Bug 609386 (CVE-2015-8985) - <sys-libs/glibc-2.28 : Assertion failure in pop_fail_stack when executing a malformed regexp
Status: RESOLVED FIXED
Alias: CVE-2015-8985
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://sourceware.org/bugzilla/show_...
Whiteboard: A3 [glsa+ cve]
Reported: 2017-02-15 08:00 UTC by Thomas Deutschmann (RETIRED)
Modified: 2019-08-15 15:39 UTC

Description Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-15 08:00:42 UTC
From $URL:

Debian bug report:

  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779392

Reproducer from the Debian bug:

#include <assert.h>
#include <regex.h>
#include <stdio.h>

int main(int argc, char **argv)
{
    int rc;
    regex_t preg;
    regmatch_t pmatch[2];

    rc = regcomp(&preg, "()*)|\\1)*", REG_EXTENDED);
    assert(rc == 0);
    regexec(&preg, "", 2, pmatch, 0);
    regfree(&preg);
    return 0;
}

This was assigned CVE-2015-8985 even though it is debatable whether this is a security bug.
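
Since the failure is an assert() abort inside regexec, a program that has to evaluate untrusted patterns on an affected glibc can contain it by running the match in a child process. The following is an added example, not part of the bug report or of glibc; isolated_regex_match and the rx_result enum are hypothetical names.

```c
#include <errno.h>
#include <regex.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcome of one match attempt made in a sacrificial child process. */
enum rx_result { RX_MATCH, RX_NOMATCH, RX_BAD_PATTERN, RX_ERROR, RX_CRASHED };

/* Hypothetical helper (not a glibc API): same regcomp/regexec calls as the
 * reproducer, but run after fork() so an abort stays in the child. */
enum rx_result isolated_regex_match(const char *pattern, const char *text)
{
    pid_t pid = fork();
    if (pid < 0)
        return RX_ERROR;

    if (pid == 0) {
        regex_t preg;
        regmatch_t pmatch[2];
        if (regcomp(&preg, pattern, REG_EXTENDED) != 0)
            _exit(RX_BAD_PATTERN);
        /* On affected glibc the assert in pop_fail_stack fires here. */
        int rc = regexec(&preg, text, 2, pmatch, 0);
        regfree(&preg);
        _exit(rc == 0 ? RX_MATCH : rc == REG_NOMATCH ? RX_NOMATCH : RX_ERROR);
    }

    int status;
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return RX_ERROR;
    if (WIFSIGNALED(status))          /* SIGABRT from a failed assert() */
        return RX_CRASHED;
    if (WIFEXITED(status) && WEXITSTATUS(status) <= RX_ERROR)
        return (enum rx_result)WEXITSTATUS(status);
    return RX_ERROR;
}

int main(void)
{
    static const char *names[] = { "match", "no match", "bad pattern",
                                   "error", "child crashed" };
    /* Pattern taken from the reproducer in the bug description. */
    enum rx_result r = isolated_regex_match("()*)|\\1)*", "");
    printf("result: %s\n", names[r]);
    return r == RX_CRASHED;
}
```

The parent receives RX_CRASHED instead of being terminated, so it can log and reject the pattern and keep serving other requests.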
Comment 1 Andreas K. Hüttel archtester gentoo-dev 2019-05-01 18:48:38 UTC
All affected packages are masked. No cleanup (toolchain package).
Security please proceed.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2019-08-15 15:39:56 UTC
This issue was resolved and addressed in
 GLSA 201908-06 at https://security.gentoo.org/glsa/201908-06
by GLSA coordinator Aaron Bauman (b-man).