heap-based buffer over-read in glibc CVE-2019-9169 critical remote [released]

Tracked by Jolla (In release)

asked 2019-07-24 15:05:09 +0200

this post is marked as community wiki

This post is a wiki. Anyone with karma >75 is welcome to improve it.

updated 2019-07-24 17:41:26 +0200

lpr gravatar image

(MER#2047)

https://nvd.nist.gov/vuln/detail/CVE-2019-9169

In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match. CVSS3_base_score: 9.8 critical

This CVE and CVE-2019-6488 CVE-2016-10739 CVE-2019-7309 and CVE-2018-19591 should be fixed through update glibc-2.28 vanilla to debian-glibc-2.28-10 .

edit retag flag offensive reopen delete

The question has been closed for the following reason "released in a software update" by lpr
close date 2019-12-13 00:00:15.432532

Comments

Thanks for reporting.

Sage ( 2019-07-24 15:30:16 +0200 )edit

@lpr released in SFOS 3.2.1.19 Nuuksio

lpr ( 2019-12-12 23:59:43 +0200 )edit