Bug 678902 (CVE-2018-20796) - sys-libs/glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c
Summary: sys-libs/glibc: uncontrolled recursion in function check_dst_limits_calc_pos_...
Status: IN_PROGRESS
Alias: CVE-2018-20796
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: A3 [upstream/ebuild cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-02-27 08:29 UTC by Agostino Sarubbo
Modified: 2019-06-24 22:56 UTC

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2019-02-27 08:29:55 UTC
From ${URL}:
In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\227|)(\\1\\1|t1|\\\2537)+' in grep.

Reference:
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34141

END

Disclaimer:
the comment from Florian Weimer says that the regular expression compiler in glibc is only supposed to be exposed to trusted content, so this is not a security vulnerability:
“resource exhaustion issues which can be triggered only with crafted patterns (either during compilation or execution) are not treated as security bugs”
<https://sourceware.org/glibc/wiki/Security%20Exceptions>


So, since there is already a CVE and since glibc is an important package, let's track it for now.



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.