Bug 1684057 (CVE-2019-9169) - CVE-2019-9169 glibc: regular-expression match via proceed_next_node in posix/regexec.c leads to heap-based buffer over-read
Summary: CVE-2019-9169 glibc: regular-expression match via proceed_next_node in posix/...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2019-9169
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1684058 1685400 1685401 1936864 1968665 1968666 1968667
Blocks: 1684060
TreeView+ depends on / blocked
 
Reported: 2019-02-28 10:34 UTC by msiddiqu
Modified: 2021-06-17 15:55 UTC (History)
11 users (show)

Fixed In Version: glibc 2.30
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-01-27 16:51:22 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:1585 0 None None None 2021-06-17 15:55:11 UTC

Comment 1 msiddiqu 2019-02-28 10:34:35 UTC
Created glibc tracking bugs for this issue:

Affects: fedora-all [bug 1684058]

Comment 3 Huzaifa S. Sidhpurwala 2019-03-05 06:26:32 UTC
Can be reproduced by using the following:

echo 0 | sed '/\(\)\(\1\(\)\1\(\)\)*/c0'

Comment 6 Himanshu92 2020-04-01 08:52:37 UTC
Hi,

For CVE-2019-9169-CVSS v3 Base Score-6.5 Will Not Fix 
We have applied and installed the following mentioned upstream patch with reference to Bugzilla-1684057 (RedHat support portal).

Upstream patch:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=583dd860d5b833037175247230a328f0050dbfe9

And tried to reproduce in accord with the information that is given in the RedHat support portal (https://bugzilla.redhat.com/show_bug.cgi?id=1684057). **We followed Huzaifa S. Sidhpurwala's comment**, The comment is as follows:

Huzaifa S. Sidhpurwala 2019-03-05 06:26:32 UTC
Can be reproduced by using the following:

echo 0 | sed '/\(\)\(\1\(\)\1\(\)\)*/c0'

Initially we were getting Segmentation fault (core dumped) and after reproducing also the same Segmentation fault (core dumped) is occurring so kindly provide your input(s) on it. 


For better understanding,I am mentioning below all the links which we used, once again. 

{Links:
1.https://bugzilla.redhat.com/show_bug.cgi?id=1684057 (**The comment that was followed to reproduced is also given at the end of this page only**)
2.https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=583dd860d5b833037175247230a328f0050dbfe9
3.https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=583dd860d5b833037175247230a328f0050dbfe9
4.https://sourceware.org/git/?p=glibc.git;a=blobdiff;f=ChangeLog;h=62d732e6e7f821ca80d00aa2bf64637ece7d849d;hp=05e13e65f02542813b275181a856178511d3e3b9;hb=583dd860d5b833037175247230a328f0050dbfe9;hpb=2bac7daa58da1a313bd452369b0508b31e146637
5.https://sourceware.org/git/?p=glibc.git;a=blobdiff;f=posix/regexec.c;h=084b1222d95b62eb2930166060174ef78cb74b02;hp=91d5a797b82e2679ceab74238416de06693e46ea;hb=583dd860d5b833037175247230a328f0050dbfe9;hpb=2bac7daa58da1a313bd452369b0508b31e146637

BR,
Himanshu

Comment 7 msiddiqu 2020-04-01 10:15:51 UTC
(In reply to Himanshu92 from comment #6)
> Hi,
> 
> For CVE-2019-9169-CVSS v3 Base Score-6.5 Will Not Fix 
> We have applied and installed the following mentioned upstream patch with
> reference to Bugzilla-1684057 (RedHat support portal).
> 
> Upstream patch:
> 
> https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;
> h=583dd860d5b833037175247230a328f0050dbfe9
> 
> And tried to reproduce in accord with the information that is given in the
> RedHat support portal (https://bugzilla.redhat.com/show_bug.cgi?id=1684057).
> **We followed Huzaifa S. Sidhpurwala's comment**, The comment is as follows:
> 
> Huzaifa S. Sidhpurwala 2019-03-05 06:26:32 UTC
> Can be reproduced by using the following:
> 
> echo 0 | sed '/\(\)\(\1\(\)\1\(\)\)*/c0'
> 
> Initially we were getting Segmentation fault (core dumped) and after
> reproducing also the same Segmentation fault (core dumped) is occurring so
> kindly provide your input(s) on it. 
> 
> 
> For better understanding,I am mentioning below all the links which we used,
> once again. 
> 
> {Links:
> 1.https://bugzilla.redhat.com/show_bug.cgi?id=1684057 (**The comment that
> was followed to reproduced is also given at the end of this page only**)
> 2.https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;
> h=583dd860d5b833037175247230a328f0050dbfe9
> 3.https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;
> h=583dd860d5b833037175247230a328f0050dbfe9
> 4.https://sourceware.org/git/?p=glibc.git;a=blobdiff;f=ChangeLog;
> h=62d732e6e7f821ca80d00aa2bf64637ece7d849d;
> hp=05e13e65f02542813b275181a856178511d3e3b9;
> hb=583dd860d5b833037175247230a328f0050dbfe9;
> hpb=2bac7daa58da1a313bd452369b0508b31e146637
> 5.https://sourceware.org/git/?p=glibc.git;a=blobdiff;f=posix/regexec.c;
> h=084b1222d95b62eb2930166060174ef78cb74b02;
> hp=91d5a797b82e2679ceab74238416de06693e46ea;
> hb=583dd860d5b833037175247230a328f0050dbfe9;
> hpb=2bac7daa58da1a313bd452369b0508b31e146637
> 
> BR,
> Himanshu

Hi Himanshu, can you please take this to secalert@redhat.com ? We have a team that'll handle this query appropriately there. 

Thank you

Comment 9 Huzaifa S. Sidhpurwala 2021-01-27 16:53:54 UTC
Statement:

As per upstream “resource exhaustion issues which can be triggered only with crafted patterns (either during compilation or execution) are not treated as security bugs”. The regular expression compiler in glibc is only supposed to be exposed to trusted content, therefore upstream does not consider this bug as a security vulnerability. (https://sourceware.org/glibc/wiki/Security%20Exceptions)

Comment 10 Siddhesh Poyarekar 2021-03-03 17:38:17 UTC
(In reply to Huzaifa S. Sidhpurwala from comment #3)
> Can be reproduced by using the following:
> 
> echo 0 | sed '/\(\)\(\1\(\)\1\(\)\)*/c0'

FTR, this does not reproduce the buffer overflow, it results in a stack overflow, which upstream treats as a regular bug and not a security issue.  The correct reproducer is the following:

printf xxxxxxxxxxxxxx |valgrind src/grep -i '\(\(\)*.\)*\1'

where valgrind shows the overread.  Please note however that untrusted regular expressions still remain a bad idea and should be avoided.

Comment 11 Siddhesh Poyarekar 2021-03-04 14:31:51 UTC
Sorry, there's a typo in that reproducer; it should be:

printf xxxxxxxxxxxxxx | valgrind grep -i '\(\(\)*.\)*\1'

The upstream reproducer was based on a custom built grep but it's visible with system grep too.

Comment 12 errata-xmlrpc 2021-05-18 13:24:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1585 https://access.redhat.com/errata/RHSA-2021:1585


Note You need to log in before you can comment on or make changes to this bug.