GNU C Library "regcomp()" Stack Overflow Denial of Service

by Carol~ Moderator - 12/8/10 12:50 PM

In Reply to: VULNERABILITIES / FIXES - December 08, 2010 by Carol~ Moderator

Release Date : 2010-12-08

Criticality level : Not critical
Impact: DoS
Where : From remote
Solution Status : Unpatched

Software: GNU C Library (glibc) 2.x

A vulnerability has been discovered in the GNU C Library, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to a stack overflow within the implementation of the "regcomp()" function when processing certain regular expressions, which can be exploited to cause a crash in an application using this function on specially crafted regular expressions.

The vulnerability is confirmed in version 2.12.1. Other versions may also be affected.

Do not use the "regcomp()" function on untrusted input.

Provided and/or discovered by:
US-CERT credits Maksymilian Arciemowicz.

Original Advisory:
US-CERT VU#912279: