Bug 1683150 (CVE-2018-20796)
| Field | Value |
|---|---|
| Summary | CVE-2018-20796 glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c |
| Product | [Other] Security Response |
| Component | vulnerability |
| Status | CLOSED NOTABUG |
| Severity | medium |
| Priority | medium |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Keywords | Security |
| Reporter | Dhananjay Arunesh <darunesh> |
| Assignee | Red Hat Product Security <security-response-team> |
| CC | aoliva, arjun.is, ashankar, codonell, dj, fweimer, glibc-bugzilla, law, mfabian, mnewsome, pfrankli, rth, siddhesh, ulisesfonseca35 |
| Last Closed | 2019-06-10 10:48:50 UTC |
| Bug Depends On | 1683153 |
| Bug Blocks | 1683152 |

Description
Dhananjay Arunesh
2019-02-26 10:47:05 UTC
Created glibc tracking bugs for this issue:

Affects: fedora-all [bug 1683153]

The regular expression compiler in glibc is only supposed to be exposed to trusted content, so this is not a security vulnerability:

“resource exhaustion issues which can be triggered only with crafted patterns (either during compilation or execution) are not treated as security bugs”

<https://sourceware.org/glibc/wiki/Security%20Exceptions>

Statement:

The regular expression compiler in glibc is only supposed to be exposed to trusted content, therefore this flaw is not classified as a security vulnerability.

(In reply to Florian Weimer from comment #2)
> The regular expression compiler in glibc is only supposed to be exposed to
> trusted content, so this is not a security vulnerability:
>
> “resource exhaustion issues which can be triggered only with crafted
> patterns (either during compilation or execution) are not treated as
> security bugs”
>
> <https://sourceware.org/glibc/wiki/Security%20Exceptions>

Hi Florian,

I'd like to know a bit about how the compiler in glibc is only supposed to be exposed to trusted content, what does "trusted content" mean?

This vulnerability is related to stack overflows due to recursion when processing patterns, according to the "Security Exceptions" document, this issue should be treated as a normal bug rather than a security issue.

I have 2 questions,

1.- Why is this specific condition “Stack overflow due to recursion when processing patterns” not considered a security problem?

2.- How does the compiler in glibc (which part of the source code) evaluate the "trusted content" helping to avoid stack overflows due to recursion when processing patterns?
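
Added example, not part of the bug report or of glibc: one way an application that has to accept patterns from an untrusted source can contain the stack overflow by recursion discussed above is to run `regcomp()`/`regexec()` in a child process with capped stack and CPU time. The name `match_untrusted`, the `RX_*` codes and the 1 MiB / 2 s budgets are assumptions of this example.

```c
#include <regex.h>
#include <signal.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Result codes (names are this example's own, not a glibc API). */
enum { RX_MATCH = 0, RX_NOMATCH = 1, RX_REJECTED = 2, RX_KILLED = 3, RX_ERROR = 4 };

/* Compile and run an untrusted POSIX ERE in a child process whose stack and
 * CPU time are capped, so that runaway recursion or backtracking inside
 * regcomp()/regexec() terminates the child instead of the caller. */
int match_untrusted(const char *pattern, const char *subject)
{
    pid_t pid = fork();
    if (pid < 0)
        return RX_ERROR;
    if (pid == 0) {
        struct rlimit stack = { 1 << 20, 1 << 20 };   /* 1 MiB; assumed budget */
        struct rlimit cpu = { 2, 2 };                 /* 2 s CPU; assumed budget */
        regex_t re;
        signal(SIGSEGV, SIG_DFL);   /* do not inherit a handler that hides the crash */
        if (setrlimit(RLIMIT_STACK, &stack) != 0 || setrlimit(RLIMIT_CPU, &cpu) != 0)
            _exit(RX_ERROR);
        if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
            _exit(RX_REJECTED);     /* syntax error or REG_ESPACE */
        switch (regexec(&re, subject, 0, NULL, 0)) {
        case 0:           _exit(RX_MATCH);
        case REG_NOMATCH: _exit(RX_NOMATCH);
        default:          _exit(RX_ERROR);
        }
    }
    int status;
    if (waitpid(pid, &status, 0) != pid)
        return RX_ERROR;
    if (WIFSIGNALED(status))        /* SIGSEGV (stack) or SIGXCPU/SIGKILL (CPU) */
        return RX_KILLED;
    return WIFEXITED(status) ? WEXITSTATUS(status) : RX_ERROR;
}

int main(void)
{
    /* Constructed sample inputs; neither pattern is from the bug report. */
    printf("%d\n", match_untrusted("^ab+c$", "abbbc"));
    printf("%d\n", match_untrusted("(unclosed", "abbbc"));
    return 0;
}
```

`RX_KILLED` tells the caller that the pattern exhausted its stack or CPU budget; the child's heap use is not capped here.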