Differences between revisions 2 and 3
Revision 2 as of 2014-06-30 11:52:41
Size: 1770
Comment: aio and cancellation
Revision 3 as of 2014-08-07 08:04:25
Size: 1789
Comment: Wording cleanup
Deletions are marked like this. Additions are marked like this.
Line 9: Line 9:
Consequently, resource exhaustion which can be triggered only with crafted patterns (either during compilation or execution) are not treated as security bugs. (This does not mean we do not intend to fix such issues as regular bugs.) Consequently, resource exhaustion issues which can be triggered only with crafted patterns (either during compilation or execution) are not treated as security bugs. (This does not mean we do not intend to fix such issues as regular bugs if possible.)

This document describes subsystems which need special consideration during security bug classification. For the overall process, see Security Process.

Regular expression processing

Regular expression processing comes in two parts, compilation (through regcomp) and execution (through regexec).

Implementing regular expressions efficiently, in a standard-conforming way, and without denial-of-service vulnerabilities is very difficult and impossible for Basic Regular Expressions. Most implementation strategies have issues dealing with certain classes of patterns.

Consequently, resource exhaustion issues which can be triggered only with crafted patterns (either during compilation or execution) are not treated as security bugs. (This does not mean we do not intend to fix such issues as regular bugs if possible.)

However, during execution, crashes, infinite loops, buffer overflows and reading past buffers (read-only buffer overruns), memory leaks and other, similar bugs should be treated as security vulnerabilities, assuming that the pattern is trusted and reasonably structured.

Asynchronous I/O

The GNU C Library tries to implement asynchronous I/O without kernel support, which means that several operations are not fully standard conforming. Several known races can cause crashes and resource leaks. Such bugs are only treated as security bugs if applications (as opposed to synthetic test cases) have security exposures due to these bugs.

Asynchronous cancellation

The implementation of asynchronous cancellation is not fully standard-conforming and has races and leaks. Again, such bugs are only treated as security bugs if applications (as opposed to synthetic test cases) have security exposures due to these bugs.

None: Security Exceptions (last edited 2014-08-07 08:04:25 by FlorianWeimer)