oss-sec mailing list archives

CVE Request: IrRegular Expressions resource exhaustion in regex compilation [was: Re: [oss-security] CVE Request: resource exhaustion in regex expression handling in WebKit]


From: Peter Bex <peter () more-magic net>
Date: Wed, 14 Dec 2016 21:05:45 +0100

On Sat, Nov 26, 2016 at 03:11:44PM -0300, Gustavo Grieco wrote:
Hello,

Trying to parse and execute this regex code in WebKit:

/($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($(${-2,16}+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)/

will consume large amounts of memory (8GB or more), after a few seconds.
This seems to be a case of CWE-400 (uncontrolled resource consumption).

Hello all,

Compiling the above regex also causes excessive resource consumption in
the portable Irregex (IrRegular Expressions) Scheme package, which can be
found at http://synthcode.com/scheme/irregex/.

This code is completely unrelated to WebKit's regex implementation, and
a cursory inspection seems to indicate that the underlying cause is
different.  So, it might be worthwhile to inspect other regex engines for
issues similar to this!

All versions prior to 0.9.6 are affected.  The fix is at
https://github.com/ashinn/irregex/commit/a16ffc86eca15fca9e40607d41de3cea9cf868f1

This package comes bundled at least with CHICKEN Scheme, Jazz Scheme and
Vicare Scheme, and there are "chez-irregex" and "guile-irregex" packages
available for GuixSD and perhaps other package managers.

Versions of CHICKEN up to and including 4.11.1 are affected.

Cheers,
Peter Bex
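
A guard an application could run on untrusted patterns before handing them to a regex engine, as an added example that is not part of the original message or of Irregex: it measures how deeply quantified groups nest, which is the shape of the regex quoted above. The function names, the constructed sample and both limits are assumptions, and the scan is simplified so that it errs toward over-counting.

```python
import re

# Assumed policy values for this example; tune them per application.
MAX_PATTERN_LENGTH = 1000
MAX_QUANTIFIED_DEPTH = 8

# A repetition operator directly after a closing parenthesis.
_QUANTIFIER = re.compile(r"[*+?]|\{\d+(,\d*)?\}")

# Constructed sample with the same shape as the quoted regex: 40 nested
# groups, each followed by '+'.
CONSTRUCTED_NESTED = "(" * 40 + "a" + ")+" * 40


def quantified_nesting_depth(pattern):
    """Return the longest chain of nested groups that each carry a quantifier."""
    stack = [0]          # deepest quantified chain seen inside each open group
    in_class = False     # inside [...], where parentheses are literals
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":    # escaped character: skip it together with the backslash
            i += 2
            continue
        if in_class:
            # The first ']' closes the class. Syntaxes that allow a literal
            # leading ']' are over-counted, never under-counted.
            in_class = c != "]"
        elif c == "[":
            in_class = True
        elif c == "(":
            stack.append(0)
        elif c == ")" and len(stack) > 1:
            depth = stack.pop()
            if _QUANTIFIER.match(pattern, i + 1):
                depth += 1
            stack[-1] = max(stack[-1], depth)
        i += 1
    return max(stack)    # also covers groups that were never closed


def safe_to_compile(pattern, max_depth=MAX_QUANTIFIED_DEPTH,
                    max_length=MAX_PATTERN_LENGTH):
    """Decide whether an untrusted pattern may be passed to the regex compiler."""
    return (len(pattern) <= max_length
            and quantified_nesting_depth(pattern) <= max_depth)
```

A pattern rejected by `safe_to_compile` is never compiled, so the check bounds compile-time cost independently of which engine sits behind it.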
