Bug 25974 - Document regex security posture in manual
Summary: Document regex security posture in manual
Status: UNCONFIRMED
Alias: None
Product: glibc
Classification: Unclassified
Component: manual
Version: 2.27
Importance: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-05-11 16:06 UTC by David Mendenhall
Modified: 2020-05-11 16:06 UTC

See Also:
Host:
Target:
Build:
Last reconfirmed:


Description David Mendenhall 2020-05-11 16:06:30 UTC
https://sourceware.org/glibc/wiki/Security%20Exceptions states:

"Implementing regular expressions efficiently, in a standard-conforming way, and without denial-of-service vulnerabilities is very difficult and impossible for Basic Regular Expressions. Most implementation strategies have issues dealing with certain classes of patterns.

Consequently, resource exhaustion issues which can be triggered only with crafted patterns (either during compilation or execution) are not treated as security bugs."

Fair enough, but it would be helpful for this to be explained and documented in the manual somewhere. Users may not be aware of the security implications of regular expressions (like ReDoS attacks).
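The caveat behind the wiki text, as an added example that is not part of this bug report and not glibc's own code or recommendation: because glibc does not treat pattern-triggered resource exhaustion as a security bug, a program that compiles patterns supplied by an untrusted party has to treat the pattern itself as input to validate. The program below, written against the POSIX `regcomp`/`regexec` API that glibc implements, rejects empty and oversized patterns, refuses backreferences (`\1`..`\9`, the construct POSIX BRE requires and glibc also accepts in ERE, and the reason the wiki calls linear-time matching "impossible for Basic Regular Expressions"), bounds the subject length, and compiles with `REG_NOSUB` so no match offsets are tracked. The size limits `MAX_PATTERN_LEN` and `MAX_SUBJECT_LEN` are constructed for this example; pick values that fit the application.

```c
#include <ctype.h>
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Policy limits: constructed for this example, not values from the glibc manual. */
#define MAX_PATTERN_LEN 256
#define MAX_SUBJECT_LEN 4096

/* Screen an untrusted pattern before handing it to regcomp().
   Rejects empty or oversized patterns and any backreference (a backslash
   followed by a digit). An escaped backslash ("\\") is skipped as a pair so
   that "\\1" (literal backslash, then '1') is not mistaken for "\1".
   Returns 1 if the pattern may be compiled, 0 if it must be refused. */
int pattern_is_acceptable(const char *pattern)
{
    size_t n = strlen(pattern);
    if (n == 0 || n > MAX_PATTERN_LEN)
        return 0;
    for (size_t i = 0; i + 1 < n; i++) {
        if (pattern[i] == '\\') {
            if (isdigit((unsigned char)pattern[i + 1]))
                return 0;          /* backreference: refuse */
            i++;                   /* skip the escaped character */
        }
    }
    return 1;
}

/* Match 'subject' against an untrusted 'pattern' under the policy above.
   Returns 1 on match, 0 on no match, -1 if the pattern was refused by
   policy, failed to compile, or the subject exceeds the size limit. */
int safe_match(const char *pattern, const char *subject)
{
    if (!pattern_is_acceptable(pattern))
        return -1;
    if (strlen(subject) > MAX_SUBJECT_LEN)
        return -1;

    regex_t re;
    /* REG_EXTENDED: POSIX ERE syntax; REG_NOSUB: no capture bookkeeping. */
    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
        return -1;
    int rc = regexec(&re, subject, 0, NULL, 0);
    regfree(&re);
    return rc == 0 ? 1 : 0;
}

int main(void)
{
    /* Constructed inputs: one benign pattern, one carrying a backreference. */
    printf("benign  : %d\n", safe_match("^[a-z]+@[a-z]+\\.com$", "alice@example.com"));
    printf("nomatch : %d\n", safe_match("^[a-z]+$", "abc123"));
    printf("backref : %d\n", safe_match("(a+)\\1", "aa"));
    printf("bad re  : %d\n", safe_match("[", "anything"));
    return 0;
}
```

A process-level backstop (running the match in a child process under an `RLIMIT_CPU`/`RLIMIT_AS` limit, or applying a timeout) is the other half of the mitigation when patterns cannot be restricted syntactically; the screening above only removes the construct that is known to defeat linear-time matching.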