Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <8a0125dd564a421ea358674b196666b5@imshyb02.MITRE.ORG>
Date: Sat, 26 Nov 2016 17:50:48 -0500
From: <cve-assign@...re.org>
To: <gustavo.grieco@...il.com>
CC: <cve-assign@...re.org>, <oss-security@...ts.openwall.com>
Subject: Re: CVE Request: resource exhaustion in regex expression handling in WebKit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> Trying to parse and execute this regex code in WebKit:
> 
> [ about 170 instances of "($" and then "{-2,16}" and then about
>   170 instances of "+)" ]
> 
> will consume large amounts of memory (8GB or more), after a few seconds.
> This seems to be a case of CWE-400 (uncontrolled resource consumption).
> 
> Chrome and Firefox based browsers are *not* affected.

Use CVE-2016-9643.


> asked to MITRE about another issue related with uncontrolled resource
> consumption in Firefox loading a SVG but receive no response.

We have just answered that on its own thread.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJYOg/tAAoJEHb/MwWLVhi2jXMP+wXfT6g+wyocbXiiIbflNo9x
Aj8TQ9PP7ZTO2akx4xOdep+Jpulg2K5ACWG/PDqy+oPV3ouJDyT0xzUTYK0MLFWa
oDe460NUGm92UkG9VSkzSe5RYN7tawxzYfoaSulJf4gd6bDUSRPxB+rDEWeX6mCT
q/VKySkcs7wAtZd6N9W/NPg0+Jeo/qgCeU0wf1Uz8c+1WvF7c2ooqyYTq36Z434F
gT4GshSEqGmi3PCKomzSEmaRYeGhREy7J82/b7JHYgmMDnwDJWNqg/MXhzE6VjP4
uRSEAYaKksVsWI+CtxLNeiBSZAyEV2Gd2hSthd/xSAQfJ9lAK+rxJN38cIl0NIL5
4tgyNHGYtOYIjiFKtil0T3DE3IlLlWFJAa2ICkpqDoFjPDBQXxbKcwG4TM5DTMBe
Fqe7WK3SXZNd5imt296L0lBry50v7/xjyIstUR8QoPJBJ0AGHJw8uCRjps0zZK6k
nzbKM0LZdgTmf7zdxjGIEjhLIkGCxXJdGGVQMFb80EHgwM+LfTDD1KTAodB+1oRd
UJeaRv0EqndpAOKlxHhMDGxk7n4Tz34luKaav9abaJ4mo8F1Sho4UgRVZtlik+EQ
Wm3g/BeTqjj2JkBvQwrQNVn5VA75tE+Xp5ZnjnQTPSuqwBNvQjPU+EoeStadSP57
ALKxkr8D5RHlAGNzIVoQ
=eJl5
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.