[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Issues] Fwd: regcomp(3) Multiple Vulnerabilities

To: Vladimir Levijev <vladimir.levijev@xxxxxxxxx>
Subject: Re: [Issues] Fwd: regcomp(3) Multiple Vulnerabilities
From: "Joseph S. Myers" <joseph@xxxxxxxxxxxxxxxx>
Date: Fri, 17 Feb 2012 13:16:46 +0000 (UTC)

On Fri, 17 Feb 2012, Vladimir Levijev wrote:

> Hi,
> 
> Isn't there anyone to comment on the issue? Or is this list dead?

Unless you have reason to believe an issue to be specific to EGLIBC, it's 
generally advisable to discuss it upstream in the FSF GLIBC context.  We 
try to keep down the level of differences between FSF GLIBC and EGLIBC, 
and as FSF GLIBC moves to more cooperative, civil community development I 
hope the level of differences can be reduced much further.

I don't think this issue is generally considered a bug by other GLIBC 
distributors (EGLIBC being one of the various GLIBC distributors).  See 
<https://bugzilla.redhat.com/show_bug.cgi?id=645859> for example.  If 
using regular expressions from untrusted sources, it would be appropriate 
to run them in a resource-limited subprocess.  (If it is possible to 
trigger arbitrary code execution / buffer overruns with this problem, 
rather than reliably crashing the process through exhausting the stack 
limit, I think that would be a bug - but again, best considered in the FSF 
GLIBC context.)

-- 
Joseph S. Myers
joseph@xxxxxxxxxxxxxxxx
_______________________________________________
Issues mailing list
Issues@xxxxxxxxxx
http://eglibc.org/cgi-bin/mailman/listinfo/issues

References:
- [Issues] regcomp(3) Multiple Vulnerabilities
  - From: Vladimir Levijev
- [Issues] Fwd: regcomp(3) Multiple Vulnerabilities
  - From: Vladimir Levijev

Prev by Date: [Issues] Fwd: regcomp(3) Multiple Vulnerabilities
Next by Date: [Issues] /var/db/Makefile file
Previous by thread: [Issues] Fwd: regcomp(3) Multiple Vulnerabilities
Next by thread: [Issues] /var/db/Makefile file
Index(es):
- Date
- Thread