CVE-2013-0242

glibc: Buffer overrun (DoS) in regexp matcher by processing multibyte characters

Severity Score

7.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Buffer overflow in the extend_buffers function in the regular expression matcher (posix/regexec.c) in glibc, possibly 2.17 and earlier, allows context-dependent attackers to cause a denial of service (memory corruption and crash) via crafted multibyte characters.

Desbordamiento de búfer en el metodo extend_buffers del comparador expresiónes regulares (posix / regexec.c) en glibc, posiblemente, v2.17 y anteriores, permite a atacantes dependientes de contexto provocar una denegación de servicio (corrupción de memoria y caída) mediante caracteres multibyte artesanales.

A flaw was found in the regular expression matching routines that process multibyte character input. If an application utilized the glibc regular expression matching mechanism, an attacker could provide specially-crafted input that, when processed, would cause the application to crash.

It was discovered that the GNU C Library incorrectly handled the strcoll() function. An attacker could use this issue to cause a denial of service, or possibly execute arbitrary code. It was discovered that the GNU C Library incorrectly handled multibyte characters in the regular expression matcher. An attacker could use this issue to cause a denial of service. It was discovered that the GNU C Library incorrectly handled large numbers of domain conversion results in the getaddrinfo() function. An attacker could use this issue to cause a denial of service. Various other issues were also addressed.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Partial

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2012-12-06 CVE Reserved
2013-02-08 CVE Published
2024-08-06 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

CAPEC

References (17)

URL	Tag	Source
http://osvdb.org/89747	Vdb Entry
http://secunia.com/advisories/55113	Third Party Advisory
http://sourceware.org/ml/libc-alpha/2013-01/msg00967.html	Mailing List
http://www.openwall.com/lists/oss-security/2013/01/30/5	Mailing List
http://www.securityfocus.com/bid/57638	Vdb Entry
http://www.securitytracker.com/id/1028063	Vdb Entry
http://www.vmware.com/security/advisories/VMSA-2014-0008.html	X_refsource_confirm
https://exchange.xforce.ibmcloud.com/vulnerabilities/81707	Vdb Entry

URL	Date	SRC

URL	Date	SRC
http://sourceware.org/bugzilla/show_bug.cgi?id=15078	2017-08-29

URL	Date	SRC
http://rhn.redhat.com/errata/RHSA-2013-0769.html	2017-08-29
http://rhn.redhat.com/errata/RHSA-2013-1605.html	2017-08-29
http://secunia.com/advisories/51951	2017-08-29
http://www.mandriva.com/security/advisories?name=MDVSA-2013:163	2017-08-29
http://www.ubuntu.com/usn/USN-1991-1	2017-08-29
https://security.gentoo.org/glsa/201503-04	2017-08-29
https://access.redhat.com/security/cve/CVE-2013-0242	2013-11-20
https://bugzilla.redhat.com/show_bug.cgi?id=905874	2013-11-20

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Gnu Search vendor "Gnu"		Glibc Search vendor "Gnu" for product "Glibc"				2.17 Search vendor "Gnu" for product "Glibc" and version "2.17"		-		Affected