
CVE-2019-9169 GNU C library buffer over-read via case-insensitive regex match - DyslexicAtheist
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9169
======
DyslexicAtheist
2009: In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in
posix/regcomp.c misparses alternatives, which allows attackers to cause a
denial of service (assertion failure and application exit) or trigger an
incorrect result by attempting a regular-expression match.
[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5155](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5155)

2018: In the GNU C Library (aka glibc or libc6) through 2.29,
check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as
demonstrated by '(\227|)(\\\1\\\1|t1|\\\\\2537)+' in grep.
[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2079...](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20796)

