Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 454862 (CVE-2013-0242) - <sys-libs/glibc-2.19-r1: "extend_buffers()" Regular Expression Handling Denial of Service Vulnerability (CVE-2013-0242)
Summary: <sys-libs/glibc-2.19-r1: "extend_buffers()" Regular Expression Handling Denia...
Status: RESOLVED FIXED
Alias: CVE-2013-0242
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://secunia.com/advisories/51951/
Whiteboard: A3 [glsa cleanup]
Keywords:
Depends on: 518364
Blocks:
  Show dependency tree
 
Reported: 2013-01-31 16:14 UTC by Agostino Sarubbo
Modified: 2015-03-08 14:53 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-01-31 16:14:29 UTC
From $URL :

Description
A vulnerability has been reported in GNU C Library, which can be exploited by malicious people to 
cause a DoS (Denial of Service).

The vulnerability is caused due to an error within the "extend_buffers()" function 
(posix/regexec.c) when handling multibyte characters in regular expressions and can be exploited to 
cause a buffer overflow and crash the application.

The vulnerability is reported in version 2.17. Other versions may also be affected.


Solution
No official solution is currently available.

Provided and/or discovered by
Paolo Bonzini in a bug report.

Original Advisory
http://sourceware.org/bugzilla/show_bug.cgi?id=15078
http://www.openwall.com/lists/oss-security/2013/01/30/1
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2013-03-04 23:17:52 UTC
CVE-2013-0242 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0242):
  Buffer overflow in the extend_buffers function in the regular expression
  matcher (posix/regexec.c) in glibc, possibly 2.17 and earlier, allows
  context-dependent attackers to cause a denial of service (memory corruption
  and crash) via crafted multibyte characters.
Comment 2 Hanno Böck gentoo-dev 2013-07-09 21:39:59 UTC
Fix is in 2.18:
http://sourceware.org/git/?p=glibc.git;a=blob_plain;f=NEWS;hb=HEAD
Comment 3 Chris Reffett (RETIRED) gentoo-dev Security 2013-10-08 03:18:22 UTC
Can the fix be backported to stable glibc versions?
Comment 4 SpanKY gentoo-dev 2014-02-18 19:29:45 UTC
no plans to backport to glibc-2.17 or older
Comment 5 Yury German Gentoo Infrastructure gentoo-dev Security 2015-03-03 03:28:34 UTC
Maintainer(s), please drop the vulnerable version(s).

Added to an existing GLSA Request.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2015-03-08 14:53:41 UTC
This issue was resolved and addressed in
 GLSA 201503-04 at http://security.gentoo.org/glsa/glsa-201503-04.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).