Bug 1044858 (CVE-2017-9729)

Summary: VUL-1: CVE-2017-9729: uClibc: Stack exhaustion (uncontrolled recursion) in thecheck_dst_limits_calc_pos_1
Product: [Novell Products] SUSE Security Incidents Reporter: Johannes Segitz <jsegitz>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED WONTFIX QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P4 - Low CC: smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: openSUSE 42.2   
URL: https://smash.suse.de/issue/187012/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Johannes Segitz 2017-06-19 06:57:27 UTC
CVE-2017-9729

In uClibc 0.9.33.2, there is stack exhaustion (uncontrolled recursion) in the
check_dst_limits_calc_pos_1 function in misc/regex/regexec.c when processing a
crafted regular expression.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-9729
http://www.cvedetails.com/cve/CVE-2017-9729/
Comment 1 Ismail Dönmez 2017-08-02 10:56:56 UTC
I am not the maintainer and this package should be dropped from 42.2, already removed from TW.
Comment 2 Bernhard Wiedemann 2017-08-02 14:01:47 UTC
This is an autogenerated message for OBS integration:
This bug (1044858) was mentioned in
https://build.opensuse.org/request/show/514039 42.3 / lifecycle-data
Comment 3 Bernhard Wiedemann 2017-08-03 08:00:22 UTC
This is an autogenerated message for OBS integration:
This bug (1044858) was mentioned in
https://build.opensuse.org/request/show/514155 42.3 / lifecycle-data
Comment 4 Andreas Stieger 2017-08-03 08:45:50 UTC
No maintainer, deprecated upstream.
Marked as deprecated in 42.3 lifecycle data.
Comment 5 Bernhard Wiedemann 2017-08-03 10:01:06 UTC
This is an autogenerated message for OBS integration:
This bug (1044858) was mentioned in
https://build.opensuse.org/request/show/514160 42.3 / lifecycle-data