Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE-2019-15225 #8519

Closed
asraa opened this issue Oct 7, 2019 · 1 comment
Closed

CVE-2019-15225 #8519

asraa opened this issue Oct 7, 2019 · 1 comment
Assignees
@asraa
Labels
area/security bug cve Security CVE issues stale stalebot believes this issue/PR has not been touched recently

Comments

@asraa
Copy link
Contributor

asraa commented Oct 7, 2019
edited by htuch
Loading

See GHSA-qj45-j25r-p2rq
@asraa asraa changed the title TBA for Security Release CVE-2019-15225 Oct 8, 2019
@alyssawilk alyssawilk added the bug label Oct 9, 2019
@alyssawilk alyssawilk added cve Security CVE issues area/security labels Oct 9, 2019
@EItanya EItanya mentioned this issue Oct 9, 2019
Closed
@asraa asraa mentioned this issue Oct 17, 2019
Merged
htuch pushed a commit that referenced this issue Oct 18, 2019
@asraa @htuch
fuzz: fix adding headers in fuzz tests (#8653)
8481215 
Fixes a logic error in adding headers from a RouteTestCase input to a HeaderMap in route_fuzz_test. Headers were ignored unless they were in the ignore_headers list.

This is at least one reason this fuzzer never produced a regex matching crash. With this fixed, a testcase was added that confirms the regex matching crash from CVE-2019-15225 (#8519).

Testing: A corpus with a wildcard Regex matcher and a very long URI that produces a crash in the fuzzer. To remove this known crash in the fuzzer, Routes configured with a regex match are explicitly removed.

Signed-off-by: Asra Ali <[email protected]>
@asraa asraa mentioned this issue Nov 4, 2019
Closed
@stale
Copy link

stale bot commented Nov 8, 2019

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or other activity occurs. Thank you for your contributions.

@stale stale bot added the stale stalebot believes this issue/PR has not been touched recently label Nov 8, 2019
@htuch htuch closed this as completed Nov 8, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@asraa asraa

Labels
area/security bug cve Security CVE issues stale stalebot believes this issue/PR has not been touched recently
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@asraa @htuch @alyssawilk