On 3/30/22 7:48 PM, Steffen Nurpmeso wrote:
> Chet Ramey wrote in
> <[email protected]>:
> |On 3/30/22 11:16 AM, willi1337 bald wrote:
> |> Bash Version: 5.1
> |> Patch Level: 16
> |> Release Status: release
> |>
> |> Description:
> |>
> |> A deeply nested and incorrect regex expression can cause exhaustion of
> |> stack resources, which crashes the bash process.
> |
> |Bash doesn't use its own regexp engine; it uses whatever POSIX regexp
> |functions are provided by the C library (regcomp/regexec/regfree/regerror).
> Once there was that ???FTP CVE regarding recursion, what they did
> was simply counting *'s in the expression string, and restricting
> it to three occasions per expression.

That seems arbitrary and limiting. I'd rather see any `fix' for this kind
of incorrect regexp come in the library functions themselves.
--
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU [email protected] http://tiswww.cwru.edu/~chet/
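
A caller-side guard of the kind discussed in this thread, as an added example (not code from bash, from any C library, or from either poster): it counts unescaped `*` and group nesting in a POSIX ERE before handing the pattern to `regcomp`. The function names and the limits (3 stars, depth 32) are assumptions made for illustration; note that a harmless pattern such as `a*b*c*d*` is rejected, which is the trade-off raised in the reply above.

```c
#include <regex.h>
#include <stddef.h>

/* Scan a POSIX ERE without compiling it. Returns 0 if within limits,
 * -1 if it has more than max_stars unescaped '*', -2 if groups nest
 * deeper than max_depth. Escapes and bracket expressions are skipped,
 * so "\*" and "[*(]" are not counted. */
int ere_precheck(const char *p, int max_stars, int max_depth)
{
    int stars = 0, depth = 0;
    for (size_t i = 0; p[i] != '\0'; i++) {
        char c = p[i];
        if (c == '\\') {
            if (p[i + 1] != '\0') i++;            /* skip escaped char */
        } else if (c == '[') {
            i++;
            if (p[i] == '^') i++;
            if (p[i] == ']') i++;                 /* leading ']' is literal */
            while (p[i] != '\0' && p[i] != ']') {
                char k = p[i + 1];
                if (p[i] == '[' && (k == ':' || k == '.' || k == '=')) {
                    i += 2;                       /* inside [:class:] etc. */
                    while (p[i] != '\0' && !(p[i] == k && p[i + 1] == ']')) i++;
                    if (p[i] != '\0') i++;        /* now on the inner ']' */
                }
                if (p[i] != '\0') i++;
            }
            if (p[i] == '\0') break;              /* unterminated: regcomp reports it */
        } else if (c == '(') {
            if (++depth > max_depth) return -2;
        } else if (c == ')') {
            if (depth > 0) depth--;
        } else if (c == '*') {
            if (++stars > max_stars) return -1;
        }
    }
    return 0;
}

/* Assumed limits for illustration: 3 stars (the rule quoted above), depth 32.
 * Returns 0 compiled, 1 rejected by the pre-check, 2 rejected by regcomp. */
int guarded_regcomp(regex_t *re, const char *pattern)
{
    if (ere_precheck(pattern, 3, 32) != 0) return 1;
    return regcomp(re, pattern, REG_EXTENDED | REG_NOSUB) == 0 ? 0 : 2;
}
```

On success the caller owns the compiled `regex_t` and must release it with `regfree`.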