Re: [Issues] Fwd: regcomp(3) Multiple Vulnerabilities
- To: Vladimir Levijev <vladimir.levijev@xxxxxxxxx>
- Subject: Re: [Issues] Fwd: regcomp(3) Multiple Vulnerabilities
- From: "Joseph S. Myers" <joseph@xxxxxxxxxxxxxxxx>
- Date: Fri, 17 Feb 2012 13:16:46 +0000 (UTC)

On Fri, 17 Feb 2012, Vladimir Levijev wrote:
> Hi,
>
> Isn't there anyone to comment on the issue? Or is this list dead?

Unless you have reason to believe an issue to be specific to EGLIBC, it's
generally advisable to discuss it upstream in the FSF GLIBC context. We
try to keep down the level of differences between FSF GLIBC and EGLIBC,
and as FSF GLIBC moves to more cooperative, civil community development I
hope the level of differences can be reduced much further.

I don't think this issue is generally considered a bug by other GLIBC
distributors (EGLIBC being one of the various GLIBC distributors). See
<https://bugzilla.redhat.com/show_bug.cgi?id=645859> for example. If
using regular expressions from untrusted sources, it would be appropriate
to run them in a resource-limited subprocess. (If it is possible to
trigger arbitrary code execution / buffer overruns with this problem,
rather than reliably crashing the process through exhausting the stack
limit, I think that would be a bug - but again, best considered in the FSF
GLIBC context.)

--
Joseph S. Myers
joseph@xxxxxxxxxxxxxxxx
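
The resource-limited subprocess recommended in the message above, as an added example that is not part of the original message and is not EGLIBC or GLIBC code. The name sandboxed_match, the result codes and the limit values (2 s CPU, 256 MiB address space, 8 MiB stack) are assumptions chosen for illustration.

```c
#include <errno.h>
#include <regex.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

enum { RX_ERROR = -1, RX_MATCH, RX_NOMATCH, RX_REJECTED, RX_KILLED };

/* Lower one limit (soft and hard) without exceeding the current hard limit. */
static int cap(int resource, rlim_t want)
{
    struct rlimit rl;
    if (getrlimit(resource, &rl) != 0) return -1;
    if (rl.rlim_max != RLIM_INFINITY && want > rl.rlim_max) want = rl.rlim_max;
    rl.rlim_cur = rl.rlim_max = want;
    return setrlimit(resource, &rl);
}

/* Compile and run an untrusted pattern in a child process, so that stack or
 * memory exhaustion inside regcomp()/regexec() kills only the child.
 * The limit values are illustrative assumptions, not taken from the thread. */
int sandboxed_match(const char *pattern, const char *subject)
{
    pid_t pid = fork();
    if (pid < 0) return RX_ERROR;
    if (pid == 0) {
        regex_t re;
        if (cap(RLIMIT_CPU, 2) || cap(RLIMIT_AS, (rlim_t)256 << 20) ||
            cap(RLIMIT_STACK, (rlim_t)8 << 20) || cap(RLIMIT_CORE, 0))
            _exit(100);                      /* refuse to run unconfined */
        if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
            _exit(RX_REJECTED);              /* syntax error or REG_ESPACE */
        _exit(regexec(&re, subject, 0, NULL, 0) == 0 ? RX_MATCH : RX_NOMATCH);
    }
    int status;
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR) return RX_ERROR;
    if (WIFSIGNALED(status)) return RX_KILLED;   /* e.g. SIGSEGV, SIGXCPU */
    if (WIFEXITED(status) && WEXITSTATUS(status) <= RX_REJECTED)
        return WEXITSTATUS(status);
    return RX_ERROR;
}

int main(int argc, char **argv)
{
    if (argc != 3) { fprintf(stderr, "usage: %s PATTERN TEXT\n", argv[0]); return 2; }
    printf("result: %d\n", sandboxed_match(argv[1], argv[2]));
    return 0;
}
```

A caller treats RX_KILLED and RX_ERROR as "pattern refused" and keeps serving other requests; only the match verdict crosses the process boundary, so no state touched by the untrusted pattern is reused by the parent.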