CVE-2021-44686: Regular Expression Denial-of-Service (ReDoS) in calibre


Description

calibre before 5.32.0 contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).

Proof of Concept

Vulnerable code: /src/calibre/ebooks/conversion/preprocess.py:383

To see that the regular expression is vulnerable, copy-paste it into a separate file and run the code as shown below. The input is an opening `<head>` tag followed by a long run of newlines and no closing tag, so the match can only fail, and the engine backtracks through every way of splitting the newline run between `\n*`, `(.*?)` and the second `\n*` before giving up.

import re

# Pattern from src/calibre/ebooks/conversion/preprocess.py (calibre before 5.32.0).
# Under DOTALL, (.*?) can also consume newlines, so it overlaps with both \n*
# quantifiers around it.
reg = re.compile(r'<head[^>]*>\n*(.*?)\n*</head>', re.IGNORECASE|re.DOTALL)

# Unterminated input: 1337 newlines and no </head>, so the match must fail and
# the engine tries every split of the newline run before returning None.
reg.match('<head>' + '\n' * 1337)
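The following is an added example, not part of the advisory and not calibre's own fix. It places the advisory's pattern beside a linear-time rewrite that drops the two `\n*` quantifiers (they overlap with `(.*?)` under DOTALL) and trims newlines from the capture afterwards, checks that both extract the same `<head>` contents on well-formed input, and times both on the unterminated-input shape from the proof of concept at small sizes so the superlinear growth of the original is visible without hanging the interpreter. The hardened pattern and the helper names are this example's own assumptions.

```python
"""Vulnerable vs. hardened <head> extraction regex, with a small timing check."""
import re
import time

# The pattern quoted in the advisory (calibre before 5.32.0).
VULNERABLE = re.compile(r'<head[^>]*>\n*(.*?)\n*</head>', re.IGNORECASE | re.DOTALL)

# Hardened rewrite (assumption: illustrative, not the project's actual fix).
# With the surrounding \n* removed there is only one variable-length consumer
# of the content, so a failed match costs one pass over the input instead of
# one pass per candidate split of the newline run.
HARDENED = re.compile(r'<head[^>]*>(.*?)</head>', re.IGNORECASE | re.DOTALL)


def extract_head_vulnerable(html):
    """Capture group 1 with the original pattern, or None when there is no match."""
    m = VULNERABLE.match(html)
    return m.group(1) if m else None


def extract_head_hardened(html):
    """Same result as the original pattern: the leading/trailing newlines that
    the original's \n* quantifiers swallowed are trimmed from the capture."""
    m = HARDENED.match(html)
    return m.group(1).strip('\n') if m else None


def adversarial_input(n):
    # Constructed input in the shape of the advisory's proof of concept:
    # an opening tag, n newlines, and no closing tag.
    return '<head>' + '\n' * n


def time_match(pattern, html):
    """Seconds spent in a single pattern.match() call on html."""
    t0 = time.perf_counter()
    pattern.match(html)
    return time.perf_counter() - t0


if __name__ == '__main__':
    # Constructed well-formed document: both extractors must agree on it.
    sample = '<head lang="en">\n\n<title>x</title>\n</head><body></body>'
    print('captures agree:', extract_head_vulnerable(sample) == extract_head_hardened(sample))

    # Doubling n should roughly multiply the vulnerable timing by eight
    # (three interacting quantifiers), while the hardened one stays flat.
    for n in (64, 128, 256):
        print(f'n={n:4d}  vulnerable={time_match(VULNERABLE, adversarial_input(n)):.4f}s'
              f'  hardened={time_match(HARDENED, adversarial_input(n)):.6f}s')
```

Keep the sizes small when experimenting: the original pattern's cost grows with the cube of the newline count, which is why the advisory's 1337-newline input is enough to stall a conversion.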

References