[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: two (and a half) more crashes in regex module

From: Tim Rühsen
Subject: Re: two (and a half) more crashes in regex module
Date: Fri, 14 Sep 2018 10:00:06 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.0

On 9/13/18 6:22 PM, Eduardo A. Bustamante López wrote:
> On Wed, Sep 12, 2018 at 09:23:54AM +0200, Tim Rühsen wrote:
> (...)
>> I stumbled upon the memory consumption (and slowness) a while ago, but
>> it seems to be a well-known issue regarding
>> https://sourceware.org/glibc/wiki/Security%20Exceptions.
>> So, never accept regex patterns from untrusted sources.
> The linked document says:
> | Consequently, resource exhaustion issues which can be triggered only with
> | crafted patterns (either during compilation or execution) are not treated as
> | security bugs. **(This does not mean we do not intend to fix such issues as
> | regular bugs if possible.)**
> So I think it's worth reporting.
> If the `regex' implementation of gnulib is the same as glibc, then I think 
> this
> report is related: https://sourceware.org/bugzilla/show_bug.cgi?id=20095

Of course it is worth reporting if it hasn't already been reported.

A while ago I fuzzed the command line options of wget/wget2 and since
there are two that take regex patterns, I quickly ran into the OOM/abort
situation, as well as experiencing extrem slowness. And that even for
short regex patterns that didn't look too weird.

I don't have the links at hand, but I remember several similar issues
been reported at sourceware.org/bugzilla. At least one of it had a
comment linking to the 'Security Exceptions' page, also saying that is
expected behavior, wontfix etc. I took that as 'official' statement to
that group of regex issues.

Since then I exclude regcomp()/regexec() from fuzzing :-(

Apart from that, I consider Assaf's other findings to be real bugs that
needs to be reported/fixed.

Regards, Tim

Attachment: signature.asc
Description: OpenPGP digital signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]