Computer Security
[EN] securityvulns.ru no-pyccku


GNU libc regcomp buffer overflow / resources exhaustion
updated since 07.01.2011
Published:18.03.2014
Source:
SecurityVulns ID:11342
Type:library
Threat Level:
7/10
Description:Resources exhaustion and buffer overflow on regular expressions like ".*{10,}{10,}{10,}{10,}{10,}"
CVE:CVE-2010-4052 (Stack consumption vulnerability in the regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (resource exhaustion) via a regular expression containing adjacent repetition operators, as demonstrated by a {10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD.)
 CVE-2010-4051 (The regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (application crash) via a regular expression containing adjacent bounded repetitions that bypass the intended RE_DUP_MAX limitation, as demonstrated by a {10,}{10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD, related to a "RE_DUP_MAX overflow.")
Original documentdocumentsubmit_(at)_cxsec.org, MacOSX Safari Firefox Kaspersky RegExp Remote/Local Denial of Service (18.03.2014)
 documentMaksymilian Arciemowicz, GNU libc/regcomp(3) Multiple Vulnerabilities (07.01.2011)
Files:proftpd multiple exploit for VU#912279 (only with GNU libc/regcomp(3))

About | Terms of use | Privacy Policy
© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod