reffett (RETIRED) gentoo-dev Security 2013-10-08 03:18:22 UTC
Can the fix be backported to stable glibc versions?
Comment 4 SpanKY gentoo-dev 2014-02-18 19:29:45 UTC
no plans to backport to glibc-2.17 or older
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2015-03-03 03:28:34 UTC
Maintainer(s), please drop the vulnerable version(s).

Added to an existing GLSA Request.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2015-03-08 14:53:41 UTC
This issue was resolved and addressed in
 GLSA 201503-04 at
by GLSA coordinator Kristian Fiskerstrand (K_F).
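
A version check for the range this bug tracks, as an added example that is not part of the bug report or of Gentoo's tooling. The function names are hypothetical; the default threshold `2.19-r1` comes from the bug title, and `2.18` (the release comment 2 names as carrying the fix) can be passed as the second argument instead.

```shell
#!/bin/sh
# Added example (not from the bug report): test a glibc version string against
# the "<sys-libs/glibc-2.19-r1" range in this bug's title.
# Supported form: dotted numbers plus an optional Gentoo -rN revision.
# Anything else (for example _p or _rc suffixes) is reported as "unknown".

TITLE_THRESHOLD="2.19-r1"   # from the bug title

# split_version VER: print "MAJOR MINOR PATCH REV"; fail on unsupported input.
split_version() {
    v=$1
    rev=0
    case "$v" in
        *-r*) rev=${v##*-r}; v=${v%-r*} ;;
    esac
    case "$v.$rev" in
        *[!0-9.]*|.*|*..*|*.) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $v
    IFS=$old_ifs
    echo "${1:-0} ${2:-0} ${3:-0} $rev"
}

# version_below VER [THRESHOLD]: print "below", "not-below" or "unknown".
version_below() {
    have=$(split_version "$1") || { echo unknown; return 0; }
    want=$(split_version "${2:-$TITLE_THRESHOLD}") || { echo unknown; return 0; }
    set -- $have $want   # $1..$4 = VER fields, $5..$8 = THRESHOLD fields
    i=1
    while [ "$i" -le 4 ]; do
        eval "a=\${$i} b=\${$((i + 4))}"
        if [ "$a" -lt "$b" ]; then echo below; return 0; fi
        if [ "$a" -gt "$b" ]; then echo not-below; return 0; fi
        i=$((i + 1))
    done
    echo not-below   # equal to the threshold
}
```

On a glibc system, `getconf GNU_LIBC_VERSION` prints the upstream version of the running library, without any Gentoo revision, so a result of "below" against `2.19-r1` for a bare `2.19` needs the installed package revision to confirm.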