eks-distro-build-tooling
regexp/syntax: limit memory used by parsing regexps [go1.15 backport] - CVE-2022-41715
From the Golang security announcement:
The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory.
Each regexp being parsed is now limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are now rejected. Normal use of regular expressions is unaffected.
Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue.
This is CVE-2022-41715 and Go issue https://go.dev/issue/55949.
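As an added example (not code from the Go announcement, the Go project, or this repository), the following Go program shows both halves of the fix described above: a three-byte class such as `\pL` is materialised by the parser as hundreds of rune ranges, which is where the large constant factor comes from, and a pattern that is only a few hundred KB of text but would compile to tens of millions of instructions is now rejected at parse time with `syntax.ErrLarge` (that error code exists from Go 1.20 on). The function names, the sibling-repeat construction and the 20000-copy count are this example's own choices, not anything from the advisory.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"regexp/syntax"
	"strings"
)

// ClassRunes parses a single character-class pattern (for example `\pL`)
// and reports how many rune endpoints the parser stores for it. re.Rune
// holds [lo, hi] pairs, so the number of ranges is the result divided by 2.
// A pattern of a few bytes expanding to hundreds of ranges is the
// "constant factor" the announcement refers to.
func ClassRunes(pattern string) (int, error) {
	re, err := syntax.Parse(pattern, syntax.Perl)
	if err != nil {
		return 0, err
	}
	if re.Op != syntax.OpCharClass {
		return 0, fmt.Errorf("%q did not parse to a character class (op=%v)", pattern, re.Op)
	}
	return len(re.Rune), nil
}

// OversizedPattern builds a pattern of n sibling counted repeats. Each
// `a{1000}` is 7 bytes of text but 1000 instructions once compiled, so the
// compiled size is n*1000 while the text stays small. Siblings are used
// rather than nesting because nested repeats are already capped at a
// product of 1000 by the parser (constructed input for this example).
func OversizedPattern(n int) string {
	return strings.Repeat("a{1000}", n)
}

// CompileCode compiles pattern and returns the syntax.ErrorCode carried by
// the error, or "" when the pattern compiled (or the error was not a
// *syntax.Error). The error itself is returned alongside for logging.
func CompileCode(pattern string) (syntax.ErrorCode, error) {
	_, err := regexp.Compile(pattern)
	if err == nil {
		return "", nil
	}
	var serr *syntax.Error
	if errors.As(err, &serr) {
		return serr.Code, err
	}
	return "", err
}

func main() {
	n, err := ClassRunes(`\pL`)
	fmt.Printf("\\pL: %d rune endpoints (%d ranges), err=%v\n", n, n/2, err)

	// 20000*1000 = 2e7 instructions: far past the post-fix budget, so the
	// parser rejects it before any instruction memory is allocated.
	code, err := CompileCode(OversizedPattern(20000))
	fmt.Printf("oversized pattern: code=%q err=%v\n", code, err)

	// 100*1000 = 1e5 instructions is ordinary use and still compiles.
	code, err = CompileCode(OversizedPattern(100))
	fmt.Printf("modest pattern: code=%q err=%v\n", code, err)
}
```

The rejection is decided from the parse tree's computed size, so the oversized pattern fails in a few milliseconds; on a toolchain from before the fix the same `regexp.Compile` call would instead try to allocate the full instruction array.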
Figured out this issue was with the version of Unicode (12 vs. 13) that was being used to calculate rune size. When applying patch 0023 to fix Unicode, it originally included information for api/exempt.txt and api/next.txt. This caused the API tests to fail. Understanding what the api/*.txt files are and how they are used in the tests will be required for this fix. The commits used to cherry-pick the patches are in the patch files themselves.
Closing this out as Go 1.15 is no longer supported.
Top level tracking issue: https://github.com/aws/eks-distro-build-tooling/issues/623