On Wed, Sep 12, 2018 at 09:23:54AM +0200, Tim Rühsen wrote:
(...)
> I stumbled upon the memory consumption (and slowness) a while ago, but
> it seems to be a well-known issue regarding
> https://sourceware.org/glibc/wiki/Security%20Exceptions.
>
> So, never accept regex patterns from untrusted sources.
The linked document says:

| Consequently, resource exhaustion issues which can be triggered only with
| crafted patterns (either during compilation or execution) are not treated as
| security bugs. **(This does not mean we do not intend to fix such issues as
| regular bugs if possible.)**

So I think it's worth reporting.

If the `regex' implementation of gnulib is the same as glibc, then I think
this report is related:

https://sourceware.org/bugzilla/show_bug.cgi?id=20095