Source: rust-regex
Version: 1.5.4-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,

The following vulnerability was published for rust-regex.

CVE-2022-24713[0]:
| regex is an implementation of regular expressions for the Rust
| language. The regex crate features built-in mitigations to prevent
| denial of service attacks caused by untrusted regexes, or untrusted
| input matched by trusted regexes. Those (tunable) mitigations already
| provide sane defaults to prevent attacks. This guarantee is documented
| and it's considered part of the crate's API. Unfortunately a bug was
| discovered in the mitigations designed to prevent untrusted regexes from
| taking an arbitrary amount of time during parsing, and it's possible to
| craft regexes that bypass such mitigations. This makes it possible to
| perform denial of service attacks by sending specially crafted regexes
| to services accepting user-controlled, untrusted regexes. All versions
| of the regex crate before or equal to 1.5.4 are affected by this
| issue. The fix is included starting from regex 1.5.5. All users
| accepting user-controlled regexes are recommended to upgrade
| immediately to the latest version of the regex crate. Unfortunately
| there is no fixed set of problematic regexes, as there are practically
| infinite regexes that could be crafted to exploit this vulnerability.
| Because of this, it is not recommended to deny known problematic
| regexes.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-24713
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24713
[1] https://rustsec.org/advisories/RUSTSEC-2022-0013.html
[2] https://github.com/rust-lang/regex/security/advisories/GHSA-m5pq-gvj9-9vr8
[3] https://github.com/rust-lang/regex/commit/ae70b41d4f46641dbc45c7a4f87954aea356283e
[4] https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw

Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
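As an added example (not part of the bug report, the Debian package or the regex crate itself), the following standard-library-only Rust program walks the [[package]] tables of a Cargo.lock and flags every pinned `regex` version that falls in the range the advisory names: 1.5.4 and earlier affected, 1.5.5 and later fixed. The Cargo.lock text embedded in it is constructed for illustration; the version comparison is the only policy it encodes, in line with the advisory's point that denying particular regexes is not a fix.

```rust
// Added example: report whether a Cargo.lock pins a regex release affected by
// CVE-2022-24713 (<= 1.5.4 affected, fixed in 1.5.5). Standard library only.

#[derive(Debug, PartialEq, Eq)]
pub struct Finding {
    pub version: String,
    pub affected: bool,
}

/// Parse "MAJOR.MINOR.PATCH" into a tuple; a pre-release or build suffix
/// ("1.5.5-beta.1", "1.5.5+meta") is cut off before the numeric compare.
fn parse_semver(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c: char| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>());
    let major = parts.next()?.ok()?;
    let minor = parts.next()?.ok()?;
    let patch = parts.next()?.ok()?;
    Some((major, minor, patch))
}

/// Advisory range: every regex release up to and including 1.5.4 is affected.
/// Returns None when the version string is not a plain semver triple.
pub fn is_affected(version: &str) -> Option<bool> {
    parse_semver(version).map(|v| v <= (1, 5, 4))
}

/// Emit a finding for the package table just finished, if it was `regex`.
/// An unparseable version is flagged as affected so it is not silently skipped.
fn record(name: &mut Option<String>, version: &mut Option<String>, out: &mut Vec<Finding>) {
    if let (Some(n), Some(v)) = (name.take(), version.take()) {
        if n == "regex" {
            let affected = is_affected(&v).unwrap_or(true);
            out.push(Finding { version: v, affected });
        }
    }
}

/// Scan Cargo.lock text. Only `name = ` / `version = ` keys inside each
/// [[package]] table are read; dependency lists and [metadata] are ignored,
/// so "regex-syntax" or `"regex 1.5.4 (registry+...)"` entries do not match.
pub fn scan_cargo_lock(lock: &str) -> Vec<Finding> {
    let mut findings = Vec::new();
    let mut name: Option<String> = None;
    let mut version: Option<String> = None;

    for line in lock.lines() {
        let line = line.trim();
        if line == "[[package]]" {
            record(&mut name, &mut version, &mut findings);
        } else if let Some(rest) = line.strip_prefix("name = ") {
            name = Some(rest.trim_matches('"').to_string());
        } else if let Some(rest) = line.strip_prefix("version = ") {
            version = Some(rest.trim_matches('"').to_string());
        }
    }
    record(&mut name, &mut version, &mut findings);
    findings
}

/// Constructed sample lock file (not from any real project): one vulnerable
/// regex pin plus neighbours whose names merely start with "regex".
pub const SAMPLE_LOCK: &str = r#"
[[package]]
name = "aho-corasick"
version = "0.7.18"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "regex"
version = "1.5.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "aho-corasick",
 "memchr",
 "regex-syntax",
]

[[package]]
name = "regex-syntax"
version = "0.6.25"
source = "registry+https://github.com/rust-lang/crates.io-index"
"#;

fn main() {
    for f in scan_cargo_lock(SAMPLE_LOCK) {
        let verdict = if f.affected {
            "AFFECTED by CVE-2022-24713, upgrade to regex >= 1.5.5"
        } else {
            "not affected"
        };
        println!("regex {} -> {}", f.version, verdict);
    }
}
```

For a real tree, `cargo audit` performs the same check against the full RustSec database, including RUSTSEC-2022-0013 cited at [1]; the program above only shows what that check boils down to for this advisory.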