FS#63221 : [security] [glibc] multiple issues (CVE-2019-9169 CVE-2019-5155 CVE-2018-20796 CVE-2016-10739)

FS#63221 - [security] [glibc] multiple issues (CVE-2019-9169 CVE-2019-5155 CVE-2018-20796 CVE-2016-10739)

Attached to Project: Arch Linux
Opened by Gabriel (Hotice321) - Wednesday, 17 July 2019, 22:22 GMT
Last edited by freswa (frederik) - Sunday, 13 September 2020, 16:11 GMT

Task Type	Bug Report
Category	Security
Status	Closed
Assigned To	Bartłomiej Piotrowski (Barthalion) Levente Polyak (anthraxx)
Architecture	All
Severity	High
Priority	Normal
Reported Version
Due in Version	Undecided
Due Date	Undecided
Percent Complete
Votes	0
Private	No

Details

Summary
=======

The package glibc is vulnerable to multiple issues including arbitrary code execution, denial of service and open redirect via CVE-2019-9169, CVE-2019-5155, CVE-2018-20796 and CVE-2016-10739.

Guidance
========

<give a short guidance for the maintainer.. what shall he/she do? include a patch? Just upgrade?>

References
==========

https://security.archlinux.org/AVG-855
https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=583dd860d5b833037175247230a328f0050dbfe9
https://sourceware.org/bugzilla/show_bug.cgi?id=24114
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=21513
http://git.savannah.gnu.org/cgit/gnulib.git/commit/?id=5513b40999149090987a0341c018d05d3eea1272
https://lists.gnu.org/archive/html/bug-gnulib/2019-01/msg00108.html
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34141
https://bugzilla.redhat.com/show_bug.cgi?id=1347549
https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=108bc4049f8ae82710aec26a92ffdb4b439c83fd he should be serious about what he do

This task depends upon

Closed by freswa (frederik)
Sunday, 13 September 2020, 16:11 GMT
Reason for closing: Not a bug

Comment by loqs (loqs) - Wednesday, 17 July 2019, 23:42 GMT

How did you check the package was vulnerable for all four issues referenced in AVG-855?

current glib is using commit 34fb5f61d3c3f4b8fc616ea259fa19168b58ecd4 [1]

CVE-2016-10739
git merge-base --is-ancestor 108bc4049f8ae82710aec26a92ffdb4b439c83fd 34fb5f61d3c3f4b8fc616ea259fa19168b58ecd4 && echo yes
yes
git merge-base --is-ancestor 6ca53a2453598804a2559a548a08424fca96434a 34fb5f61d3c3f4b8fc616ea259fa19168b58ecd4 && echo yes
yes
So fix has is present in current release

CVE-2018-20796
echo 0 | ./sed '/\(\)\(\1\(\)\1\(\)\)*/c0'
Segmentation fault (core dumped)
Issue still present

CVE-2019-5155
grep -E '0|()0|\1|0'
grep: Invalid back reference
Issue appears resolved

CVE-2019-9169
https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=4d0b1b0f61bfba034e9e76a1d76acc59c975238f was the cherry-pick of 583dd860d5b833037175247230a328f0050dbfe9
git merge-base --is-ancestor 4d0b1b0f61bfba034e9e76a1d76acc59c975238f 34fb5f61d3c3f4b8fc616ea259fa19168b58ecd4 && echo yes
yes
So fix has is present in current release

So from my analysis only CVE-2018-20796 is unaddressed.

[1] https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/glibc&id=784c29d8ac3d37ae420c82e075acbf842b6fa751#n17

Comment by Eli Schwartz (eschwartz) - Thursday, 18 July 2019, 05:04 GMT

And CVE-2018-20796 is supposedly an issue in gnulib, not glibc, so why is it even being reported or grouped in with the glibc bug?

Is it confirmed, or even researched, whether glibc has the same issue? Because the wondrous wonder of gnulib is that its whole purpose is to vendor bits of source code into lots and lots of projects (including glibc too, yes!) and even if gnulib fixes it, every program that uses regex functions from gnulib will need to be separately updated.

	Tasks related to this task (0)

Duplicate tasks of this task (0)

Arch Linux

FS#63221 - [security] [glibc] multiple issues (CVE-2019-9169 CVE-2019-5155 CVE-2018-20796 CVE-2016-10739)

Details

Loading...