Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CALx_OUAtt5gbRP+imZfXJwvgfs+Y5hrYqdmLhJHS7SRN5z_VCQ@mail.gmail.com>
Date: Fri, 16 Jun 2017 18:45:12 -0700
From: Michal Zalewski <lcamtuf@...edump.cx>
To: oss-security <oss-security@...ts.openwall.com>
Subject: Re: two vulns in uClibc-0.9.33.2

> Does it make sense to assign CVEs to regex compilation? Very few toolkits
> handle this well, and even given how many regex toolkits use backtracking,
> even 'safe' regexes can lead to essentially unbounded execution time.

One use case are "sandbox" languages, such as JavaScript. JS engines
often use third-party regex libraries with attacker-controlled
regexes. They don't particularly about OOM / CPU exhaustion, but RCE
that allows a malicious program to escape containment would be bad
news.

Probably no JS engine using uclibc, though.

/mz

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.