FS#63221 - [security] [glibc] multiple issues (CVE-2019-9169 CVE-2019-5155 CVE-2018-20796 CVE-2016-10739)
Attached to Project: Arch Linux
Opened by Gabriel (Hotice321) - Wednesday, 17 July 2019, 22:22 GMT
Last edited by freswa (frederik) - Sunday, 13 September 2020, 16:11 GMT
Current glibc is using commit 34fb5f61d3c3f4b8fc616ea259fa19168b58ecd4 [1]
CVE-2016-10739
git merge-base --is-ancestor 108bc4049f8ae82710aec26a92ffdb4b439c83fd 34fb5f61d3c3f4b8fc616ea259fa19168b58ecd4 && echo yes
yes
git merge-base --is-ancestor 6ca53a2453598804a2559a548a08424fca96434a 34fb5f61d3c3f4b8fc616ea259fa19168b58ecd4 && echo yes
yes
So the fix is present in the current release
CVE-2018-20796
echo 0 | ./sed '/\(\)\(\1\(\)\1\(\)\)*/c0'
Segmentation fault (core dumped)
Issue still present
CVE-2019-5155
grep -E '0|()0|\1|0'
grep: Invalid back reference
Issue appears resolved
CVE-2019-9169
https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=4d0b1b0f61bfba034e9e76a1d76acc59c975238f was the cherry-pick of 583dd860d5b833037175247230a328f0050dbfe9
git merge-base --is-ancestor 4d0b1b0f61bfba034e9e76a1d76acc59c975238f 34fb5f61d3c3f4b8fc616ea259fa19168b58ecd4 && echo yes
yes
So the fix is present in the current release
So from my analysis only CVE-2018-20796 is unaddressed.
[1] https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/glibc&id=784c29d8ac3d37ae420c82e075acbf842b6fa751#n17
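An added example, not part of the original report: the ancestry check used above, wrapped so that it accepts every commit id a fix is known under (the upstream commit and its cherry-pick, as with CVE-2019-9169) and separates "not in the release" from "git could not resolve the commit", which `&& echo yes` reports identically as no output. The helper names `check_fix` and `make_demo_repo`, the tags, and the demo repository are constructed for illustration.

```shell
#!/bin/sh
# check_fix REPO RELEASE COMMIT...   (hypothetical helper, added example)
# One verdict for a fix that exists under several commit ids (the upstream
# commit plus its cherry-picks onto release branches):
#   present  at least one listed commit is an ancestor of RELEASE
#   absent   every listed commit resolved, none is an ancestor
#   unknown  git failed for a commit (e.g. object missing from this clone)
check_fix() {
    repo=$1; release=$2; shift 2
    verdict=absent
    for c in "$@"; do
        rc=0
        git -C "$repo" merge-base --is-ancestor "$c" "$release" 2>/dev/null || rc=$?
        case $rc in
            0) echo present; return 0 ;;
            1) ;;                   # valid commit, not in RELEASE's history
            *) verdict=unknown ;;   # any other status is a git error
        esac
    done
    echo "$verdict"
}

# Constructed repository: a fix on the development branch (tag upstream-fix)
# cherry-picked onto a release branch (tag backport).
make_demo_repo() {
    d=$(mktemp -d) || return 1
    g() { git -C "$d" -c user.name=demo -c user.email=demo@example.invalid "$@" >/dev/null 2>&1; }
    g init && g commit --allow-empty -m base && g tag base || return 1
    echo patched > "$d/fix.c"
    g add fix.c && g commit -m fix && g tag upstream-fix || return 1
    g checkout -b release base &&
        g commit --allow-empty -m "release-only change" &&
        g cherry-pick upstream-fix && g tag backport || return 1
    echo "$d"
}

demo=$(make_demo_repo) || exit 1
check_fix "$demo" release upstream-fix            # absent
check_fix "$demo" release upstream-fix backport   # present
check_fix "$demo" release 0123456789abcdef0123456789abcdef01234567   # unknown
rm -rf "$demo"
```

An `unknown` verdict usually means the clone is shallow or lacks the branch the commit lives on, so it should be rechecked against a full clone rather than read as "unfixed".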
Is it confirmed, or even researched, whether glibc has the same issue? Because the wondrous wonder of gnulib is that its whole purpose is to vendor bits of source code into lots and lots of projects (including glibc too, yes!) and even if gnulib fixes it, every program that uses regex functions from gnulib will need to be separately updated.