|
From: | Paul Eggert |
Subject: | Re: Report 3 bugs discoverd in gawk involving gnulib |
Date: | Wed, 3 Aug 2022 09:06:58 -0700 |
User-agent: | Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.11.0 |
On 8/3/22 02:38, YU Jiongchi wrote:
Greetings, I have found 3 different stack overflow vulnerabilities in gawk. The developer mentioned that these bugs come from the gnulibs. The bugs report and POC files are attached in the attachment. Please feel free to contact me.
Yes, this sort of problem is well-known. On most platforms these days the stack overflow is detected and the program aborted. On the remaining platforms the answer is "Don't do that", i.e., don't give potential attackers control of regular expressions that might cause excessive stack growth.
[Prev in Thread] | Current Thread | [Next in Thread] |