calibre contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| calibre |
Fix Released
|
Undecided
|
Unassigned | ||
Bug Description
# Summary
calibre contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).
# Description
ReDoS, or Regular Expression Denial of Service, is a vulnerability affecting inefficient regular expressions which can perform extremely badly when run on a crafted input string.
# Proof of Concept
Vulnerable code: https:/
To see that the regular expression is vulnerable, copy-paste it into a separate file & run the code as shown below.
```python
import re
reg = re.compile(
reg.match('<head>' + '\n' * 1337)
```
# Impact
This issue may lead to a denial of service.
# References
- https:/
CVE References
| Kovid Goyal (kovid) wrote Fixed in master | #1 |
| Changed in calibre: | |
| status: | New → Fix Released |
| Dwi Siswanto (dw1s) wrote | #2 |
| information type: | Private Security → Private |
| information type: | Private → Private Security |
| description: | updated |
| information type: | Private Security → Public Security |
Fixed in branch master. The fix will be in the next release. calibre is usually released every alternate Friday.
status fixreleased