[Bug 3419] regular expression patterns in Host directive

bugzilla-daemon at mindrot.org
Thu Dec 5 02:19:24 AEDT 2024


https://bugzilla.mindrot.org/show_bug.cgi?id=3419

--- Comment #4 from Christoph Anton Mitterer <calestyo at scientia.org> ---
(1) yes, though some (I'd say especially PCRE) have become like de
facto standards.

(2) At least all major Linuxes (I've checked Debian, Fedora, Arch,
OpenSUSE, Ubuntu, Alpine, Rocky, CentOS, CentOS Stream and Cygwin) have
their grep depend on libpcre2, so I'd be tempted to say that
effectively it's like a system lib.
But I guess the BSDs don't.

(3) For pcre2 I find 11 CVEs since 2015, which is considerably fewer
than what e.g. OpenSSH itself has (which is of course not meant as an
insult, but rather to put numbers into perspective). I did however not
check how serious all of these were.

I would however even intuitively guess, that e.g. for grep (which is
used in gazillions of scripts), security issues in pcre would be far
more problematic than for ssh, where we'd probably ever only match
against hostnames and usernames, which could be checked for the few
valid characters before even running pcre on them.


Anyway,... was just an idea which I've thought would make maintaining
complex sshd?_configs much simpler.

Cheers,
Chris :-)

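The pre-check suggested in the comment above (restricting hostnames to their few valid characters before a regex engine ever sees them), as an added example that is not part of the original message or of OpenSSH. It uses POSIX regcomp/regexec as a stand-in for PCRE; the function names, the allowed character set and the length limit are assumptions.

```c
#include <regex.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical helper: accept only letters, digits, '-' and '.' and a
 * bounded length, so the regex engine never sees control bytes,
 * whitespace, shell metacharacters or oversized input. */
static int hostname_chars_ok(const char *s)
{
    size_t n = strlen(s);

    if (n == 0 || n > 253)              /* assumed limit: max DNS name length */
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '-' || c == '.';
        if (!ok)
            return 0;
    }
    return 1;
}

/* Hypothetical matcher for a regex-based Host pattern.
 * Returns 1 on match, 0 on no match, -1 if the input was rejected by the
 * character pre-check or the pattern failed to compile. */
int host_regex_match(const char *pattern, const char *host)
{
    regex_t re;
    int rc;

    if (!hostname_chars_ok(host))
        return -1;                      /* input never reaches the regex engine */
    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB | REG_ICASE) != 0)
        return -1;
    rc = regexec(&re, host, 0, NULL, 0);
    regfree(&re);
    return rc == 0 ? 1 : 0;
}
```

The pre-check bounds what the matcher can be fed, but the pattern itself still comes from the configuration file and is compiled as written.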