data/reports/GO-2022-1039.yaml - vulndb - Git at Google

 id: GO-2022-1039
 modules:
     - module: std
       versions:
         - fixed: 1.18.7
         - introduced: 1.19.0-0
           fixed: 1.19.2
       vulnerable_at: 1.19.1
       packages:
         - package: regexp/syntax
           symbols:
             - parser.push
             - parser.repeat
             - parser.factor
             - parse
           derived_symbols:
             - Parse
 summary: Memory exhaustion when compiling regular expressions in regexp/syntax
 description: |-
     Programs which compile regular expressions from untrusted sources may be
     vulnerable to memory exhaustion or denial of service.

     The parsed regexp representation is linear in the size of the input, but in some
     cases the constant factor can be as high as 40,000, making relatively small
     regexps consume much larger amounts of memory.

     After fix, each regexp being parsed is limited to a 256 MB memory footprint.
     Regular expressions whose representation would use more space than that are
     rejected. Normal use of regular expressions is unaffected.
 credits:
     - Adam Korczynski (ADA Logics)
     - OSS-Fuzz
 references:
     - report: https://go.dev/issue/55949
     - fix: https://go.dev/cl/439356
     - web: https://groups.google.com/g/golang-announce/c/xtuG5faxtaU
 cve_metadata:
     id: CVE-2022-41715
     cwe: 'CWE 400: Uncontrolled Resource Consumption'
     references:
         - https://security.gentoo.org/glsa/202311-09
	id: GO-2022-1039
	modules:
	- module: std
	versions:
	- fixed: 1.18.7
	- introduced: 1.19.0-0
	fixed: 1.19.2
	vulnerable_at: 1.19.1
	packages:
	- package: regexp/syntax
	symbols:
	- parser.push
	- parser.repeat
	- parser.factor
	- parse
	derived_symbols:
	- Parse
	summary: Memory exhaustion when compiling regular expressions in regexp/syntax
	description: \|-
	Programs which compile regular expressions from untrusted sources may be
	vulnerable to memory exhaustion or denial of service.

	The parsed regexp representation is linear in the size of the input, but in some
	cases the constant factor can be as high as 40,000, making relatively small
	regexps consume much larger amounts of memory.

	After fix, each regexp being parsed is limited to a 256 MB memory footprint.
	Regular expressions whose representation would use more space than that are
	rejected. Normal use of regular expressions is unaffected.
	credits:
	- Adam Korczynski (ADA Logics)
	- OSS-Fuzz
	references:
	- report: https://go.dev/issue/55949
	- fix: https://go.dev/cl/439356
	- web: https://groups.google.com/g/golang-announce/c/xtuG5faxtaU
	cve_metadata:
	id: CVE-2022-41715
	cwe: 'CWE 400: Uncontrolled Resource Consumption'
	references:
	- https://security.gentoo.org/glsa/202311-09