In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match.
Created glibc tracking bugs for this issue:
Affects: fedora-28 [bug 1683684]
This issue was fixed in glibc-2.28
Created attachment 1544481 [details]
Backport of upstream commits fixing CVE-2009-5155
I believe I've successfully backported the two commits which makes it possible to fix this CVE for the glibc 2.17 of RHEL7.
Theses patches are rebased on top of the existing RHEL7 patches.
I'm uploading these here in case they'd be useful.
Created attachment 1544482 [details]
Backport of upstream commits fixing CVE-2009-5155 (patch 1/2)
Is there some reason why it has been nearly a year since there has been any progress toward releasing the fix for this issue for RHEL 7?