calibre contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| calibre | Fix Released | Undecided | Unassigned | |
Bug Description
# Summary
calibre contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).
# Description
ReDoS, or Regular Expression Denial of Service, is a vulnerability affecting inefficient regular expressions: a backtracking engine can take extremely long (super-linear in the input length) to evaluate them when they are run on a crafted input string.
# Proof of Concept
Vulnerable code: https:/
To see that the regular expression is vulnerable, copy-paste it into a separate file and run the code shown below.
```python
import re
reg = re.compile(
reg.match('<head>' + '\n' * 1337)
```
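The report elides the actual pattern, so the following is an added example (not calibre's code or the reporter's) built around a constructed pattern with the classic ReDoS shape, the same input shape as the PoC above, and a process-based harness for testing a suspect regex with a time budget instead of hanging the interpreter:

```python
import multiprocessing as mp
import re
import time

# Constructed pattern for illustration; it is NOT calibre's (the report
# elides the real one). The flaw is the textbook ReDoS shape: a quantified
# group whose body overlaps with itself. \s already matches \n, so a run of
# n newlines can be split between "\s*" and "\n" in about 2**n ways, and a
# backtracking engine tries every split before it gives up.
VULNERABLE = re.compile(r"<head>(\s*\n)*\s*</head>")
# Same language, no ambiguity: one whitespace run, so a failed match is linear.
HARDENED = re.compile(r"<head>\s*</head>")


def crafted_input(n: int) -> str:
    """Same shape as the PoC input, plus a trailing byte that forces the
    match to fail so the engine must exhaust every split of the newline run."""
    return "<head>" + "\n" * n + "x"


def timed_match(pattern: re.Pattern, text: str) -> tuple:
    """Return (matched, seconds taken) for pattern.match(text)."""
    start = time.perf_counter()
    matched = pattern.match(text) is not None
    return matched, time.perf_counter() - start


def _worker(pattern: str, text: str, q) -> None:
    q.put(re.compile(pattern).match(text) is not None)


def match_with_timeout(pattern: str, text: str, timeout: float = 1.0):
    """Run the match in a child process and kill it if it overruns.

    A regex match runs in C while holding the GIL and is not interruptible
    from a thread or a signal handler, so a separate process is the only
    harness that can reliably enforce a budget. Returns True/False for the
    match result, or None when the child had to be killed (a ReDoS signal).
    """
    ctx = mp.get_context("fork" if "fork" in mp.get_all_start_methods() else None)
    q = ctx.Queue()
    proc = ctx.Process(target=_worker, args=(pattern, text, q))
    proc.start()
    proc.join(timeout)
    if proc.is_alive():
        proc.terminate()
        proc.join()
        return None
    return q.get(timeout=1.0)


if __name__ == "__main__":
    for n in (16, 18, 20):  # keep n small: each extra newline roughly doubles the time
        print(n, timed_match(VULNERABLE, crafted_input(n)))
    print("hardened, 1337 newlines:", timed_match(HARDENED, crafted_input(1337)))
    print("vulnerable, 1 s budget:", match_with_timeout(VULNERABLE.pattern, crafted_input(1337)))
```

The same harness can be pointed at any regex and input pair from a code base; a `None` result on a modest input is the signal to rewrite the pattern so that no two quantified parts can match the same characters.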
# Impact
This issue may lead to a denial of service.
# References
- https:/
description: updated
information type: Private Security → Public Security
Fixed in branch master. The fix will be in the next release. calibre is usually released every alternate Friday.
status fixreleased