Rust heads into the kernel?
Posted Apr 23, 2021 14:13 UTC (Fri) by wtarreau (subscriber, #51152)
In reply to: Rust heads into the kernel? by hummassa
Parent article: Rust heads into the kernel?
Yes, they're all listed on cve.mitre.org
Posted Apr 23, 2021 18:15 UTC (Fri)
by hummassa (subscriber, #307)
PLEASE PRETTY PLEASE show me ONE example of a CVE caused by a regular expression. Let me make some popcorn while I wait for you to try.
Posted Apr 23, 2021 19:02 UTC (Fri)
by hummassa (subscriber, #307)
Posted Apr 23, 2021 19:47 UTC (Fri)
by Wol (subscriber, #4433)
Cheers,
Posted Apr 29, 2021 16:58 UTC (Thu)
by ejr (subscriber, #51652)
Posted Apr 23, 2021 19:02 UTC (Fri)
by Cyberax (✭ supporter ✭, #52523)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23354
"The package printf before 0.6.1 are vulnerable to Regular Expression Denial of Service (ReDoS) via the regex string /\%(?:\(([\w_.]+)\)|([1-9]\d*)\$)?([0 +\-\]*)(\*|\d+)?(\.)?(\*|\d+)?[hlL]?([\%bscdeEfFgGioOuxX])/g in lib/printf.js. The vulnerable regular expression has cubic worst-case time complexity. "
Posted Apr 23, 2021 19:59 UTC (Fri)
by hummassa (subscriber, #307)
Posted Apr 27, 2021 23:28 UTC (Tue)
by ras (subscriber, #33059)
DFAs might occasionally take exponential space for their compiled form and you have to incur the expense of compiling the entire thing, but you get to find out about your bug the first time the regex is compiled, not at some random time later in production.
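
The trade-off described in the comment above, as an added example (not code from the thread or from any regex library): a subset-construction DFA compiler with a state budget, run on a constructed NFA for "the n-th symbol from the end is `a`", whose DFA needs 2^n states. The names `nth_from_end_nfa`, `compile_dfa`, `matches` and the `max_states` budget are assumptions made for this illustration.

```python
from collections import deque

class StateBudgetExceeded(Exception):
    """Raised at compile time when the DFA would grow past the budget."""

def nth_from_end_nfa(n):
    """Constructed NFA over {a, b}: accepts when the n-th symbol from the end is 'a'.
    States 0..n; state 0 loops on everything, state n is the only accepting state."""
    delta = {(0, "a"): {0, 1}, (0, "b"): {0}}
    for i in range(1, n):
        delta[(i, "a")] = {i + 1}
        delta[(i, "b")] = {i + 1}
    return delta, {0}, {n}

def compile_dfa(nfa, alphabet="ab", max_states=1000):
    """Subset construction; the whole cost is paid (and bounded) here."""
    delta, start, accept = nfa
    start_set = frozenset(start)
    ids = {start_set: 0}          # NFA state set -> DFA state id
    table, accepting = [], set()  # table[id] = {symbol: next id}
    queue = deque([start_set])
    while queue:                  # FIFO order keeps table rows aligned with ids
        cur = queue.popleft()
        if cur & accept:
            accepting.add(ids[cur])
        row = {}
        for sym in alphabet:
            nxt = frozenset(t for s in cur for t in delta.get((s, sym), ()))
            if nxt not in ids:
                if len(ids) >= max_states:
                    raise StateBudgetExceeded(f"DFA needs more than {max_states} states")
                ids[nxt] = len(ids)
                queue.append(nxt)
            row[sym] = ids[nxt]
        table.append(row)
    return table, accepting

def matches(dfa, text):
    """One table lookup per input symbol: linear time, no backtracking."""
    table, accepting = dfa
    state = 0
    for ch in text:
        state = table[state][ch]
    return state in accepting

if __name__ == "__main__":
    for n in (3, 9, 10):
        try:
            print(n, len(compile_dfa(nth_from_end_nfa(n))[0]), "states")
        except StateBudgetExceeded as exc:
            print(n, "rejected at compile time:", exc)
```

The pattern that blows up is refused when it is compiled, while any pattern that does compile is matched in time proportional to the input length.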
Wol
Point conceded! Oh man, I've been proven wrong TWICE already on this thread! I must be turning into a Real Boy™!