Debian Bug report logs - #1007176
rust-regex: CVE-2022-24713: RUSTSEC-2022-0013: Regexes with large repetitions on empty sub-expressions take a very long time to parse
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Rust Maintainers <pkg-rust-maintainers@alioth-lists.debian.net>: Bug#1007176; Package src:rust-regex. (Sat, 12 Mar 2022 19:51:03 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Rust Maintainers <pkg-rust-maintainers@alioth-lists.debian.net>. (Sat, 12 Mar 2022 19:51:03 GMT)
Message #5 received at submit@bugs.debian.org:
Source: rust-regex
Version: 1.5.4-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Hi,
The following vulnerability was published for rust-regex.
CVE-2022-24713[0]:
| regex is an implementation of regular expressions for the Rust
| language. The regex crate features built-in mitigations to prevent
| denial of service attacks caused by untrusted regexes, or untrusted
| input matched by trusted regexes. Those (tunable) mitigations already
| provide sane defaults to prevent attacks. This guarantee is documented
| and it's considered part of the crate's API. Unfortunately a bug was
| discovered in the mitigations designed to prevent untrusted regexes from
| taking an arbitrary amount of time during parsing, and it's possible to
| craft regexes that bypass such mitigations. This makes it possible to
| perform denial of service attacks by sending specially crafted regexes
| to services accepting user-controlled, untrusted regexes. All versions
| of the regex crate before or equal to 1.5.4 are affected by this
| issue. The fix is included starting from regex 1.5.5. All users
| accepting user-controlled regexes are recommended to upgrade
| immediately to the latest version of the regex crate. Unfortunately
| there is no fixed set of problematic regexes, as there are practically
| infinite regexes that could be crafted to exploit this vulnerability.
| Because of this, it is not recommended to deny known problematic
| regexes.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-24713
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24713
[1] https://rustsec.org/advisories/RUSTSEC-2022-0013.html
[2] https://github.com/rust-lang/regex/security/advisories/GHSA-m5pq-gvj9-9vr8
[3] https://github.com/rust-lang/regex/commit/ae70b41d4f46641dbc45c7a4f87954aea356283e
[4] https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
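The advisory quoted in the report above attributes the bypass to large repetitions of empty sub-expressions defeating the crate's parse-time size mitigations. The Rust program below is an added illustrative model written for this page; it is not code from the regex crate, from its fix commit, or from the bug report, and it does not reproduce the crate's real parser or compiler. It models a toy pattern language (literals, `( ... )` groups, `{n}` counted repetition) with two compile routines over the same expansion: one whose size limit counts only emitted instructions, which the constructed pattern `((){1000}){1000}` passes with zero output after a million iterations, and one that charges every repetition iteration against the same budget, which rejects it. All names (`Node`, `parse`, `compile_output_limited`, `compile_work_limited`), the sample patterns and the budget of 10_000 are assumptions made for the example.

```rust
// Illustrative model added for this page: not the regex crate's parser or compiler,
// and not the CVE-2022-24713 fix. Names and the 10_000 budget are assumptions.
#[derive(Debug, PartialEq)]
pub enum Node { Lit(char), Group(Vec<Node>), Repeat(Box<Node>, u64) }
#[derive(Debug, PartialEq)]
pub enum Error { Syntax(&'static str), SizeLimit }
#[derive(Debug, PartialEq)]
pub struct Compiled {
    pub insts: Vec<char>, // one "instruction" per literal: a flat program
    pub iterations: u64,  // repetition iterations spent while compiling
}

/// Parse a toy pattern: literals, `( ... )` groups and `{n}` counted repetition
/// of the preceding atom. The whole pattern is returned as one group.
pub fn parse(pattern: &str) -> Result<Node, Error> {
    let chars: Vec<char> = pattern.chars().collect();
    let mut pos = 0;
    let seq = parse_seq(&chars, &mut pos, 0)?;
    if pos != chars.len() { return Err(Error::Syntax("unbalanced ')'")); }
    Ok(Node::Group(seq))
}

fn parse_seq(chars: &[char], pos: &mut usize, depth: usize) -> Result<Vec<Node>, Error> {
    // A nest limit, as real regex parsers have; it does not help against `(){n}`.
    if depth > 100 { return Err(Error::Syntax("nesting too deep")); }
    let mut seq = Vec::new();
    while *pos < chars.len() {
        match chars[*pos] {
            ')' => break,
            '(' => {
                *pos += 1;
                let inner = parse_seq(chars, pos, depth + 1)?;
                if chars.get(*pos) != Some(&')') { return Err(Error::Syntax("missing ')'")); }
                *pos += 1;
                seq.push(Node::Group(inner));
            }
            '{' => {
                *pos += 1;
                let start = *pos;
                while chars.get(*pos).map_or(false, |c| c.is_ascii_digit()) { *pos += 1; }
                let digits: String = chars[start..*pos].iter().collect();
                let n: u64 = digits.parse().map_err(|_| Error::Syntax("bad repetition count"))?;
                if chars.get(*pos) != Some(&'}') { return Err(Error::Syntax("missing '}'")); }
                *pos += 1;
                let atom = seq.pop().ok_or(Error::Syntax("nothing to repeat"))?;
                seq.push(Node::Repeat(Box::new(atom), n));
            }
            c => { *pos += 1; seq.push(Node::Lit(c)); }
        }
    }
    Ok(seq)
}

/// Expand repetitions into a flat program, checking the budget after every node.
/// With `charge_iterations == false` only emitted instructions count (the
/// bypassable check); with `true` every repetition iteration counts as well.
fn expand(node: &Node, out: &mut Compiled, limit: u64, charge_iterations: bool) -> Result<(), Error> {
    match node {
        Node::Lit(c) => out.insts.push(*c),
        Node::Group(seq) => for n in seq { expand(n, out, limit, charge_iterations)?; },
        Node::Repeat(inner, n) => for _ in 0..*n {
            out.iterations += 1; // time is spent here even when `inner` emits nothing
            expand(inner, out, limit, charge_iterations)?;
        },
    }
    let charged = if charge_iterations { out.iterations } else { 0 };
    if out.insts.len() as u64 + charged > limit { return Err(Error::SizeLimit); }
    Ok(())
}

/// VULNERABLE: the limit is measured on output size only, so `(){n}` never trips it.
pub fn compile_output_limited(root: &Node, limit: u64) -> Result<Compiled, Error> {
    let mut out = Compiled { insts: Vec::new(), iterations: 0 };
    expand(root, &mut out, limit, false)?;
    Ok(out)
}

/// Hardened: work is charged against the budget whether or not it emits anything.
pub fn compile_work_limited(root: &Node, limit: u64) -> Result<Compiled, Error> {
    let mut out = Compiled { insts: Vec::new(), iterations: 0 };
    expand(root, &mut out, limit, true)?;
    Ok(out)
}

fn main() {
    // Constructed inputs: a benign pattern and a pathological one.
    for p in &["a{3}(bc){2}", "((){1000}){1000}"] {
        let ast = parse(p).unwrap();
        let summary = |r: Result<Compiled, Error>| r.map(|c| (c.insts.len(), c.iterations));
        println!("{}: output-limited {:?}, work-limited {:?}", p,
                 summary(compile_output_limited(&ast, 10_000)),
                 summary(compile_work_limited(&ast, 10_000)));
    }
}
```

The point the model makes is general: a budget-based mitigation has to measure the work actually performed, not the size of the artifact produced, or any construct that costs time without producing output escapes it. It also matches the advisory's warning against denylisting: every nesting depth and every count in `((){n}){m}` is a different string, so there is no finite list to block, and only a correct budget in the parser or compiler closes the hole.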
Last modified: Sun Mar 13 13:09:46 2022