Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 679044 (CVE-2019-9169) - sys-libs/glibc: regular-expression match via proceed_next_node in posix/regexec.c leads to heap-based buffer over-read
Summary: sys-libs/glibc: regular-expression match via proceed_next_node in posix/regex...
Status: IN_PROGRESS
Alias: CVE-2019-9169
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: A3 [upstream/ebuild cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-02-28 13:17 UTC by Agostino Sarubbo
Modified: 2019-03-27 03:32 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2019-02-28 13:17:20 UTC
From ${URL} :

In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an 
attempted case-insensitive regular-expression match.

Upstream patch:
https://github.com/clearlinux-pkgs/glibc/blob/master/CVE-2019-9169.patch
https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=583dd860d5b833037175247230a328f0050dbfe9

References:
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142
https://sourceware.org/bugzilla/show_bug.cgi?id=24114
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34141
https://lists.gnu.org/archive/html/bug-gnulib/2019-01/msg00108.html
https://www.securityfocus.com/bid/107160


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.