Bug 1683150 (CVE-2018-20796) - CVE-2018-20796 glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c
Status: CLOSED NOTABUG
Alias: CVE-2018-20796
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1683153
Blocks: 1683152
Reported: 2019-02-26 10:47 UTC by Dhananjay Arunesh
Modified: 2022-05-04 15:02 UTC (History)
Last Closed: 2019-06-10 10:48:50 UTC

Description Dhananjay Arunesh 2019-02-26 10:47:05 UTC
In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\227|)(\\1\\1|t1|\\\2537)+' in grep.

Reference:
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34141

Comment 1 Dhananjay Arunesh 2019-02-26 10:49:10 UTC
Created glibc tracking bugs for this issue:

Affects: fedora-all [bug 1683153]

Comment 2 Florian Weimer 2019-02-26 11:00:38 UTC
The regular expression compiler in glibc is only supposed to be exposed to trusted content, so this is not a security vulnerability:

“resource exhaustion issues which can be triggered only with crafted patterns (either during compilation or execution) are not treated as security bugs”

<https://sourceware.org/glibc/wiki/Security%20Exceptions>

Comment 3 Huzaifa S. Sidhpurwala 2019-03-06 05:41:51 UTC
Statement:

The regular expression compiler in glibc is only supposed to be exposed to trusted content, therefore this flaw is not classified as a security vulnerability.
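
As an added example (not part of this bug report and not glibc code): when a pattern does come from an untrusted source, an application can act on the policy quoted above by compiling and running it in a forked child with stack and CPU limits, so that runaway recursion ends the child instead of the caller. The helper name, the RX_* return codes and the limit values are assumptions, and the caller is assumed to be single-threaded.

```c
#include <regex.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum { RX_MATCH = 0, RX_NOMATCH = 1, RX_BADPATTERN = 2, RX_ABORTED = 3 };

/* Limit values are assumptions for illustration; tune them per workload.
 * If a limit cannot be set, the inherited limit simply stays in place. */
static void apply_limits(void)
{
    struct rlimit stack = { 8UL << 20, 8UL << 20 };  /* 8 MiB of stack   */
    struct rlimit cpu   = { 2, 2 };                  /* 2 s of CPU time  */
    setrlimit(RLIMIT_STACK, &stack);
    setrlimit(RLIMIT_CPU, &cpu);
}

/* Hypothetical helper: returns one of the RX_* codes above. */
int sandboxed_regex_match(const char *pattern, const char *subject)
{
    pid_t pid = fork();
    if (pid < 0)
        return RX_ABORTED;
    if (pid == 0) {                 /* child: all regex work happens here */
        regex_t re;
        apply_limits();
        if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
            _exit(RX_BADPATTERN);
        _exit(regexec(&re, subject, 0, NULL, 0) == 0 ? RX_MATCH : RX_NOMATCH);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return RX_ABORTED;
    /* A child killed by a signal (for example SIGSEGV on stack exhaustion
     * or SIGXCPU on the CPU limit) is reported as RX_ABORTED. */
    if (!WIFEXITED(status) || WEXITSTATUS(status) > RX_BADPATTERN)
        return RX_ABORTED;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Constructed sample inputs. */
    printf("%d\n", sandboxed_regex_match("a(b|c)+d", "xabcbd"));
    printf("%d\n", sandboxed_regex_match("(unclosed", "x"));
    return 0;
}
```

A caller would treat RX_ABORTED as a rejected pattern and log it, rather than retrying the same input.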

Comment 4 ulisesfonseca35 2022-05-04 15:02:41 UTC
(In reply to Florian Weimer from comment #2)
> The regular expression compiler in glibc is only supposed to be exposed to
> trusted content, so this is not a security vulnerability:
> 
> “resource exhaustion issues which can be triggered only with crafted
> patterns (either during compilation or execution) are not treated as
> security bugs”
> 
> <https://sourceware.org/glibc/wiki/Security%20Exceptions>

Hi Florian,

I'd like to know a bit about how the compiler in glibc is only supposed to be exposed to trusted content. What does "trusted content" mean?

This vulnerability is related to stack overflows due to recursion when processing patterns. According to the "Security Exceptions" document, this issue should be treated as a normal bug rather than a security issue.

I have 2 questions:

1.- Why is this specific condition “Stack overflow due to recursion when processing patterns” not considered a security problem?
2.- How does the compiler in glibc (which part of the source code) evaluate the "trusted content" helping to avoid stack overflows due to recursion when processing patterns?

