[Pkg-rust-maintainers] Bug#1007176: rust-regex: CVE-2022-24713: RUSTSEC-2022-0013: Regexes with large repetitions on empty sub-expressions take a very long time to parse

Salvatore Bonaccorso carnil at debian.org
Sat Mar 12 19:49:37 GMT 2022


Source: rust-regex
Version: 1.5.4-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerability was published for rust-regex.

CVE-2022-24713[0]:
| regex is an implementation of regular expressions for the Rust
| language. The regex crate features built-in mitigations to prevent
| denial of service attacks caused by untrusted regexes, or untrusted
| input matched by trusted regexes. Those (tunable) mitigations already
| provide sane defaults to prevent attacks. This guarantee is documented
| and it's considered part of the crate's API. Unfortunately a bug was
| discovered in the mitigations designed to prevent untrusted regexes
| from taking an arbitrary amount of time during parsing, and it's
| possible to craft regexes that bypass such mitigations. This makes it
| possible to perform denial of service attacks by sending specially
| crafted regexes to services accepting user-controlled, untrusted
| regexes. All versions of the regex crate before or equal to 1.5.4 are
| affected by this issue. The fix is included starting from regex 1.5.5.
| All users accepting user-controlled regexes are recommended to upgrade
| immediately to the latest version of the regex crate. Unfortunately
| there is no fixed set of problematic regexes, as there are practically
| infinite regexes that could be crafted to exploit this vulnerability.
| Because of this, it is not recommended to deny known problematic
| regexes.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-24713
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24713
[1] https://rustsec.org/advisories/RUSTSEC-2022-0013.html
[2] https://github.com/rust-lang/regex/security/advisories/GHSA-m5pq-gvj9-9vr8
[3] https://github.com/rust-lang/regex/commit/ae70b41d4f46641dbc45c7a4f87954aea356283e
[4] https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
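
The advisory above gives a precise affected range (regex <= 1.5.4, fixed in 1.5.5) and explicitly advises against blocklisting patterns, so the practical check is on the dependency side: find every copy of the regex crate a build pulls in and compare its version against that range. `cargo audit` does this against the whole RustSEC database (it would report RUSTSEC-2022-0013 from [1]); the following is an added, dependency-free example, not code from this bug report, from Debian, or from the regex crate, that walks a Cargo.lock by hand and flags affected entries. The sample lockfile embedded in it is constructed for the example and does not come from any real project.

```rust
// Added example (not part of the Debian bug report or the regex crate):
// scan a Cargo.lock for `regex` entries at a version affected by
// CVE-2022-24713, i.e. <= 1.5.4 (fixed in 1.5.5 per the advisory).
// `cargo audit` does this against the full RustSEC database; this is a
// std-only check for the single advisory discussed here.

/// Highest version still affected by CVE-2022-24713 (from the advisory text).
const LAST_AFFECTED: (u64, u64, u64) = (1, 5, 4);

/// Parse "MAJOR.MINOR.PATCH" into a comparable tuple. Any "-pre" or
/// "+build" suffix is ignored. Returns None on malformed input.
fn parse_semver(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c: char| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    let major = parts.next()??;
    let minor = parts.next()??;
    let patch = parts.next()??;
    Some((major, minor, patch))
}

/// Evaluate one `[[package]]` table: returns the version string if the
/// table describes the `regex` crate at an affected version.
fn affected_entry(name: Option<&str>, version: Option<&str>) -> Option<String> {
    match (name, version) {
        (Some("regex"), Some(v)) if parse_semver(v).map_or(false, |p| p <= LAST_AFFECTED) => {
            Some(v.to_string())
        }
        _ => None,
    }
}

/// Walk the `[[package]]` tables of a Cargo.lock (line-oriented; the
/// lockfile format is regular enough that a TOML parser is not needed
/// here) and return every `regex` version that is <= 1.5.4. A lockfile
/// can legitimately contain several copies of the same crate, so all
/// of them are reported.
fn affected_regex_versions(lock: &str) -> Vec<String> {
    let mut found = Vec::new();
    let mut name: Option<&str> = None;
    let mut version: Option<&str> = None;

    for raw in lock.lines() {
        let line = raw.trim();
        if line == "[[package]]" {
            // A new table starts: evaluate and reset the previous one.
            found.extend(affected_entry(name, version));
            name = None;
            version = None;
        } else if let Some(rest) = line.strip_prefix("name = ") {
            name = Some(rest.trim_matches('"'));
        } else if let Some(rest) = line.strip_prefix("version = ") {
            version = Some(rest.trim_matches('"'));
        }
    }
    // Flush the last table, which has no `[[package]]` line after it.
    found.extend(affected_entry(name, version));
    found
}

/// Constructed sample lockfile (not from any real project): a build that
/// pulls in regex twice, once at an affected version and once fixed.
const SAMPLE_LOCK: &str = r#"# This file is automatically @generated by Cargo.
# It is not intended for manual editing.
version = 3

[[package]]
name = "aho-corasick"
version = "0.7.18"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "regex"
version = "1.5.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "aho-corasick",
 "regex-syntax",
]

[[package]]
name = "regex"
version = "1.5.5"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "regex-syntax"
version = "0.6.25"
source = "registry+https://github.com/rust-lang/crates.io-index"
"#;

fn main() {
    // Usage: pass a path to a Cargo.lock; with no argument the sample is used.
    let lock = std::env::args()
        .nth(1)
        .map(|p| std::fs::read_to_string(&p).expect("cannot read lockfile"))
        .unwrap_or_else(|| SAMPLE_LOCK.to_string());
    let hits = affected_regex_versions(&lock);
    if hits.is_empty() {
        println!("no regex version <= 1.5.4 in lockfile");
    } else {
        for v in &hits {
            println!("regex {} is affected by CVE-2022-24713; upgrade to >= 1.5.5", v);
        }
        std::process::exit(1);
    }
}
```

Running it on the embedded sample reports only the 1.5.4 entry; the 1.5.5 copy is left alone. A non-zero exit status on a hit lets the check sit in CI next to `cargo audit`. For a Debian source package the same comparison applies to the version of rust-regex that the package builds against, which is why the report above asks for the affected versions to be adjusted in the BTS.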


