[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: two (and a half) more crashes in regex module

From: Eduardo A . Bustamante López
Subject: Re: two (and a half) more crashes in regex module
Date: Thu, 13 Sep 2018 09:22:01 -0700
User-agent: Mutt/1.10.1 (2018-07-13)

On Wed, Sep 12, 2018 at 09:23:54AM +0200, Tim Rühsen wrote:
> I stumbled upon the memory consumption (and slowness) a while ago, but
> it seems to be a well-known issue regarding
> https://sourceware.org/glibc/wiki/Security%20Exceptions.
> So, never accept regex patterns from untrusted sources.

The linked document says:

| Consequently, resource exhaustion issues which can be triggered only with
| crafted patterns (either during compilation or execution) are not treated as
| security bugs. **(This does not mean we do not intend to fix such issues as
| regular bugs if possible.)**

So I think it's worth reporting.

If the `regex' implementation of gnulib is the same as glibc, then I think this
report is related: https://sourceware.org/bugzilla/show_bug.cgi?id=20095

reply via email to

[Prev in Thread] Current Thread [Next in Thread]