[pcre-dev] [Bug 2293] New: Dos attack via control regex

Góra strony
Delete this message
Autor: admin
Data:  
Dla: pcre-dev
Temat: [pcre-dev] [Bug 2293] New: Dos attack via control regex
https://bugs.exim.org/show_bug.cgi?id=2293

            Bug ID: 2293
           Summary: Dos attack via control regex
           Product: PCRE
           Version: 10.31 (PCRE2)
          Hardware: x86-64
                OS: All
            Status: NEW
          Severity: security
          Priority: medium
         Component: Code
          Assignee: ph10@???
          Reporter: zp1in@???
                CC: pcre-dev@???


Created attachment 1092
--> https://bugs.exim.org/attachment.cgi?id=1092&action=edit
poc

Regex like `(?:(?!BB).)*` would crash the maintain software. Libpcre calls
`match` function recursively while match the regex and finally run out of the
stack memory.

If attackers controlled regex, he can easily make the program terminated. And
attackers can construct illegal data to Dos Attack program witch contains regex
like it.

--
You are receiving this mail because:
You are on the CC list for the bug.