From mboxrd@z Thu Jan 1 00:00:00 1970
Received: (qmail 14628 invoked by alias); 18 Jun 2011 13:20:30 -0000
Received: (qmail 14620 invoked by uid 22791); 18 Jun 2011 13:20:29 -0000
X-SWARE-Spam-Status: No, hits=-2.7 required=5.0 tests=ALL_TRUSTED,AWL,BAYES_00,TW_EG
X-Spam-Check-By: sourceware.org
Received: from localhost (HELO sourceware.org) (127.0.0.1) by sourceware.org (qpsmtpd/0.43rc1) with ESMTP; Sat, 18 Jun 2011 13:20:16 +0000
From: "bonzini at gnu dot org"
To: glibc-bugs-regex@sources.redhat.com
Subject: [Bug regex/12896] regexec() stack overflow denial of service
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: glibc
X-Bugzilla-Component: regex
X-Bugzilla-Keywords:
X-Bugzilla-Severity: normal
X-Bugzilla-Who: bonzini at gnu dot org
X-Bugzilla-Status: RESOLVED
X-Bugzilla-Priority: P2
X-Bugzilla-Assigned-To: drepper.fsp at gmail dot com
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Changed-Fields: Status CC Resolution
X-Bugzilla-URL: http://sourceware.org/bugzilla/
Auto-Submitted: auto-generated
Content-Type: text/plain; charset="UTF-8"
MIME-Version: 1.0
Date: Sat, 18 Jun 2011 13:20:00 -0000
Mailing-List: contact glibc-bugs-regex-help@sourceware.org; run by ezmlm
Precedence: bulk
Sender: glibc-bugs-regex-owner@sourceware.org
X-SW-Source: 2011-06/txt/msg00004.txt.bz2

http://sourceware.org/bugzilla/show_bug.cgi?id=12896

Paolo Bonzini changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 CC|                            |bonzini at gnu dot org
         Resolution|                            |INVALID

--- Comment #1 from Paolo Bonzini 2011-06-18 13:20:13 UTC ---
This is not really a vulnerability in glibc; in various forms, it is common to pretty much any regular expression engine. In general, applications should not pass to regcomp regular expressions coming from untrusted sources.

The glibc implementation ensures that "good" regular expressions, in particular not including very high repetition counts or backreferences, do not cause anomalous stack usage in either regcomp or regexec. This is usually a sufficient guarantee.
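
A pre-screen for the two pattern features the comment above names (backreferences and very high repetition counts), as an added example that is not part of the original message or of glibc. The helper names and the `MAX_REPEAT` limit are assumptions chosen for illustration.

```c
#include <regex.h>
#include <stddef.h>

#define MAX_REPEAT 255L   /* assumed policy limit, not a glibc constant */

/* Hypothetical helper: returns 1 if `p` contains no backreference (\1..\9)
 * and no interval bound above MAX_REPEAT, 0 otherwise. It does not parse
 * bracket expressions, so it can reject some harmless patterns. */
int pattern_is_conservative(const char *p)
{
    for (size_t i = 0; p[i] != '\0'; i++) {
        if (p[i] == '\\') {
            char next = p[i + 1];
            if (next == '\0')
                return 0;               /* trailing backslash */
            if (next >= '1' && next <= '9')
                return 0;               /* backreference */
            if (next != '{')
                i++;                    /* skip the escaped character */
            continue;                   /* "\{" (BRE interval) is checked next */
        }
        if (p[i] != '{')
            continue;
        /* Walk the digits of "{n", "{n,", "{n,m" and bound each number. */
        long n = 0;
        for (size_t j = i + 1; p[j] != '\0' && p[j] != '}'; j++) {
            if (p[j] >= '0' && p[j] <= '9') {
                n = n * 10 + (p[j] - '0');
                if (n > MAX_REPEAT)
                    return 0;           /* repetition count too high */
            } else if (p[j] == ',') {
                n = 0;                  /* start of the upper bound */
            } else {
                break;                  /* not an interval; literal '{' */
            }
        }
    }
    return 1;
}

/* Hypothetical wrapper: screen first, then compile as POSIX ERE. */
int compile_screened(regex_t *re, const char *pattern)
{
    if (!pattern_is_conservative(pattern))
        return REG_BADPAT;
    return regcomp(re, pattern, REG_EXTENDED | REG_NOSUB);
}
```

Nested intervals multiply, so a per-interval limit bounds each count but not their product; the screen narrows what reaches regcomp and does not replace the advice to keep untrusted patterns out of it.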