public inbox for glibc-bugs@sourceware.org
* [Bug manual/25973] New: Document regex security posture in man page
@ 2020-05-11 15:49 dpmendenhall at gmail dot com
2020-05-11 15:59 ` [Bug manual/25973] " dpmendenhall at gmail dot com
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: dpmendenhall at gmail dot com @ 2020-05-11 15:49 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=25973
Bug ID: 25973
Summary: Document regex security posture in man page
Product: glibc
Version: 2.27
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: manual
Assignee: unassigned at sourceware dot org
Reporter: dpmendenhall at gmail dot com
CC: mtk.manpages at gmail dot com
Target Milestone: ---
https://sourceware.org/glibc/wiki/Security%20Exceptions states:

"Implementing regular expressions efficiently, in a standard-conforming way,
and without denial-of-service vulnerabilities is very difficult and impossible
for Basic Regular Expressions. Most implementation strategies have issues
dealing with certain classes of patterns.

Consequently, resource exhaustion issues which can be triggered only with
crafted patterns (either during compilation or execution) are not treated as
security bugs."

Fair enough, but it would be helpful for this to be clearly documented in the
man pages too, like regex(7). Currently there is only a subtle reference under
bugs which doesn't use the word 'security' at all:

"Back references are a dreadful botch, posing major problems for efficient
implementations. They are also somewhat vaguely defined (does
"a\(\(b\)*\2\)*d" match "abbbd"?). Avoid using them."
--
You are receiving this mail because:
You are on the CC list for the bug.
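Added example, not part of the original report or of glibc: because resource exhaustion from crafted patterns is not treated as a security bug, a caller that accepts untrusted patterns can run regcomp()/regexec() in a child process with CPU and address-space limits. The helper name `match_untrusted`, the `RX_*` result codes and the limit values are assumptions made for this sketch.

```c
#define _XOPEN_SOURCE 700
#include <regex.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

enum { RX_ABORTED = -2, RX_BADPATTERN = -1, RX_NOMATCH = 0, RX_MATCH = 1 };

/* Set soft and hard limit together so the child cannot raise it again. */
static int cap(int resource, rlim_t value)
{
    struct rlimit rl = { .rlim_cur = value, .rlim_max = value };
    return setrlimit(resource, &rl);
}

/* Hypothetical helper: compile and run an untrusted pattern in a child that
 * is capped at cpu_seconds of CPU time and, when mem_bytes is non-zero,
 * mem_bytes of address space. The parent only ever sees a result code. */
int match_untrusted(const char *pattern, const char *text, int cflags,
                    rlim_t cpu_seconds, rlim_t mem_bytes)
{
    pid_t pid = fork();
    if (pid < 0)
        return RX_ABORTED;
    if (pid == 0) {                         /* child does the risky work */
        regex_t re;
        if (cap(RLIMIT_CPU, cpu_seconds) != 0 ||
            (mem_bytes != 0 && cap(RLIMIT_AS, mem_bytes) != 0))
            _exit(3);
        if (regcomp(&re, pattern, cflags) != 0)
            _exit(2);                       /* syntax error or REG_ESPACE */
        int rc = regexec(&re, text, 0, NULL, 0);
        _exit(rc == 0 ? 0 : rc == REG_NOMATCH ? 1 : 3);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return RX_ABORTED;                  /* killed, e.g. by SIGXCPU */
    switch (WEXITSTATUS(status)) {
    case 0:  return RX_MATCH;
    case 1:  return RX_NOMATCH;
    case 2:  return RX_BADPATTERN;
    default: return RX_ABORTED;
    }
}

int main(void)
{
    /* Constructed input; 2 s of CPU and 256 MiB are illustrative limits. */
    printf("%d\n", match_untrusted("^[a-z]+@[a-z]+$", "user@example",
                                   REG_EXTENDED, 2, (rlim_t)256 << 20));
    return 0;
}
```

A pattern that exceeds either limit ends the child, and the caller receives `RX_ABORTED` instead of stalling or running out of memory itself.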
* [Bug manual/25973] Document regex security posture in man page
From: dpmendenhall at gmail dot com @ 2020-05-11 15:59 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=25973
David Mendenhall <dpmendenhall at gmail dot com> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|---                         |FIXED
--- Comment #1 from David Mendenhall <dpmendenhall at gmail dot com> ---
regex(7) owned by Linux man-pages, not glibc.
* [Bug manual/25973] Document regex security posture in man page
From: dpmendenhall at gmail dot com @ 2020-05-11 15:59 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=25973
David Mendenhall <dpmendenhall at gmail dot com> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|FIXED                       |INVALID
--- Comment #2 from David Mendenhall <dpmendenhall at gmail dot com> ---
regex(7) owned by Linux man-pages, not glibc.
* [Bug manual/25973] Document regex security posture in man page
From: schwab@linux-m68k.org @ 2020-05-11 17:04 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=25973
Andreas Schwab <schwab@linux-m68k.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|INVALID                     |MOVED