Bug#441355: regcomp DoS'able in utf-8 locales
reassign 441355 grep
Rich Felker wrote:
> Package: libc6
> Version: 2.6.1-2
> Severity: important
> glibc's regular expression engine crashes with sig11 whenever trying
> to compile a regular expression with non-ASCII range expressions if
> LC_CTYPE is a UTF-8 locale but LC_COLLATE is set to C or POSIX. This
> is a common setup among users who want traditional codepoint-order
> sorting but need UTF-8 encoding.
> $ LANG=en_US.UTF-8 LC_COLLATE=C grep '[Á-ä]'
> Segmentation fault
This is a problem with grep which calls re_compile_pattern incorrectly:
/* re_compile_pattern is the GNU regular expression compiler: it
compiles PATTERN (of length LENGTH) and puts the result in BUFP.
Returns 0 if the pattern was valid, otherwise an error string.
Assumes the `allocated' (and perhaps `buffer') and `translate' fields
are set in BUFP on entry. */
In the case of grep, allocate is not set correctly, and translate does not
point to a regex_t entry.
> The bug can cause crashes in any program using the system regex
> routines and could in principle be used for DoS attacks if a
> less-privileged user is able to provide regular expressions to a
> more-privileged process.
Do you have an example of such a claim? I have been unable to reproduce
the problem when the regex routines are called correctly.
.''`. Aurelien Jarno | GPG: 1024D/F1BCDB73
: :' : Debian developer | Electrical Engineer
`. `' email@example.com | firstname.lastname@example.org
`- people.debian.org/~aurel32 | www.aurel32.net
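
Added example, not part of the original message and not code from grep or glibc: a caller that sets the fields the quoted header comment says re_compile_pattern assumes on entry, then compiles and searches. The helper name gnu_match, the RE_SYNTAX_POSIX_EXTENDED syntax choice and the sample strings are assumptions made for illustration; it requires glibc's GNU regex interface.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* exposes re_compile_pattern and field names */
#endif
#include <locale.h>
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* gnu_match is a hypothetical helper name, not a glibc or grep function.
   Returns 1 if TEXT contains a match, 0 if not, -1 on a compile or
   matcher error. */
int gnu_match(const char *pattern, const char *text)
{
    struct re_pattern_buffer buf;
    const char *err;
    regoff_t pos;
    size_t len = strlen(text);

    /* Start from a fully zeroed buffer, then state the entry fields the
       header comment names so the precondition is explicit. */
    memset(&buf, 0, sizeof buf);
    buf.buffer = NULL;      /* no preallocated compiled-pattern storage */
    buf.allocated = 0;      /* ...so its recorded size is zero */
    buf.translate = NULL;   /* no character translate table */
    buf.fastmap = NULL;     /* no fastmap requested */

    re_set_syntax(RE_SYNTAX_POSIX_EXTENDED);   /* assumed syntax choice */
    err = re_compile_pattern(pattern, strlen(pattern), &buf);
    if (err != NULL) {
        fprintf(stderr, "compile failed: %s\n", err);
        return -1;
    }
    pos = re_search(&buf, text, len, 0, len, NULL);
    regfree(&buf);          /* releases what the compiler allocated */
    return pos >= 0 ? 1 : (pos == -1 ? 0 : -1);
}

int main(void)
{
    /* The locale mix from the report: UTF-8 LC_CTYPE, C LC_COLLATE.
       setlocale returns NULL if en_US.UTF-8 is not installed. */
    if (setlocale(LC_CTYPE, "en_US.UTF-8") == NULL)
        fputs("en_US.UTF-8 not available, staying in C locale\n", stderr);
    setlocale(LC_COLLATE, "C");
    printf("[Á-ä] vs \"é\": %d\n", gnu_match("[Á-ä]", "é"));
    printf("[a-f]+ vs \"xxbeefxx\": %d\n", gnu_match("[a-f]+", "xxbeefxx"));
    return 0;
}
```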