From ${URL} : Multiple vulnerabilities were reported in uClibc.

CVE-2017-9728: In uClibc 0.9.33.2, there is an out-of-bounds read in the get_subexp function in misc/regex/regexec.c when processing a crafted regular expression.

CVE-2017-9729: In uClibc 0.9.33.2, there is stack exhaustion (uncontrolled recursion) in the check_dst_limits_calc_pos_1 function in misc/regex/regexec.c when processing a crafted regular expression.

References: http://seclists.org/oss-sec/2017/q2/486

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know whether it is ready for stabilization or not.
There can be no bump. sys-libs/uclibc is dead. We should deprecate it in favor of uclibc-ng. If it's okay with security, we can convert this bug to a tree-cleaning bug for uclibc.
Sounds good. I created a PR to trigger CI for testing: https://github.com/gentoo/gentoo/pull/5004
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=529be4a42d75f06382a901cf12105802b2b28adf
sys-libs/uclibc has been removed from the tree.