Описание
In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.
Отчет
As per upstream “resource exhaustion issues which can be triggered only with crafted patterns (either during compilation or execution) are not treated as security bugs”. The regular expression compiler in glibc is only supposed to be exposed to trusted content, therefore upstream does not consider this bug as a security vulnerability. (https://sourceware.org/glibc/wiki/Security%20Exceptions)
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 5 | glibc | Will not fix | ||
| Red Hat Enterprise Linux 6 | glibc | Will not fix | ||
| Red Hat Enterprise Linux 7 | glibc | Will not fix | ||
| Red Hat Enterprise Linux 8 | glibc | Fixed | RHSA-2021:1585 | 18.05.2021 |
| Red Hat Enterprise Linux 8 | glibc | Fixed | RHSA-2021:1585 | 18.05.2021 |
Показывать по
Дополнительная информация
Статус:
EPSS
6.5 Medium
CVSS3
Связанные уязвимости
In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.
In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.
In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_n ...
EPSS
6.5 Medium
CVSS3