Hi all,

Irregex versions before 0.9.6 contain a resource exhaustion vulnerability: compiling deeply nested regexes containing the "+" operator triggers exponential expansion behaviour. All released CHICKEN versions that ship Irregex are affected by this. The upcoming versions 4.12 (and/or dev snapshot 4.11.2) and 5.0.0 will include a fix.

For example, the following expression will trigger an out of memory error, using up many Gigabytes(!) of memory:

(irregex "($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($(${-2,16}+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)")

In CHICKEN, the maximum heap size will prevent this from eating up all your system's memory (assuming you have more free memory than the heap limit), so it would manifest as "merely" a denial of service. The default value of this setting is 2GB; it can be tuned using the -:hm runtime option.

Currently, no workaround or mitigation is known. A program could, however, validate an SRE to detect the issue. This can be done relatively easily by counting the nesting depth of (+ ...) expressions in a user-supplied SRE and aborting if it is larger than a (very) small constant.

A fix has been implemented in the master branch as 2c419f1 and in the chicken-5 branch as 60118b0. The patches can be found at http://lists.gnu.org/archive/html/chicken-hackers/2016-12/msg00010.html

Thanks to Alex Shinn for reviewing the fix.

Regards,
The CHICKEN Team
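The validation check described above, as an added example that is not part of the advisory or of CHICKEN/Irregex: it reads a user-supplied SRE as text and rejects it when (+ ...) forms nest deeper than a small constant. Python is used so it runs stand-alone; the reader, the Sym type, the function names and the limit of 4 are this example's assumptions.

```python
"""Nesting-depth check for user-supplied SREs (added example; Sym, read_sre,
max_plus_depth, is_safe_sre and the limit are its own names, not irregex API)."""
import re
from dataclasses import dataclass

MAX_PLUS_DEPTH = 4  # assumed "very small constant"; tune for your own inputs

# one token per match: "(", ")", a double-quoted string, or a bare atom
TOKEN = re.compile(r'\s*(?:(\()|(\))|("(?:[^"\\]|\\.)*")|([^\s()"]+))')

@dataclass(frozen=True)
class Sym:            # an SRE symbol such as +, :, $ or any (not a literal string)
    name: str

def read_sre(text):
    """Parse exactly one balanced SRE into nested lists of Sym/str/int."""
    stack, pos, text = [[]], 0, text.strip()
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"unreadable input at offset {pos}")
        pos = m.end()
        lparen, rparen, string, atom = m.groups()
        if lparen:
            stack.append([])
        elif rparen:
            if len(stack) == 1:
                raise ValueError("unbalanced ')'")
            stack[-2].append(stack.pop())   # close the list, attach to its parent
        elif string is not None:
            stack[-1].append(string[1:-1])  # literal string, escapes kept as-is
        elif atom.lstrip("-").isdigit():
            stack[-1].append(int(atom))     # repetition bounds such as -2 or 16
        else:
            stack[-1].append(Sym(atom))
    if len(stack) != 1 or len(stack[0]) != 1:
        raise ValueError("expected exactly one balanced expression")
    return stack[0][0]

def max_plus_depth(sre):
    """Deepest nesting of (+ ...) forms; ($ ...), (: ...) etc. pass through."""
    if not isinstance(sre, list) or not sre:
        return 0
    head, *args = sre
    here = 1 if head == Sym("+") else 0
    return here + max((max_plus_depth(a) for a in args), default=0)

def is_safe_sre(text, limit=MAX_PLUS_DEPTH):
    """True when the SRE parses and its (+ ...) nesting stays within limit."""
    return max_plus_depth(read_sre(text)) <= limit
```

Only the (+ ...) forms are counted, so the ($ ...) submatch groups interleaved in the advisory's example do not inflate the depth; malformed or unbalanced input is rejected with a ValueError before any depth is computed.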
_______________________________________________
Chicken-users mailing list
Chicken-users@nongnu.org
https://lists.nongnu.org/mailman/listinfo/chicken-users