
Re: [Issues] Fwd: regcomp(3) Multiple Vulnerabilities

On Fri, 17 Feb 2012, Vladimir Levijev wrote:

> Hi,
> Isn't there anyone to comment on the issue? Or is this list dead?

Unless you have reason to believe an issue to be specific to EGLIBC, it's 
generally advisable to discuss it upstream in the FSF GLIBC context.  We 
try to keep down the level of differences between FSF GLIBC and EGLIBC, 
and as FSF GLIBC moves to more cooperative, civil community development I 
hope the level of differences can be reduced much further.

I don't think this issue is generally considered a bug by other GLIBC 
distributors (EGLIBC being one of the various GLIBC distributors).  See 
<https://bugzilla.redhat.com/show_bug.cgi?id=645859> for example.  If 
using regular expressions from untrusted sources, it would be appropriate 
to run them in a resource-limited subprocess.  (If it is possible to 
trigger arbitrary code execution / buffer overruns with this problem, 
rather than reliably crashing the process through exhausting the stack 
limit, I think that would be a bug - but again, best considered in the FSF 
GLIBC context.)

Joseph S. Myers
Issues mailing list
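As an added example that is not part of the thread or of glibc itself: the "resource-limited subprocess" approach suggested above, written as a hypothetical `sandboxed_regcomp_check()` helper. It forks, caps the child's stack and CPU time with setrlimit(2), compiles the untrusted pattern with regcomp(3) in the child, and reports a child killed by a signal (stack exhaustion, SIGXCPU) as a rejected pattern instead of taking the caller down. The limit values and result codes are my choices.

```c
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Result codes for the caller (hypothetical, chosen for this example). */
enum sandbox_result { RE_OK = 0, RE_INVALID = 1, RE_CRASHED = 2, RE_ERROR = 3 };

/* Lower the soft limit of `res` to `want` (never above the current hard limit). */
static int cap_rlimit(int res, rlim_t want)
{
    struct rlimit rl;
    if (getrlimit(res, &rl) < 0) return -1;
    if (rl.rlim_max != RLIM_INFINITY && want > rl.rlim_max) want = rl.rlim_max;
    rl.rlim_cur = want;
    return setrlimit(res, &rl);
}

/* Compile `pattern` with regcomp() in a forked child whose stack size and CPU
 * time are bounded. Only the child can crash; the parent maps its fate to a code. */
int sandboxed_regcomp_check(const char *pattern, int cflags,
                            rlim_t stack_bytes, rlim_t cpu_secs)
{
    pid_t pid = fork();
    if (pid < 0) return RE_ERROR;
    if (pid == 0) {
        /* Linux checks RLIMIT_STACK when the stack grows, so lowering it here
         * bounds how deep regcomp's recursion can go before SIGSEGV. */
        if (cap_rlimit(RLIMIT_STACK, stack_bytes) < 0) _exit(RE_ERROR);
        if (cap_rlimit(RLIMIT_CPU, cpu_secs) < 0) _exit(RE_ERROR);
        regex_t re;
        int rc = regcomp(&re, pattern, cflags);
        if (rc == 0) regfree(&re);
        _exit(rc == 0 ? RE_OK : RE_INVALID);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return RE_ERROR;
    if (WIFSIGNALED(status)) return RE_CRASHED;   /* SIGSEGV, SIGXCPU, ... */
    if (WIFEXITED(status)) return WEXITSTATUS(status);
    return RE_ERROR;
}

int main(int argc, char **argv)
{
    const char *pat = argc > 1 ? argv[1] : "^[a-z]+$";   /* constructed default */
    int r = sandboxed_regcomp_check(pat, REG_EXTENDED, 1u << 20, 2);
    printf("pattern %s -> result %d\n", pat, r);
    return r;
}
```

A non-zero result means the pattern should be refused before it is ever compiled in the main process; the crash case still costs a fork, so rate-limit callers if the patterns arrive over the network.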