[erlang-patches] patch for CVE-2008-2371

Michael Santos michael.santos@REDACTED
Mon Feb 15 16:01:39 CET 2010


On Fri, Feb 12, 2010 at 08:37:14AM +0100, Kenneth Lundin wrote:
> >
> > Does the Erlang/OTP team have a policy on security advisories, so users
> > and package maintainers can evaluate their risk?
> >
> Thanks for the patch.
> 
> I don't really understand what you mean with "policy on security
> advisories". Please explain more
> I really want to learn if we have missed something important.
>
> This was a bug in the pcre package that we use for the re module in Erlang.
> 
> As Erlang/OTP is a development system the users can build any type of
> system with it.
> And it is the user's built system that might be exposed to security
> issues. We cannot make Erlang/OTP
> in a way that guarantees that the system built by the user with
> Erlang/OTP does not have security issues
> or can crash on certain input etc.

Thanks for the feedback! Kenji Rikitake summarized the issue pretty
well. It's mainly a convenience for users and projects making packages
for end users. Seems to be a common practice in open source languages:

Java: http://blogs.sun.com/security/tags/java
Ruby: http://www.ruby-lang.org/en/security/
Python: http://www.python.org/news/security/

Python's page is somewhat anemic and not up to date, so it doesn't look
like this approach is working out for them.

Maybe a note or a tag that could be grep'ed for in the ChangeLog would
help.

> Of course it is a very bad idea to let the external user of a system
> freely create regular expressions
> which are used directly as parameters to the re:compile function. And
> that is true even if there is no bug
> in pcre. A complex regexp can for sure break the system anyway by
> consuming memory or by taking
> a very long time to compile or use in searches.

I think people who need to take external input for creating regular
expressions understand that these may result in excessive resource usage
that could hang or crash the node. Erlang has excellent recovery support
for that situation. I don't think people expect the node will crash,
run shellcode and join a botnet :)
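The recovery the reply alludes to (a runaway regex should take down one process, not the node) can be made explicit. The module below is an added example, not code from this thread or from OTP: it compiles and runs a caller-supplied pattern in a throwaway worker process with a heap cap and a deadline. The module name, the default limits and the `{timeout, max_heap}` option map are assumptions; `spawn_opt/2` with `{max_heap_size, ...}` is real OTP but only exists in OTP 19 and later, so it was not available at the time of this 2010 exchange.

```erlang
%% safe_re.erl -- added example (not from the thread or from OTP).
%% Runs a user-supplied regex inside a separate process so that a
%% pathological pattern costs at most one bounded worker, not the node.
-module(safe_re).
-export([run/3, run/4]).

%% Default limits are assumed values; tune them for the application.
-define(DEFAULT_MAX_HEAP_WORDS, 1000000).  % ~8 MB of heap on a 64-bit VM
-define(DEFAULT_TIMEOUT_MS, 100).

run(Pattern, Subject, CompileOpts) ->
    run(Pattern, Subject, CompileOpts,
        #{timeout => ?DEFAULT_TIMEOUT_MS,
          max_heap => ?DEFAULT_MAX_HEAP_WORDS}).

%% Returns {ok, {match, Captures}} | {ok, nomatch} | {error, Reason}.
run(Pattern, Subject, CompileOpts, #{timeout := Timeout, max_heap := MaxHeap}) ->
    Parent = self(),
    Ref = make_ref(),
    %% max_heap_size with kill => true: the VM terminates the worker if its
    %% heap exceeds the cap, so memory blow-up in compile or match is contained.
    {Pid, MRef} = spawn_opt(
        fun() ->
            Result = case re:compile(Pattern, CompileOpts) of
                         {ok, MP} ->
                             {ok, re:run(Subject, MP, [{capture, all, list}])};
                         {error, Reason} ->
                             {error, {bad_pattern, Reason}}
                     end,
            Parent ! {Ref, Result}
        end,
        [monitor,
         {max_heap_size, #{size => MaxHeap, kill => true, error_logger => false}}]),
    receive
        {Ref, Result} ->
            erlang:demonitor(MRef, [flush]),
            Result;
        {'DOWN', MRef, process, Pid, Reason} ->
            %% Worker was killed (heap cap hit or crashed); caller survives.
            {error, {worker_died, Reason}}
    after Timeout ->
        %% Deadline passed: kill the worker and discard any late reply.
        exit(Pid, kill),
        erlang:demonitor(MRef, [flush]),
        receive {Ref, _} -> ok after 0 -> ok end,
        {error, timeout}
    end.
```

Usage: `safe_re:run("^(a+)+$", "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaab", [])` returns `{error, timeout}` once the match exceeds the deadline, while `safe_re:run("^(a+)$", "aaa", [])` returns `{ok, {match, ["aaa", "aaa"]}}`. The caller's own process is never the one that is killed, which is the recovery property the reply relies on; the limits just make the isolation deliberate rather than accidental.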
