Bug 1127223 - (CVE-2009-5155) VUL-1: CVE-2009-5155: glibc: parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P4 - Low
Severity: Normal
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/225350/
Whiteboard: CVSSv3:SUSE:CVE-2009-5155:4.0:(AV:L/A...
Reported: 2019-02-27 15:34 UTC by Robert Frohl
Modified: 2020-06-10 07:59 UTC (History)
Found By: Security Response Team
Description Robert Frohl 2019-02-27 15:34:02 UTC
CVE-2009-5155

In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in
posix/regcomp.c misparses alternatives, which allows attackers to cause a denial
of service (assertion failure and application exit) or trigger an incorrect
result by attempting a regular-expression match.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-5155
https://sourceware.org/bugzilla/show_bug.cgi?id=18986
https://sourceware.org/bugzilla/show_bug.cgi?id=11053
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34238
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=eb04c21373e2a2885f3d52ff192b0499afe3c672
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=22793
http://git.savannah.gnu.org/cgit/gnulib.git/commit/?id=5513b40999149090987a0341c018d05d3eea1272
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=32806
Comment 7 Swamp Workflow Management 2019-04-30 13:10:04 UTC
SUSE-SU-2019:1102-1: An update that solves three vulnerabilities and has four fixes is now available.

Category: security (moderate)
Bug References: 1100396,1110661,1122729,1127223,1127308,1128574,1131994
CVE References: CVE-2009-5155,CVE-2016-10739,CVE-2019-9169
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    glibc-2.22-100.8.1
SUSE Linux Enterprise Server 12-SP4 (src):    glibc-2.22-100.8.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    glibc-2.22-100.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Swamp Workflow Management 2019-06-26 10:42:10 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2019-07-10.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/64309
Comment 15 Swamp Workflow Management 2019-07-18 12:58:58 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2019-08-01.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/64325
Comment 16 Swamp Workflow Management 2019-07-18 13:13:46 UTC
SUSE-SU-2019:1877-1: An update that solves two vulnerabilities and has three fixes is now available.

Category: security (moderate)
Bug References: 1117993,1123710,1127223,1127308,1131330
CVE References: CVE-2009-5155,CVE-2019-9169
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    glibc-2.26-13.24.1, glibc-utils-src-2.26-13.24.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    glibc-2.26-13.24.1
SUSE Linux Enterprise Module for Development Tools 15-SP1 (src):    glibc-2.26-13.24.1, glibc-utils-src-2.26-13.24.1
SUSE Linux Enterprise Module for Development Tools 15 (src):    glibc-2.26-13.24.1, glibc-utils-src-2.26-13.24.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    glibc-2.26-13.24.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    glibc-2.26-13.24.1
Comment 17 Swamp Workflow Management 2019-07-23 16:13:09 UTC
SUSE-SU-2019:1958-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1127223,1127308,1128574
CVE References: CVE-2009-5155,CVE-2019-9169
Sources used:
SUSE OpenStack Cloud 8 (src):    glibc-2.22-62.22.5
SUSE OpenStack Cloud 7 (src):    glibc-2.22-62.22.5
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    glibc-2.22-62.22.5
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    glibc-2.22-62.22.5
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    glibc-2.22-62.22.5
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    glibc-2.22-62.22.5
SUSE Linux Enterprise Server 12-SP2-BCL (src):    glibc-2.22-62.22.5
SUSE Enterprise Storage 5 (src):    glibc-2.22-62.22.5
SUSE Enterprise Storage 4 (src):    glibc-2.22-62.22.5
SUSE CaaS Platform 3.0 (src):    glibc-2.22-62.22.5
Comment 18 Swamp Workflow Management 2019-08-16 22:14:08 UTC
SUSE-SU-2019:1958-2: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1127223,1127308,1128574
CVE References: CVE-2009-5155,CVE-2019-9169
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    glibc-2.22-62.22.5
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    glibc-2.22-62.22.5
SUSE Linux Enterprise Server 12-SP3-BCL (src):    glibc-2.22-62.22.5
SUSE Enterprise Storage 5 (src):    glibc-2.22-62.22.5
HPE Helion Openstack 8 (src):    glibc-2.22-62.22.5