Vigil@nce - GNU libc: denial of service via regcomp
December 2010 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
When an attacker can supply a specially crafted regular expression
to an application that uses the regcomp() function, he can crash
the application.
Severity: 1/4
Creation date: 08/12/2010
DESCRIPTION OF THE VULNERABILITY
The GNU libc regcomp() function generates a data structure
representing a regular expression.
The ".*{10,}{10,}etc." regular expression means "all characters,
as many times as required, and at least 10 times, and then at
least 10 times, etc.".
When regcomp() generates the data structure representing this
regular expression, the re_compile_fastmap() function is called
recursively. The recursion is nearly unbounded, so the stack
fills up and a segmentation fault occurs.
When an attacker can supply a specially crafted regular expression
to an application that uses the regcomp() function, he can
therefore crash the application.
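One way an application can screen untrusted patterns before they
reach regcomp(), as an added example that is not part of the
Vigil@nce bulletin or of glibc: it rejects over-long patterns and
any repetition operator stacked directly on another one. The names
pattern_is_acceptable and checked_regcomp and the 256-byte limit
are assumptions made for this illustration.

```c
#include <regex.h>
#include <string.h>

#define MAX_PATTERN_LEN 256u  /* assumed policy limit, tune per application */

/* Returns 1 if the POSIX ERE pattern passes the pre-checks, 0 otherwise.
 * A repetition operator (* + ? {m,n}) directly after another is rejected. */
int pattern_is_acceptable(const char *p)
{
    int prev_was_repeat = 0;
    if (p == NULL || strlen(p) > MAX_PATTERN_LEN)
        return 0;
    for (size_t i = 0; p[i] != '\0'; i++) {
        int is_repeat = 0;
        if (p[i] == '\\') {                 /* escaped char is a literal */
            if (p[i + 1] == '\0')
                return 0;                   /* trailing backslash */
            i++;
        } else if (p[i] == '[') {           /* skip bracket expression */
            i++;
            if (p[i] == '^') i++;
            if (p[i] == ']') i++;           /* leading ']' is a literal */
            while (p[i] != '\0' && p[i] != ']')
                i++;
            if (p[i] == '\0')
                return 0;                   /* unterminated bracket */
        } else if (p[i] == '*' || p[i] == '+' || p[i] == '?') {
            is_repeat = 1;
        } else if (p[i] == '{') {           /* interval: skip to '}' */
            while (p[i] != '\0' && p[i] != '}')
                i++;
            if (p[i] == '\0')
                return 0;                   /* unterminated interval */
            is_repeat = 1;
        }
        if (is_repeat && prev_was_repeat)
            return 0;                       /* stacked repetition */
        prev_was_repeat = is_repeat;
    }
    return 1;
}

/* Hypothetical wrapper: compile only patterns that pass the pre-checks. */
int checked_regcomp(regex_t *re, const char *pattern)
{
    if (!pattern_is_acceptable(pattern))
        return REG_BADPAT;
    return regcomp(re, pattern, REG_EXTENDED | REG_NOSUB);
}
```

The scan assumes POSIX extended syntax (REG_EXTENDED); in basic
syntax the interval is written \{m,n\} and would need its own
branch.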
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/GNU-libc-denial-of-service-via-regcomp-10183