Arch Linux

Please read this before reporting a bug:
https://wiki.archlinux.org/index.php/Reporting_Bug_Guidelines

Do NOT report bugs when a package is just outdated, or it is in Unsupported. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!
Tasklist

FS#63221 - [glibc] [Security] multiple issues (CVE-2019-9169 CVE-2019-5155 CVE-2018-20796 CVE-2016-10739)

Attached to Project: Arch Linux
Opened by Gabriel (Hotice321) - Wednesday, 17 July 2019, 22:22 GMT
Task Type Bug Report
Category Security
Status Unconfirmed
Assigned To No-one
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 0%
Votes 0
Private No
This task depends upon

Comment by loqs (loqs) - Wednesday, 17 July 2019, 23:42 GMT
How did you check the package was vulnerable for all four issues referenced in AVG-855?

current glib is using commit 34fb5f61d3c3f4b8fc616ea259fa19168b58ecd4 [1]

CVE-2016-10739
git merge-base --is-ancestor 108bc4049f8ae82710aec26a92ffdb4b439c83fd 34fb5f61d3c3f4b8fc616ea259fa19168b58ecd4 && echo yes
yes
git merge-base --is-ancestor 6ca53a2453598804a2559a548a08424fca96434a 34fb5f61d3c3f4b8fc616ea259fa19168b58ecd4 && echo yes
yes
So fix has is present in current release

CVE-2018-20796
echo 0 | ./sed '/\(\)\(\1\(\)\1\(\)\)*/c0'
Segmentation fault (core dumped)
Issue still present

CVE-2019-5155
grep -E '0|()0|\1|0'
grep: Invalid back reference
Issue appears resolved

CVE-2019-9169
https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=4d0b1b0f61bfba034e9e76a1d76acc59c975238f was the cherry-pick of 583dd860d5b833037175247230a328f0050dbfe9
git merge-base --is-ancestor 4d0b1b0f61bfba034e9e76a1d76acc59c975238f 34fb5f61d3c3f4b8fc616ea259fa19168b58ecd4 && echo yes
yes
So fix has is present in current release

So from my analysis only CVE-2018-20796 is unaddressed.

[1] https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/glibc&id=784c29d8ac3d37ae420c82e075acbf842b6fa751#n17
Comment by Eli Schwartz (eschwartz) - Thursday, 18 July 2019, 05:04 GMT
And CVE-2018-20796 is supposedly an issue in gnulib, not glibc, so why is it even being reported or grouped in with the glibc bug?

Is it confirmed, or even researched, whether glibc has the same issue? Because the wondrous wonder of gnulib is that its whole purpose is to vendor bits of source code into lots and lots of projects (including glibc too, yes!) and even if gnulib fixes it, every program that uses regex functions from gnulib will need to be separately updated.

Loading...