In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.
Upstream patch:
https://github.com/clearlinux-pkgs/glibc/blob/master/CVE-2019-9169.patch
https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=583dd860d5b833037175247230a328f0050dbfe9
References:
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142
https://sourceware.org/bugzilla/show_bug.cgi?id=24114
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34141
https://lists.gnu.org/archive/html/bug-gnulib/2019-01/msg00108.html
https://www.securityfocus.com/bid/107160
Created glibc tracking bugs for this issue: Affects: fedora-all [bug 1684058]
Can be reproduced by using the following: echo 0 | sed '/\(\)\(\1\(\)\1\(\)\)*/c0'
Hi,
For CVE-2019-9169-CVSS v3 Base Score-6.5 Will Not Fix
We have applied and installed the following mentioned upstream patch with reference to Bugzilla-1684057 (RedHat support portal).
Upstream patch:
https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=583dd860d5b833037175247230a328f0050dbfe9
And tried to reproduce in accord with the information that is given in the RedHat support portal (https://bugzilla.redhat.com/show_bug.cgi?id=1684057). **We followed Huzaifa S. Sidhpurwala's comment**. The comment is as follows:
Huzaifa S. Sidhpurwala 2019-03-05 06:26:32 UTC
Can be reproduced by using the following:
echo 0 | sed '/\(\)\(\1\(\)\1\(\)\)*/c0'
Initially we were getting Segmentation fault (core dumped) and after reproducing also the same Segmentation fault (core dumped) is occurring, so kindly provide your input(s) on it.
For better understanding, I am mentioning below all the links which we used, once again.
Links:
1. https://bugzilla.redhat.com/show_bug.cgi?id=1684057 (**The comment that was followed to reproduce is also given at the end of this page only**)
2. https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=583dd860d5b833037175247230a328f0050dbfe9
3. https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=583dd860d5b833037175247230a328f0050dbfe9
4. https://sourceware.org/git/?p=glibc.git;a=blobdiff;f=ChangeLog;h=62d732e6e7f821ca80d00aa2bf64637ece7d849d;hp=05e13e65f02542813b275181a856178511d3e3b9;hb=583dd860d5b833037175247230a328f0050dbfe9;hpb=2bac7daa58da1a313bd452369b0508b31e146637
5. https://sourceware.org/git/?p=glibc.git;a=blobdiff;f=posix/regexec.c;h=084b1222d95b62eb2930166060174ef78cb74b02;hp=91d5a797b82e2679ceab74238416de06693e46ea;hb=583dd860d5b833037175247230a328f0050dbfe9;hpb=2bac7daa58da1a313bd452369b0508b31e146637
BR,
Himanshu
(In reply to Himanshu92 from comment #6)
> Hi,
>
> For CVE-2019-9169-CVSS v3 Base Score-6.5 Will Not Fix
> We have applied and installed the following mentioned upstream patch with
> reference to Bugzilla-1684057 (RedHat support portal).
>
> Upstream patch:
>
> https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;
> h=583dd860d5b833037175247230a328f0050dbfe9
>
> And tried to reproduce in accord with the information that is given in the
> RedHat support portal (https://bugzilla.redhat.com/show_bug.cgi?id=1684057).
> **We followed Huzaifa S. Sidhpurwala's comment**, The comment is as follows:
>
> Huzaifa S. Sidhpurwala 2019-03-05 06:26:32 UTC
> Can be reproduced by using the following:
>
> echo 0 | sed '/\(\)\(\1\(\)\1\(\)\)*/c0'
>
> Initially we were getting Segmentation fault (core dumped) and after
> reproducing also the same Segmentation fault (core dumped) is occurring so
> kindly provide your input(s) on it.
>
>
> For better understanding,I am mentioning below all the links which we used,
> once again.
>
> {Links:
> 1.https://bugzilla.redhat.com/show_bug.cgi?id=1684057 (**The comment that
> was followed to reproduced is also given at the end of this page only**)
> 2.https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;
> h=583dd860d5b833037175247230a328f0050dbfe9
> 3.https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;
> h=583dd860d5b833037175247230a328f0050dbfe9
> 4.https://sourceware.org/git/?p=glibc.git;a=blobdiff;f=ChangeLog;
> h=62d732e6e7f821ca80d00aa2bf64637ece7d849d;
> hp=05e13e65f02542813b275181a856178511d3e3b9;
> hb=583dd860d5b833037175247230a328f0050dbfe9;
> hpb=2bac7daa58da1a313bd452369b0508b31e146637
> 5.https://sourceware.org/git/?p=glibc.git;a=blobdiff;f=posix/regexec.c;
> h=084b1222d95b62eb2930166060174ef78cb74b02;
> hp=91d5a797b82e2679ceab74238416de06693e46ea;
> hb=583dd860d5b833037175247230a328f0050dbfe9;
> hpb=2bac7daa58da1a313bd452369b0508b31e146637
>
> BR,
> Himanshu

Hi Himanshu, can you please take this to secalert?
We have a team that'll handle this query appropriately there. Thank you
Statement: As per upstream “resource exhaustion issues which can be triggered only with crafted patterns (either during compilation or execution) are not treated as security bugs”. The regular expression compiler in glibc is only supposed to be exposed to trusted content, therefore upstream does not consider this bug as a security vulnerability. (https://sourceware.org/glibc/wiki/Security%20Exceptions)
(In reply to Huzaifa S. Sidhpurwala from comment #3)
> Can be reproduced by using the following:
>
> echo 0 | sed '/\(\)\(\1\(\)\1\(\)\)*/c0'

FTR, this does not reproduce the buffer overflow, it results in a stack overflow, which upstream treats as a regular bug and not a security issue.
The correct reproducer is the following:
printf xxxxxxxxxxxxxx |valgrind src/grep -i '\(\(\)*.\)*\1'
where valgrind shows the overread.
Please note however that untrusted regular expressions still remain a bad idea and should be avoided.
Sorry, there's a typo in that reproducer; it should be:
printf xxxxxxxxxxxxxx | valgrind grep -i '\(\(\)*.\)*\1'
The upstream reproducer was based on a custom built grep but it's visible with system grep too.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2021:1585 https://access.redhat.com/errata/RHSA-2021:1585