bug-gnulib

Re: two (and a half) more crashes in regex module


From: Eduardo A . Bustamante López
Subject: Re: two (and a half) more crashes in regex module
Date: Thu, 13 Sep 2018 09:22:01 -0700
User-agent: Mutt/1.10.1 (2018-07-13)

On Wed, Sep 12, 2018 at 09:23:54AM +0200, Tim Rühsen wrote:
(...)
> I stumbled upon the memory consumption (and slowness) a while ago, but
> it seems to be a well-known issue regarding
> https://sourceware.org/glibc/wiki/Security%20Exceptions.
> 
> So, never accept regex patterns from untrusted sources.

The linked document says:

| Consequently, resource exhaustion issues which can be triggered only with
| crafted patterns (either during compilation or execution) are not treated as
| security bugs. **(This does not mean we do not intend to fix such issues as
| regular bugs if possible.)**

So I think it's worth reporting.

If the `regex' implementation of gnulib is the same as glibc's, then I think this
report is related: https://sourceware.org/bugzilla/show_bug.cgi?id=20095


