oss-sec mailing list archives
CVE Request: IrRegular Expressions resource exhaustion in regex compilation [was: Re: [oss-security] CVE Request: resource exhaustion in regex expression handling in WebKit]
From: Peter Bex <peter () more-magic net>
Date: Wed, 14 Dec 2016 21:05:45 +0100
On Sat, Nov 26, 2016 at 03:11:44PM -0300, Gustavo Grieco wrote:
Hello, Trying to parse and execute this regex code in WebKit: /($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($(${-2,16}+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)/ will consume large amounts of memory (8GB or more), after a few seconds. This seems to be a case of CWE-400 (uncontrolled resource consumption).
Hello all, Compiling the above regex also causes excessive resource consumption in the portable Irregex (IrRegular Expressions) Scheme package, which can be found at http://synthcode.com/scheme/irregex/. This code is completely unrelated to WebKit's regex implementation, and a cursory inspection seems to indicate that the underlying cause is different. So, it might be worthwhile to inspect other regex engines for issues similar to this! All versions prior to 0.9.6 are affected. The fix is at https://github.com/ashinn/irregex/commit/a16ffc86eca15fca9e40607d41de3cea9cf868f1 This package comes bundled at least with CHICKEN Scheme, Jazz Scheme and Vicare Scheme, and there are "chez-irregex" and "guile-irregex" packages available for GuixSD and perhaps other package managers. Versions of CHICKEN up to and including 4.11.1 are affected. Cheers, Peter Bex
Attachment:
signature.asc
Description: Digital signature
Current thread:
- CVE Request: resource exhaustion in regex expression handling in WebKit Gustavo Grieco (Nov 26)
- Re: CVE Request: resource exhaustion in regex expression handling in WebKit cve-assign (Nov 26)
- CVE Request: IrRegular Expressions resource exhaustion in regex compilation [was: Re: [oss-security] CVE Request: resource exhaustion in regex expression handling in WebKit] Peter Bex (Dec 14)