Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 16 Jun 2017 18:45:12 -0700
From: Michal Zalewski <lcamtuf@...edump.cx>
To: oss-security <oss-security@...ts.openwall.com>
Subject: Re: two vulns in uClibc-0.9.33.2

> Does it make sense to assign CVEs to regex compilation? Very few toolkits
> handle this well, and even given how many regex toolkits use backtracking,
> even 'safe' regexes can lead to essentially unbounded execution time.

One use case are "sandbox" languages, such as JavaScript. JS engines
often use third-party regex libraries with attacker-controlled
regexes. They don't particularly about OOM / CPU exhaustion, but RCE
that allows a malicious program to escape containment would be bad
news.

Probably no JS engine using uclibc, though.

/mz

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ