Hi all,

Irregex versions before 0.9.6 contain a resource exhaustion vulnerability: compiling a deeply nested regex that contains the "+" operator triggers exponential expansion of the pattern. All released CHICKEN versions that ship Irregex are affected. The upcoming versions 4.12 (and/or dev snapshot 4.11.2) and 5.0.0 will include a fix.
For example, the following expression will trigger an out of
memory error, using up many Gigabytes(!) of memory:
(irregex
"($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($(${-2,16}+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)")
In CHICKEN, the maximum heap size will prevent this from eating
up all your system's memory (assuming you have more free memory
than the heap limit), so it manifests as "merely" a denial of
service of the affected program. The default heap limit is 2GB; it
can be tuned using the -:hm runtime option.
No workaround or mitigation within Irregex itself is known. A program
can, however, validate a user-supplied SRE before compiling it: count
the nesting depth of (+ ...) expressions in the SRE and abort if it is
larger than a (very) small constant.
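The following is an added example of that validation step, written for this advisory; it is not part of Irregex or of the CHICKEN distribution. It walks an SRE as an S-expression, counts how deeply (+ ...) forms are nested (other operators such as :, $, *, ? and ** are descended into but not counted, since the advisory only names "+"), and refuses to hand the SRE to irregex when the depth exceeds a limit. The names sre-plus-depth, safe-sre, nest-plus and the limit of 3 are assumptions chosen for illustration; the check itself uses only portable Scheme, so it works on both CHICKEN 4 and 5.

```scheme
;; Added example (not Irregex/CHICKEN code): reject user-supplied SREs
;; whose (+ ...) nesting depth is too large before calling irregex.

;; Maximum nesting depth of (+ ...) forms found anywhere inside SRE.
;; An SRE is either an atom (string, symbol, char) or an operator-headed
;; list; lists headed by a non-symbol, such as ("aeiou") char sets,
;; are simply walked element by element.
(define (sre-plus-depth sre)
  (cond ((not (pair? sre)) 0)
        ((eq? (car sre) '+)
         (+ 1 (max-plus-depth-of (cdr sre))))
        (else
         (max-plus-depth-of (if (symbol? (car sre)) (cdr sre) sre)))))

;; Largest sre-plus-depth over a list of sub-expressions.
(define (max-plus-depth-of sres)
  (let loop ((xs sres) (best 0))
    (if (pair? xs)
        (loop (cdr xs) (max best (sre-plus-depth (car xs))))
        best)))

;; Assumed limit: the advisory only says "a (very) small constant".
;; Legitimate patterns rarely nest + more than two or three levels.
(define max-plus-depth 3)

;; Return SRE unchanged if acceptable, otherwise raise an error.
;; Intended use: (irregex (safe-sre user-supplied-sre))
(define (safe-sre sre)
  (let ((depth (sre-plus-depth sre)))
    (if (> depth max-plus-depth)
        (error "SRE rejected: nested + depth exceeds limit"
               depth max-plus-depth)
        sre)))

;; Helper to build a pathological SRE like the string regex in the
;; advisory: n levels of ($ (+ ...)) wrapped around INNER.
(define (nest-plus n inner)
  (if (= n 0)
      inner
      (list '$ (list '+ (nest-plus (- n 1) inner)))))

;; Demonstration on constructed inputs.
(define benign '(: "abc" (+ "d") (+ (* (+ "e")))))   ; depth 2
(define nasty  (nest-plus 40 '(** 2 16 "a")))          ; depth 40

(display (sre-plus-depth benign)) (newline)   ; 2, accepted
(display (sre-plus-depth nasty))  (newline)   ; 40, rejected by safe-sre
(safe-sre benign)                             ; returns the SRE
;; (safe-sre nasty) would signal the error above instead of compiling.
```

This check only covers SREs. Irregex also accepts string regexes (as in the example above); its documented string->sre procedure converts one to an SRE that can then be validated, but the advisory does not say whether the parsing step itself is cheap on untrusted input, so treat that conversion as an assumption to verify on your own build rather than as a guaranteed safe pre-filter.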
A fix has been implemented in the master branch as 2c419f1 and in the
chicken-5 branch as 60118b0. The patches can be found at
http://lists.gnu.org/archive/html/chicken-hackers/2016-12/msg00010.html
Thanks to Alex Shinn for reviewing the fix.
Regards,
The CHICKEN Team
Chicken-users mailing list: https://lists.nongnu.org/mailman/listinfo/chicken-users
