In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match.

Upstream commit:
http://git.savannah.gnu.org/cgit/gnulib.git/commit/?id=5513b40999149090987a0341c018d05d3eea1272
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=eb04c21373e2a2885f3d52ff192b0499afe3c672

References:
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34238
https://sourceware.org/bugzilla/show_bug.cgi?id=11053
https://sourceware.org/bugzilla/show_bug.cgi?id=18986
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=32806
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=22793
Created glibc tracking bugs for this issue: Affects: fedora-28 [bug 1683684]
This issue was fixed in glibc-2.28
Created attachment 1544481 [details] Backport of upstream commits fixing CVE-2009-5155

I believe I've successfully backported the two commits which make it possible to fix this CVE for the glibc 2.17 of RHEL7. These patches are rebased on top of the existing RHEL7 patches. I'm uploading these here in case they'd be useful.

Maxim
Created attachment 1544482 [details] Backport of upstream commits fixing CVE-2009-5155 (patch 1/2)
Is there some reason why it has been nearly a year since there has been any progress toward releasing the fix for this issue for RHEL 7?