Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20170209184530.darj47kpt4sg3mrw@jwilk.net>
Date: Thu, 9 Feb 2017 19:45:30 +0100
From: Jakub Wilk <jwilk@...lk.net>
To: oss-security@...ts.openwall.com
Subject: Re: Multiple DoS parsing and executing extended regex
 expressions in GNU libc

* Gustavo Grieco <gustavo.grieco@...il.com>, 2017-02-09, 14:24:
>We found a few extended regex expressions in GNU libc that will crash or abort 
>the execution of regcomp or regexec. For instance:
>
>\a?{1,32767}
>
>will immediately exhaust the stack calling calc_eclosure_iter in the 
>compilation.

FWIW, glibc's policy seems to be that DoS via crafted regexp is not considered 
a security problem: https://sourceware.org/glibc/wiki/Security%20Exceptions

"[...] resource exhaustion issues which can be triggered only with crafted 
patterns (either during compilation or execution) are not treated as security 
bugs. (This does not mean we do not intend to fix such issues as regular bugs 
if possible.)

However, during execution, crashes, infinite loops, buffer overflows and 
reading past buffers (read-only buffer overruns), memory leaks and other, 
similar bugs should be treated as security vulnerabilities, assuming that the 
pattern is trusted and reasonably structured."

-- 
Jakub Wilk

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.