Bug 1684057 (CVE-2019-9169)

Summary: CVE-2019-9169 glibc: regular-expression match via proceed_next_node in posix/regexec.c leads to heap-based buffer over-read
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
Hardware: All
OS: Linux
Fixed In Version: glibc 2.30
Last Closed: 2021-01-27 16:51:22 UTC
Reporter: msiddiqu
Assignee: Red Hat Product Security <security-response-team>
CC: ashankar, codonell, dj, fweimer, glibc-bugzilla, himanshu.mishra, mnewsome, pfrankli, sardella, sipoyare, yozone
Keywords: Security
Doc Type: If docs needed, set a value
Bug Depends On: 1684058, 1685400, 1685401, 1936864, 1968665, 1968666, 1968667
Bug Blocks: 1684060

Comment 1 msiddiqu 2019-02-28 10:34:35 UTC
Created glibc tracking bugs for this issue:

Affects: fedora-all [bug 1684058]

Comment 3 Huzaifa S. Sidhpurwala 2019-03-05 06:26:32 UTC
Can be reproduced by using the following:

echo 0 | sed '/\(\)\(\1\(\)\1\(\)\)*/c0'

Comment 6 Himanshu92 2020-04-01 08:52:37 UTC
Hi,

For CVE-2019-9169 (CVSS v3 Base Score 6.5, Will Not Fix):
We have applied and installed the following upstream patch with reference to Bugzilla 1684057 (Red Hat support portal).

Upstream patch:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=583dd860d5b833037175247230a328f0050dbfe9

And tried to reproduce in accordance with the information given in the Red Hat support portal (https://bugzilla.redhat.com/show_bug.cgi?id=1684057). **We followed Huzaifa S. Sidhpurwala's comment**; the comment is as follows:

Huzaifa S. Sidhpurwala 2019-03-05 06:26:32 UTC
Can be reproduced by using the following:

echo 0 | sed '/\(\)\(\1\(\)\1\(\)\)*/c0'

Initially we were getting Segmentation fault (core dumped), and after reproducing, the same Segmentation fault (core dumped) is also occurring, so kindly provide your input(s) on it.

For better understanding, I am mentioning below, once again, all the links which we used.

Links:
1. https://bugzilla.redhat.com/show_bug.cgi?id=1684057 (**The comment that was followed to reproduce is also given at the end of this page**)
2. https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=583dd860d5b833037175247230a328f0050dbfe9
3. https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=583dd860d5b833037175247230a328f0050dbfe9
4. https://sourceware.org/git/?p=glibc.git;a=blobdiff;f=ChangeLog;h=62d732e6e7f821ca80d00aa2bf64637ece7d849d;hp=05e13e65f02542813b275181a856178511d3e3b9;hb=583dd860d5b833037175247230a328f0050dbfe9;hpb=2bac7daa58da1a313bd452369b0508b31e146637
5. https://sourceware.org/git/?p=glibc.git;a=blobdiff;f=posix/regexec.c;h=084b1222d95b62eb2930166060174ef78cb74b02;hp=91d5a797b82e2679ceab74238416de06693e46ea;hb=583dd860d5b833037175247230a328f0050dbfe9;hpb=2bac7daa58da1a313bd452369b0508b31e146637

BR,
Himanshu

Comment 7 msiddiqu 2020-04-01 10:15:51 UTC
(In reply to Himanshu92 from comment #6)
> Hi,
> 
> For CVE-2019-9169 (CVSS v3 Base Score 6.5, Will Not Fix):
> We have applied and installed the following upstream patch with
> reference to Bugzilla 1684057 (Red Hat support portal).
> 
> Upstream patch:
> 
> https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;
> h=583dd860d5b833037175247230a328f0050dbfe9
> 
> And tried to reproduce in accordance with the information given in the
> Red Hat support portal (https://bugzilla.redhat.com/show_bug.cgi?id=1684057).
> **We followed Huzaifa S. Sidhpurwala's comment**; the comment is as follows:
> 
> Huzaifa S. Sidhpurwala 2019-03-05 06:26:32 UTC
> Can be reproduced by using the following:
> 
> echo 0 | sed '/\(\)\(\1\(\)\1\(\)\)*/c0'
> 
> Initially we were getting Segmentation fault (core dumped), and after
> reproducing, the same Segmentation fault (core dumped) is also occurring,
> so kindly provide your input(s) on it.
> 
> For better understanding, I am mentioning below, once again, all the links
> which we used.
> 
> Links:
> 1. https://bugzilla.redhat.com/show_bug.cgi?id=1684057 (**The comment that
> was followed to reproduce is also given at the end of this page**)
> 2. https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;
> h=583dd860d5b833037175247230a328f0050dbfe9
> 3. https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;
> h=583dd860d5b833037175247230a328f0050dbfe9
> 4. https://sourceware.org/git/?p=glibc.git;a=blobdiff;f=ChangeLog;
> h=62d732e6e7f821ca80d00aa2bf64637ece7d849d;
> hp=05e13e65f02542813b275181a856178511d3e3b9;
> hb=583dd860d5b833037175247230a328f0050dbfe9;
> hpb=2bac7daa58da1a313bd452369b0508b31e146637
> 5. https://sourceware.org/git/?p=glibc.git;a=blobdiff;f=posix/regexec.c;
> h=084b1222d95b62eb2930166060174ef78cb74b02;
> hp=91d5a797b82e2679ceab74238416de06693e46ea;
> hb=583dd860d5b833037175247230a328f0050dbfe9;
> hpb=2bac7daa58da1a313bd452369b0508b31e146637
> 
> BR,
> Himanshu

Hi Himanshu, can you please take this to secalert? We have a team there that'll handle this query appropriately.

Thank you

Comment 9 Huzaifa S. Sidhpurwala 2021-01-27 16:53:54 UTC
Statement:

As per upstream “resource exhaustion issues which can be triggered only with crafted patterns (either during compilation or execution) are not treated as security bugs”. The regular expression compiler in glibc is only supposed to be exposed to trusted content, therefore upstream does not consider this bug as a security vulnerability. (https://sourceware.org/glibc/wiki/Security%20Exceptions)

Comment 10 Siddhesh Poyarekar 2021-03-03 17:38:17 UTC
(In reply to Huzaifa S. Sidhpurwala from comment #3)
> Can be reproduced by using the following:
> 
> echo 0 | sed '/\(\)\(\1\(\)\1\(\)\)*/c0'

FTR, this does not reproduce the buffer overflow; it results in a stack overflow, which upstream treats as a regular bug and not a security issue. The correct reproducer is the following:

printf xxxxxxxxxxxxxx |valgrind src/grep -i '\(\(\)*.\)*\1'

where valgrind shows the over-read. Please note, however, that untrusted regular expressions still remain a bad idea and should be avoided.

Comment 11 Siddhesh Poyarekar 2021-03-04 14:31:51 UTC
Sorry, there's a typo in that reproducer; it should be:

printf xxxxxxxxxxxxxx | valgrind grep -i '\(\(\)*.\)*\1'

The upstream reproducer was based on a custom built grep but it's visible with system grep too.
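The same check carried out against libc directly, as an added example that is not part of the bug report: the C harness below feeds the comment 11 pattern and input to regcomp()/regexec() (the glibc code path in posix/regexec.c), so it can be run under valgrind without going through grep, and bre_has_backref() is an assumed defensive gate, following the advice in comment 10, that refuses untrusted BRE patterns containing a back-reference before they reach the regex engine.

```c
/* Added example, not from the bug report. It drives glibc's POSIX regex engine
 * (posix/regexec.c) with the comment 11 reproducer so the over-read can be
 * checked with valgrind against libc itself, and bre_has_backref() is an
 * assumed defensive gate (comment 10): refuse untrusted BRE patterns that
 * carry a back-reference \1..\9 before they reach regcomp(). */
#include <regex.h>
#include <stddef.h>
#include <stdio.h>

#define REPRO_PATTERN "\\(\\(\\)*.\\)*\\1"   /* from comment 11 */
#define REPRO_SUBJECT "xxxxxxxxxxxxxx"      /* from comment 11 */

/* Return 1 if a BRE pattern contains a back-reference, else 0. "\N" with N in
 * 1..9 is a back-reference; any other escaped char (including "\\") is skipped. */
int bre_has_backref(const char *pat)
{
    for (size_t i = 0; pat[i] != '\0'; i++) {
        if (pat[i] != '\\')
            continue;
        if (pat[i + 1] == '\0')
            break;
        if (pat[i + 1] >= '1' && pat[i + 1] <= '9')
            return 1;
        i++; /* skip the escaped character */
    }
    return 0;
}

/* Compile pat as a case-insensitive BRE (like grep -i) and run it over subject.
 * Returns 0 on match, REG_NOMATCH on no match, -1 if regcomp() fails. Run the
 * binary under valgrind on glibc < 2.30 to observe the heap over-read. */
int run_bre(const char *pat, const char *subject)
{
    regex_t re;
    if (regcomp(&re, pat, REG_ICASE) != 0)
        return -1;
    int rc = regexec(&re, subject, 0, NULL, 0);
    regfree(&re);
    return rc;
}

int main(void)
{
    if (bre_has_backref(REPRO_PATTERN))
        printf("pattern contains a back-reference: reject it if untrusted\n");
    printf("regexec result: %d (0 = match)\n", run_bre(REPRO_PATTERN, REPRO_SUBJECT));
    return 0;
}
```

Build with `cc -g harness.c -o harness` and run `valgrind ./harness`; a fixed glibc (2.30 or a patched build) reports no invalid reads.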

Comment 12 errata-xmlrpc 2021-05-18 13:24:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1585 https://access.redhat.com/errata/RHSA-2021:1585