FS#63221 - [security] [glibc] multiple issues (CVE-2019-9169 CVE-2019-5155 CVE-2018-20796 CVE-2016-10739)

Attached to Project: Arch Linux
Opened by Gabriel (Hotice321) - Wednesday, 17 July 2019, 22:22 GMT
Last edited by freswa (frederik) - Sunday, 13 September 2020, 16:11 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To Bartłomiej Piotrowski (Barthalion)
Levente Polyak (anthraxx)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No
This task depends upon

Closed by  freswa (frederik)
Sunday, 13 September 2020, 16:11 GMT
Reason for closing:  Not a bug
Comment by loqs (loqs) - Wednesday, 17 July 2019, 23:42 GMT
How did you check the package was vulnerable for all four issues referenced in AVG-855?

current glibc is using commit 34fb5f61d3c3f4b8fc616ea259fa19168b58ecd4 [1]

git merge-base --is-ancestor 108bc4049f8ae82710aec26a92ffdb4b439c83fd 34fb5f61d3c3f4b8fc616ea259fa19168b58ecd4 && echo yes
git merge-base --is-ancestor 6ca53a2453598804a2559a548a08424fca96434a 34fb5f61d3c3f4b8fc616ea259fa19168b58ecd4 && echo yes
So the fix is present in the current release

echo 0 | ./sed '/\(\)\(\1\(\)\1\(\)\)*/c0'
Segmentation fault (core dumped)
Issue still present

grep -E '0|()0|\1|0'
grep: Invalid back reference
Issue appears resolved

https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=4d0b1b0f61bfba034e9e76a1d76acc59c975238f was the cherry-pick of 583dd860d5b833037175247230a328f0050dbfe9
git merge-base --is-ancestor 4d0b1b0f61bfba034e9e76a1d76acc59c975238f 34fb5f61d3c3f4b8fc616ea259fa19168b58ecd4 && echo yes
So the fix is present in the current release

So from my analysis only CVE-2018-20796 is unaddressed.

[1] https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/glibc&id=784c29d8ac3d37ae420c82e075acbf842b6fa751#n17
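The two checks in the comment above, a commit-ancestry test with git merge-base --is-ancestor and a crash probe whose exit status tells a clean rejection apart from a segfault, as an added example that is not part of the bug report or of Arch's packaging. It assumes git is installed; the repository it builds is a throwaway constructed for the demonstration (the tag names fix-merged, fix-unmerged and pkg are hypothetical stand-ins for the real fix and package commits), and the grep probe's result depends on the host's grep and libc, so no particular outcome is claimed for it.

```shell
#!/bin/sh
# Added example: verify that fix commits are contained in the commit a package
# builds from, and classify how a reproducer command ended.

# fix_present REPO FIX PKG
# Prints "present" if FIX is an ancestor of PKG (merge-base exit 0),
# "missing" if it is not (exit 1), and "unknown" if git could not resolve
# one of the names (exit 128). FIX and PKG may be hashes or refs.
fix_present() {
    rc=0
    git -C "$1" merge-base --is-ancestor "$2" "$3" 2>/dev/null || rc=$?
    case $rc in
        0) echo present ;;
        1) echo missing ;;
        *) echo unknown ;;
    esac
}

# probe_status 'COMMAND'
# Runs COMMAND under sh and reports whether it matched (exit 0), was
# rejected with an error (1..127), or died from a signal (128+N), which is
# the distinction that separated the sed and grep results in the report.
probe_status() {
    rc=0
    sh -c "$1" >/dev/null 2>&1 || rc=$?
    if [ "$rc" -ge 128 ]; then
        echo "crashed (signal $((rc - 128)))"
    elif [ "$rc" -eq 0 ]; then
        echo matched
    else
        echo "rejected (exit $rc)"
    fi
}

# make_demo_repo
# Builds a constructed throwaway repository (not the glibc tree): one fix that
# is on the line leading to the "pkg" commit, and one on a side branch that
# never reached it. Prints the repository path.
make_demo_repo() {
    dir=$(mktemp -d)
    g() { git -C "$dir" -c user.name=demo -c user.email=demo@example.invalid "$@"; }
    g init -q >/dev/null 2>&1
    g commit -q --allow-empty -m "base"
    g tag base
    g commit -q --allow-empty -m "regex: fix back-reference handling"
    g tag fix-merged
    g commit -q --allow-empty -m "commit the package builds from"
    g tag pkg
    g checkout -q -b side base
    g commit -q --allow-empty -m "fix that was never merged"
    g tag fix-unmerged
    echo "$dir"
}

# Stand-alone demo on the throwaway repository.
repo=$(make_demo_repo)
for fix in fix-merged fix-unmerged; do
    printf '%s: %s\n' "$fix" "$(fix_present "$repo" "$fix" pkg)"
done
# The grep probe from the report, fed one line so a grep that accepts the
# pattern does not block on stdin. The classification depends on the host.
printf 'grep probe: %s\n' "$(probe_status "printf '0\n' | grep -E '0|()0|\1|0'")"
rm -rf "$repo"
```

For a real check, point fix_present at a glibc clone with the fix commit hashes from the advisory and the commit hash pinned in the PKGBUILD; "unknown" usually means the clone is too old to contain the fix commit at all and needs a fetch before the answer means anything.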
Comment by Eli Schwartz (eschwartz) - Thursday, 18 July 2019, 05:04 GMT
And CVE-2018-20796 is supposedly an issue in gnulib, not glibc, so why is it even being reported or grouped in with the glibc bug?

Is it confirmed, or even researched, whether glibc has the same issue? Because the wondrous wonder of gnulib is that its whole purpose is to vendor bits of source code into lots and lots of projects (including glibc too, yes!) and even if gnulib fixes it, every program that uses regex functions from gnulib will need to be separately updated.