CVE-2010-4051

Name	CVE-2010-4051
Description	The regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (application crash) via a regular expression containing adjacent bounded repetitions that bypass the intended RE_DUP_MAX limitation, as demonstrated by a {10,}{10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD, related to a "RE_DUP_MAX overflow."
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
NVD severity	medium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
eglibc (PTS)	wheezy	2.13-38+deb7u10	vulnerable
	wheezy (security)	2.13-38+deb7u12	vulnerable
glibc (PTS)	jessie	2.19-18+deb8u9	vulnerable
	jessie (security)	2.19-18+deb8u10	vulnerable
	stretch	2.24-11	vulnerable
	stretch (security)	2.24-11+deb9u1	vulnerable
	buster, sid	2.24-12	vulnerable

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
eglibc	source	(unstable)	(unfixed)	unimportant
glibc	source	(unstable)	(unfixed)	unimportant

Notes

Deficiency in the regexp engine of glibc, while there implementations which
process such expressions more efficiently, imposing a limit lies within
the application accepting it from user input