Re: two (and a half) more crashes in regex module
From: Eduardo A. Bustamante López
Subject: Re: two (and a half) more crashes in regex module
Date: Thu, 13 Sep 2018 09:22:01 -0700
User-agent: Mutt/1.10.1 (2018-07-13)
On Wed, Sep 12, 2018 at 09:23:54AM +0200, Tim Rühsen wrote:
(...)
> I stumbled upon the memory consumption (and slowness) a while ago, but
> it seems to be a well-known issue regarding
> https://sourceware.org/glibc/wiki/Security%20Exceptions.
>
> So, never accept regex patterns from untrusted sources.
The linked document says:
| Consequently, resource exhaustion issues which can be triggered only with
| crafted patterns (either during compilation or execution) are not treated as
| security bugs. **(This does not mean we do not intend to fix such issues as
| regular bugs if possible.)**
So I think it's worth reporting.
If the `regex' implementation of gnulib is the same as glibc, then I think this
report is related: https://sourceware.org/bugzilla/show_bug.cgi?id=20095
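Added example, not part of this thread and not gnulib or glibc code: the message above says that crafted patterns can make the regex engine consume large amounts of memory or time, and that such patterns should never be accepted from untrusted sources. Where a program cannot avoid compiling a pattern it did not author, one containment option is to run regcomp()/regexec() in a forked child capped by RLIMIT_AS and an alarm(), so the worst a pathological pattern can do is kill the child. The function name, the result codes and the limits (256-byte pattern, 256 MiB, 2 seconds) are assumptions chosen for the illustration.

```c
/* Added example, not code from this thread, gnulib or glibc: compile and run a
 * regex that came from an untrusted source inside a forked child capped by
 * RLIMIT_AS and an alarm, so a pathological pattern can only exhaust the
 * child, never the process that received it. Names and limits are made up. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcome codes; the child passes them back through its exit status. */
enum guarded_result {
    GR_MATCH = 0,        /* pattern compiled and matched the subject */
    GR_NOMATCH = 1,      /* pattern compiled, no match */
    GR_BAD_PATTERN = 2,  /* refused before regcomp (too long) or by it (syntax) */
    GR_LIMIT_HIT = 3,    /* memory cap, time cap or a crash in the child */
    GR_ERROR = 4         /* fork/wait failure in the parent */
};

int guarded_regex_match(const char *pattern, const char *subject,
                        size_t max_pattern_len, rlim_t mem_limit_bytes,
                        unsigned timeout_sec)
{
    /* Cheap gate first: an untrusted pattern longer than the program ever
     * expects is refused without spending a fork on it. */
    if (strlen(pattern) > max_pattern_len)
        return GR_BAD_PATTERN;

    pid_t pid = fork();
    if (pid < 0)
        return GR_ERROR;

    if (pid == 0) {
        /* Child: lower the address-space soft limit (never above the hard
         * limit, so setrlimit cannot fail with EPERM) and arm a timer. */
        struct rlimit rl;
        if (getrlimit(RLIMIT_AS, &rl) == 0) {
            if (rl.rlim_max == RLIM_INFINITY || mem_limit_bytes < rl.rlim_max)
                rl.rlim_cur = mem_limit_bytes;
            else
                rl.rlim_cur = rl.rlim_max;
            setrlimit(RLIMIT_AS, &rl);
        }
        alarm(timeout_sec);   /* SIGALRM terminates a child that runs away */

        regex_t re;
        int rc = regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB);
        if (rc == REG_ESPACE)
            _exit(GR_LIMIT_HIT);     /* compiler ran out of memory under the cap */
        if (rc != 0)
            _exit(GR_BAD_PATTERN);   /* syntax error, e.g. unbalanced parenthesis */
        rc = regexec(&re, subject, 0, NULL, 0);
        regfree(&re);
        if (rc == REG_ESPACE)
            _exit(GR_LIMIT_HIT);     /* matcher ran out of memory under the cap */
        _exit(rc == 0 ? GR_MATCH : GR_NOMATCH);
    }

    /* Parent: wait and translate the child's fate into a result code. */
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return GR_ERROR;
    if (WIFSIGNALED(status))
        return GR_LIMIT_HIT;   /* SIGALRM (timeout) or a crash under the memory cap */
    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    return GR_ERROR;
}

int main(void)
{
    /* Constructed inputs; the limits are illustrative, not tuned values. */
    const rlim_t cap = (rlim_t)256 << 20;   /* 256 MiB */
    printf("%d\n", guarded_regex_match("^ab+c$", "abbbc", 256, cap, 2)); /* 0: match */
    printf("%d\n", guarded_regex_match("^ab+c$", "abd", 256, cap, 2));   /* 1: no match */
    printf("%d\n", guarded_regex_match("a(b", "abc", 256, cap, 2));      /* 2: bad pattern */
    return 0;
}
```

A child that dies on a signal is reported as GR_LIMIT_HIT whether the cause was the alarm or an allocation failure turning into a crash, so the caller only has to decide what to do with a pattern that exceeded its budget, not why. The length gate is deliberately separate from the sandbox: it costs nothing and already rejects most oversized inputs before any fork happens.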