public inbox for glibc-bugs-regex@sourceware.org
help / color / mirror / Atom feed
* [Bug regex/12896] New: regexec() stack overflow denial of service
@ 2011-06-16 3:07 yangdingning at gmail dot com
2011-06-18 13:20 ` [Bug regex/12896] " bonzini at gnu dot org
` (3 more replies)
0 siblings, 4 replies; 5+ messages in thread
From: yangdingning at gmail dot com @ 2011-06-16 3:07 UTC (permalink / raw)
To: glibc-bugs-regex
http://sourceware.org/bugzilla/show_bug.cgi?id=12896
Summary: regexec() stack overflow denial of service
Product: glibc
Version: unspecified
Status: NEW
Severity: normal
Priority: P2
Component: regex
AssignedTo: drepper.fsp@gmail.com
ReportedBy: yangdingning@gmail.com
An easy way to reproduce is:
$ echo | grep -E "(.*)\1{4}+"
Segmentation fault (core dumped)
$
This bug has been verified to exist in glibc 2.11.1 shipped with Ubuntu 10.04,
as well as the latest version from git repository. It may have security
implications as shown in the description of CVE-2010-4051 and CVE-2010-4052.
--
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 5+ messages in thread
* [Bug regex/12896] regexec() stack overflow denial of service
2011-06-16 3:07 [Bug regex/12896] New: regexec() stack overflow denial of service yangdingning at gmail dot com
@ 2011-06-18 13:20 ` bonzini at gnu dot org
2014-06-13 10:56 ` fweimer at redhat dot com
` (2 subsequent siblings)
3 siblings, 0 replies; 5+ messages in thread
From: bonzini at gnu dot org @ 2011-06-18 13:20 UTC (permalink / raw)
To: glibc-bugs-regex
http://sourceware.org/bugzilla/show_bug.cgi?id=12896
Paolo Bonzini <bonzini at gnu dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
CC| |bonzini at gnu dot org
Resolution| |INVALID
--- Comment #1 from Paolo Bonzini <bonzini at gnu dot org> 2011-06-18 13:20:13 UTC ---
This is not really a vulnerability in glibc; in various forms, it is common to
pretty much any regular expression engine.
In general, applications should not pass to regcomp regular expressions coming
from untrusted sources. The glibc implementations ensures that "good" regular
expressions, in particular not including very high repetition counts or
backreferences, do not cause anomalous stack usage in either regcomp or
regexec. This is usually a sufficient guarantee.
--
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 5+ messages in thread
* [Bug regex/12896] regexec() stack overflow denial of service
2011-06-16 3:07 [Bug regex/12896] New: regexec() stack overflow denial of service yangdingning at gmail dot com
2011-06-18 13:20 ` [Bug regex/12896] " bonzini at gnu dot org
@ 2014-06-13 10:56 ` fweimer at redhat dot com
2014-06-19 14:45 ` fweimer at redhat dot com
2015-02-24 11:58 ` fweimer at redhat dot com
3 siblings, 0 replies; 5+ messages in thread
From: fweimer at redhat dot com @ 2014-06-13 10:56 UTC (permalink / raw)
To: glibc-bugs-regex
https://sourceware.org/bugzilla/show_bug.cgi?id=12896
Florian Weimer <fweimer at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |REOPENED
CC| |fweimer at redhat dot com
Resolution|INVALID |---
Assignee|drepper.fsp at gmail dot com |unassigned at sourceware dot org
Flags| |security+
--- Comment #2 from Florian Weimer <fweimer at redhat dot com> ---
Back references are impossible to implement efficiently, but the glibc
implementation should at least avoid a stack overflow.
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 5+ messages in thread
* [Bug regex/12896] regexec() stack overflow denial of service
2011-06-16 3:07 [Bug regex/12896] New: regexec() stack overflow denial of service yangdingning at gmail dot com
2011-06-18 13:20 ` [Bug regex/12896] " bonzini at gnu dot org
2014-06-13 10:56 ` fweimer at redhat dot com
@ 2014-06-19 14:45 ` fweimer at redhat dot com
2015-02-24 11:58 ` fweimer at redhat dot com
3 siblings, 0 replies; 5+ messages in thread
From: fweimer at redhat dot com @ 2014-06-19 14:45 UTC (permalink / raw)
To: glibc-bugs-regex
https://sourceware.org/bugzilla/show_bug.cgi?id=12896
Florian Weimer <fweimer at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
See Also| |https://sourceware.org/bugz
| |illa/show_bug.cgi?id=17070
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 5+ messages in thread
* [Bug regex/12896] regexec() stack overflow denial of service
2011-06-16 3:07 [Bug regex/12896] New: regexec() stack overflow denial of service yangdingning at gmail dot com
` (2 preceding siblings ...)
2014-06-19 14:45 ` fweimer at redhat dot com
@ 2015-02-24 11:58 ` fweimer at redhat dot com
3 siblings, 0 replies; 5+ messages in thread
From: fweimer at redhat dot com @ 2015-02-24 11:58 UTC (permalink / raw)
To: glibc-bugs-regex
https://sourceware.org/bugzilla/show_bug.cgi?id=12896
Florian Weimer <fweimer at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Flags|security+ |security-
--- Comment #3 from Florian Weimer <fweimer at redhat dot com> ---
Flagging as security-, per the documented Security Exceptions for regcomp:
https://sourceware.org/glibc/wiki/Security%20Exceptions
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2015-02-24 11:58 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2011-06-16 3:07 [Bug regex/12896] New: regexec() stack overflow denial of service yangdingning at gmail dot com
2011-06-18 13:20 ` [Bug regex/12896] " bonzini at gnu dot org
2014-06-13 10:56 ` fweimer at redhat dot com
2014-06-19 14:45 ` fweimer at redhat dot com
2015-02-24 11:58 ` fweimer at redhat dot com
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).