This is the mail archive of the
glibc-bugs-regex@sourceware.org
mailing list for the glibc project.
[Bug regex/12896] regexec() stack overflow denial of service
- From: "bonzini at gnu dot org" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs-regex at sources dot redhat dot com
- Date: Sat, 18 Jun 2011 13:20:16 +0000
- Subject: [Bug regex/12896] regexec() stack overflow denial of service
- Auto-submitted: auto-generated
- References: <bug-12896-132@http.sourceware.org/bugzilla/>
http://sourceware.org/bugzilla/show_bug.cgi?id=12896
Paolo Bonzini <bonzini at gnu dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
CC| |bonzini at gnu dot org
Resolution| |INVALID
--- Comment #1 from Paolo Bonzini <bonzini at gnu dot org> 2011-06-18 13:20:13 UTC ---
This is not really a vulnerability in glibc; in various forms, it is common to
pretty much any regular expression engine.
In general, applications should not pass to regcomp regular expressions coming
from untrusted sources. The glibc implementations ensures that "good" regular
expressions, in particular not including very high repetition counts or
backreferences, do not cause anomalous stack usage in either regcomp or
regexec. This is usually a sufficient guarantee.
--
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.