Bug 1683150 (CVE-2018-20796)

Summary: CVE-2018-20796 glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c
Product: [Other] Security Response
Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: aoliva, arjun.is, ashankar, codonell, dj, fweimer, glibc-bugzilla, law, mfabian, mnewsome, pfrankli, rth, siddhesh, ulisesfonseca35
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-10 10:48:50 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1683153
Bug Blocks: 1683152

Description Dhananjay Arunesh 2019-02-26 10:47:05 UTC
In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\227|)(\\1\\1|t1|\\\2537)+' in grep.

Reference:
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34141

Comment 1 Dhananjay Arunesh 2019-02-26 10:49:10 UTC
Created glibc tracking bugs for this issue:

Affects: fedora-all [bug 1683153]

Comment 2 Florian Weimer 2019-02-26 11:00:38 UTC
The regular expression compiler in glibc is only supposed to be exposed to trusted content, so this is not a security vulnerability:

“resource exhaustion issues which can be triggered only with crafted patterns (either during compilation or execution) are not treated as security bugs”

<https://sourceware.org/glibc/wiki/Security%20Exceptions>
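
The exception quoted above places the responsibility on the caller: glibc's regex engine is meant to receive patterns the application already trusts. An application that nevertheless has to compile patterns it did not author can at least confine the damage. The C program below is an added example for this report, not glibc code and not something from the bug's participants: it runs regcomp and regexec in a forked worker with a CPU-time limit, so a crash in the worker (for instance a stack overflow from deep recursion) or a runaway match terminates only that worker, and the parent turns the wait status into a result code. The names match_isolated, worker and the match_result enum, and the sample patterns in main, are this example's own.

```c
/* Added example: isolate regcomp/regexec of a not-fully-trusted pattern in a
 * child process so that a crash or CPU blow-up cannot take down the caller.
 * Not part of glibc; the function and enum names are this example's own. */
#include <regex.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

enum match_result {
    MATCH_YES,          /* pattern compiled and matched the subject */
    MATCH_NO,           /* pattern compiled, no match */
    MATCH_BAD_PATTERN,  /* regcomp rejected the pattern */
    MATCH_CHILD_DIED,   /* worker killed by a signal, e.g. SIGSEGV from a stack overflow */
    MATCH_TIMEOUT,      /* worker exceeded its CPU budget (SIGXCPU / SIGKILL) */
    MATCH_INTERNAL      /* fork or waitpid failed, or the worker exited oddly */
};

/* Exit codes the worker uses to report back to the parent. */
enum { EXIT_MATCH = 0, EXIT_NOMATCH = 1, EXIT_BADPAT = 2 };

/* Runs only in the forked child: bound CPU time, compile, execute, exit. */
static void worker(const char *pattern, const char *subject, unsigned cpu_seconds)
{
    /* Soft limit raises SIGXCPU; the hard limit one second later raises SIGKILL. */
    struct rlimit rl = { .rlim_cur = cpu_seconds, .rlim_max = cpu_seconds + 1 };
    setrlimit(RLIMIT_CPU, &rl);   /* best effort: a failure here only weakens the time bound */

    regex_t re;
    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
        _exit(EXIT_BADPAT);
    int rc = regexec(&re, subject, 0, NULL, 0);
    regfree(&re);
    _exit(rc == 0 ? EXIT_MATCH : EXIT_NOMATCH);
}

/* Compile and run `pattern` against `subject` in an isolated worker process. */
enum match_result match_isolated(const char *pattern, const char *subject, unsigned cpu_seconds)
{
    pid_t pid = fork();
    if (pid < 0)
        return MATCH_INTERNAL;
    if (pid == 0)
        worker(pattern, subject, cpu_seconds);   /* never returns */

    int status;
    if (waitpid(pid, &status, 0) != pid)
        return MATCH_INTERNAL;
    if (WIFSIGNALED(status)) {
        int sig = WTERMSIG(status);
        return (sig == SIGXCPU || sig == SIGKILL) ? MATCH_TIMEOUT : MATCH_CHILD_DIED;
    }
    if (!WIFEXITED(status))
        return MATCH_INTERNAL;
    switch (WEXITSTATUS(status)) {
    case EXIT_MATCH:   return MATCH_YES;
    case EXIT_NOMATCH: return MATCH_NO;
    case EXIT_BADPAT:  return MATCH_BAD_PATTERN;
    default:           return MATCH_INTERNAL;
    }
}

int main(void)
{
    /* Constructed sample inputs: ordinary patterns chosen only to exercise the result codes. */
    static const char *names[] = { "match", "no match", "bad pattern",
                                   "worker died", "timeout", "internal error" };
    printf("%s\n", names[match_isolated("^a+b$", "aaab", 2)]);   /* match */
    printf("%s\n", names[match_isolated("^a+b$", "xyz", 2)]);    /* no match */
    printf("%s\n", names[match_isolated("a(", "x", 2)]);         /* bad pattern */
    return 0;
}
```

Both compilation and execution run inside the worker because the quoted exception covers resource exhaustion in either phase. The isolation does not make the pattern safe; it turns a process-killing fault into a reportable MATCH_CHILD_DIED or MATCH_TIMEOUT that the caller can log and act on, which is also a useful signal for detecting abusive pattern sources. Lowering RLIMIT_STACK in the worker, or capping the accepted pattern length before calling regcomp at all, are complementary measures left out here for brevity.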

Comment 3 Huzaifa S. Sidhpurwala 2019-03-06 05:41:51 UTC
Statement:

The regular expression compiler in glibc is only supposed to be exposed to trusted content, therefore this flaw is not classified as a security vulnerability.

Comment 4 ulisesfonseca35 2022-05-04 15:02:41 UTC
(In reply to Florian Weimer from comment #2)
> The regular expression compiler in glibc is only supposed to be exposed to
> trusted content, so this is not a security vulnerability:
> 
> “resource exhaustion issues which can be triggered only with crafted
> patterns (either during compilation or execution) are not treated as
> security bugs”
> 
> <https://sourceware.org/glibc/wiki/Security%20Exceptions>

Hi Florian,

I'd like to know a bit about how the compiler in glibc is only supposed to be exposed to trusted content; what does "trusted content" mean?

This vulnerability is related to stack overflows due to recursion when processing patterns; according to the "Security Exceptions" document, this issue should be treated as a normal bug rather than a security issue.

I have two questions:

1.- Why is this specific condition “Stack overflow due to recursion when processing patterns” not considered a security problem?
2.- How does the compiler in glibc (which part of the source code) evaluate the "trusted content" helping to avoid stack overflows due to recursion when processing patterns?