On 9/13/18 6:22 PM, Eduardo A. Bustamante López wrote: > On Wed, Sep 12, 2018 at 09:23:54AM +0200, Tim Rühsen wrote: > (...) >> I stumbled upon the memory consumption (and slowness) a while ago, but >> it seems to be a well-known issue regarding >> https://sourceware.org/glibc/wiki/Security%20Exceptions. >> >> So, never accept regex patterns from untrusted sources. > > The linked document says: > > | Consequently, resource exhaustion issues which can be triggered only with > | crafted patterns (either during compilation or execution) are not treated as > | security bugs. **(This does not mean we do not intend to fix such issues as > | regular bugs if possible.)** > > So I think it's worth reporting. > > If the `regex' implementation of gnulib is the same as glibc, then I think > this > report is related: https://sourceware.org/bugzilla/show_bug.cgi?id=20095
Of course it is worth reporting if it hasn't already been reported. A while ago I fuzzed the command line options of wget/wget2 and since there are two that take regex patterns, I quickly ran into the OOM/abort situation, as well as experiencing extrem slowness. And that even for short regex patterns that didn't look too weird. I don't have the links at hand, but I remember several similar issues been reported at sourceware.org/bugzilla. At least one of it had a comment linking to the 'Security Exceptions' page, also saying that is expected behavior, wontfix etc. I took that as 'official' statement to that group of regex issues. Since then I exclude regcomp()/regexec() from fuzzing :-( Apart from that, I consider Assaf's other findings to be real bugs that needs to be reported/fixed. Regards, Tim
signature.asc
Description: OpenPGP digital signature
