From ${URL} :

In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\227|)(\\1\\1|t1|\\\2537)+' in grep.

Reference: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34141

END

Disclaimer: the comment from Florian Weimer says: the regular expression compiler in glibc is only supposed to be exposed to trusted content, so this is not a security vulnerability: “resource exhaustion issues which can be triggered only with crafted patterns (either during compilation or execution) are not treated as security bugs” <https://sourceware.org/glibc/wiki/Security%20Exceptions>

So since there is already a CVE, and since glibc is an important package, let's track it for now.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
> Disclaimer:
> the comment from Florian Weimer says:
> the regular expression compiler in glibc is only supposed to be exposed to
> trusted content, so this is not a security vulnerability:
> “resource exhaustion issues which can be triggered only with crafted
> patterns (either during compilation or execution) are not treated as
> security bugs”
> <https://sourceware.org/glibc/wiki/Security%20Exceptions>
>
>
> So since there is already a CVE, and since glibc is an important package,
> let's track it for now.

What's the point of tracking it, if upstream says it's not a bug and no one will ever do anything about it?
As per upstream and Red Hat.

Statement: The regular expression compiler in glibc is only supposed to be exposed to trusted content, therefore this flaw is not classified as a security vulnerability.

Closing bug, no reason to track.