Your message dated Wed, 16 Mar 2022 10:29:58 +0000
with message-id <e1nuquk-0002ii...@fasolo.debian.org>
and subject line Bug#1007176: fixed in rust-regex 1.5.5-1
has caused the Debian Bug report #1007176,
regarding rust-regex: CVE-2022-24713: RUSTSEC-2022-0013: Regexes with large
repetitions on empty sub-expressions take a very long time to parse
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1007176: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1007176
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: rust-regex
Version: 1.5.4-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for rust-regex.
CVE-2022-24713[0]:
| regex is an implementation of regular expressions for the Rust
| language. The regex crate features built-in mitigations to prevent
| denial of service attacks caused by untrusted regexes, or untrusted
| input matched by trusted regexes. Those (tunable) mitigations already
| provide sane defaults to prevent attacks. This guarantee is documented
| and it's considered part of the crate's API. Unfortunately a bug was
| discovered in the mitigations designed to prevent untrusted regexes from
| taking an arbitrary amount of time during parsing, and it's possible to
| craft regexes that bypass such mitigations. This makes it possible to
| perform denial of service attacks by sending specially crafted regexes
| to services accepting user-controlled, untrusted regexes. All versions
| of the regex crate before or equal to 1.5.4 are affected by this
| issue. The fix is included starting from regex 1.5.5. All users
| accepting user-controlled regexes are recommended to upgrade
| immediately to the latest version of the regex crate. Unfortunately
| there is no fixed set of problematic regexes, as there are practically
| infinite regexes that could be crafted to exploit this vulnerability.
| Because of this, it is not recommended to deny known problematic
| regexes.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-24713
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24713
[1] https://rustsec.org/advisories/RUSTSEC-2022-0013.html
[2] https://github.com/rust-lang/regex/security/advisories/GHSA-m5pq-gvj9-9vr8
[3] https://github.com/rust-lang/regex/commit/ae70b41d4f46641dbc45c7a4f87954aea356283e
[4] https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
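The advisory quoted above gives the affected range (every regex release up to and including 1.5.4) and the fixed release (1.5.5), and explicitly advises against denylisting patterns, so the practical defender task is to find out which of your Rust builds still lock an affected regex version. The following is an added example written for this page; it is not part of the bug report, of Debian's packaging, or of the regex crate. It assumes a Cargo.lock in the standard Cargo format, reads only the `[[package]]` entries with `name` and `version` keys, and flags `regex` entries older than 1.5.5. The lockfile it scans is a constructed sample embedded in the block, not one taken from a real project.

```rust
// Added example (not part of the Debian bug report or the regex crate):
// scan a Cargo.lock for `regex` crate versions in the range the advisory
// names as affected by CVE-2022-24713 / RUSTSEC-2022-0013 (<= 1.5.4).

/// One `[[package]]` entry from a Cargo.lock file.
#[derive(Debug, Clone, PartialEq)]
pub struct LockedPackage {
    pub name: String,
    pub version: String,
}

/// First regex release carrying the fix, as stated in the advisory text.
pub const REGEX_FIXED_VERSION: &str = "1.5.5";

/// Extract the string value of `key = "value"` from one lockfile line.
/// Returns None if the line is a different key or the value is not quoted
/// (e.g. the top-level `version = 3` lockfile-format marker).
fn quoted_value(line: &str, key: &str) -> Option<String> {
    let rest = line.strip_prefix(key)?.trim_start();
    let rest = rest.strip_prefix('=')?.trim_start();
    let rest = rest.strip_prefix('"')?;
    let end = rest.find('"')?;
    Some(rest[..end].to_string())
}

/// Minimal Cargo.lock parser: only `[[package]]` tables are read, and only
/// their `name` and `version` keys. `source`, `checksum`, `dependencies`
/// arrays and the `[metadata]` table are skipped. Entries missing either key
/// are dropped.
pub fn parse_cargo_lock(contents: &str) -> Vec<LockedPackage> {
    let mut packages = Vec::new();
    // (name, version) of the [[package]] entry currently being read.
    let mut current: Option<(Option<String>, Option<String>)> = None;

    for raw in contents.lines() {
        let line = raw.trim();
        if line.starts_with('[') {
            // Any table header ends the entry in progress.
            if let Some((Some(n), Some(v))) = current.take() {
                packages.push(LockedPackage { name: n, version: v });
            }
            if line == "[[package]]" {
                current = Some((None, None));
            }
            continue;
        }
        if let Some((name, version)) = current.as_mut() {
            if let Some(v) = quoted_value(line, "name") {
                *name = Some(v);
            } else if let Some(v) = quoted_value(line, "version") {
                *version = Some(v);
            }
        }
    }
    if let Some((Some(n), Some(v))) = current.take() {
        packages.push(LockedPackage { name: n, version: v });
    }
    packages
}

/// Parse a semver string into (major, minor, patch, is_release). Build
/// metadata after '+' is ignored; a pre-release ("-beta.1") sorts below the
/// release with the same core, as semver requires, so "1.5.5-beta.1" is
/// still treated as affected.
pub fn parse_semver(v: &str) -> Option<(u64, u64, u64, bool)> {
    let without_build = v.split_once('+').map(|(c, _)| c).unwrap_or(v);
    let (core, is_release) = match without_build.split_once('-') {
        Some((c, _pre)) => (c, false),
        None => (without_build, true),
    };
    let mut parts = core.split('.').map(|p| p.parse::<u64>());
    let major = parts.next()?.ok()?;
    let minor = parts.next()?.ok()?;
    let patch = parts.next()?.ok()?;
    if parts.next().is_some() {
        return None;
    }
    Some((major, minor, patch, is_release))
}

/// Some(true) if `version` precedes the fixed release; None if unparsable.
pub fn is_affected(version: &str) -> Option<bool> {
    let fixed = parse_semver(REGEX_FIXED_VERSION)?;
    let v = parse_semver(version)?;
    Some(v < fixed)
}

/// Every `regex` entry in the lockfile that is affected. An unparsable
/// version is flagged too, so it gets looked at rather than silently passed.
pub fn affected_regex_entries(contents: &str) -> Vec<LockedPackage> {
    parse_cargo_lock(contents)
        .into_iter()
        .filter(|p| p.name == "regex" && is_affected(&p.version).unwrap_or(true))
        .collect()
}

/// Constructed sample lockfile (not from any real project): an affected
/// `regex`, a second `regex` at the fixed version as a workspace might pin
/// both, and `regex-syntax`, a different crate that must not be flagged.
pub const SAMPLE_CARGO_LOCK: &str = r#"# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "aho-corasick"
version = "0.7.18"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "regex"
version = "1.5.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "aho-corasick",
 "regex-syntax",
]

[[package]]
name = "regex"
version = "1.5.5"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "regex-syntax"
version = "0.6.25"
source = "registry+https://github.com/rust-lang/crates.io-index"
"#;

fn main() {
    for p in affected_regex_entries(SAMPLE_CARGO_LOCK) {
        println!(
            "{} {} is affected by CVE-2022-24713 (fixed in {})",
            p.name, p.version, REGEX_FIXED_VERSION
        );
    }
}
```

Run against a real project with `std::fs::read_to_string("Cargo.lock")` in place of the sample constant. The check is deliberately by version only: per the advisory there is no finite set of bad patterns to look for, so upgrading the locked crate is the fix, and a scan like this tells you which builds still need it.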
--- Begin Message ---
Source: rust-regex
Source-Version: 1.5.5-1
Done: Sylvestre Ledru <sylves...@debian.org>
We believe that the bug you reported is fixed in the latest version of
rust-regex, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1007...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sylvestre Ledru <sylves...@debian.org> (supplier of updated rust-regex package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 16 Mar 2022 10:33:32 +0100
Source: rust-regex
Architecture: source
Version: 1.5.5-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Rust Maintainers <pkg-rust-maintain...@alioth-lists.debian.net>
Changed-By: Sylvestre Ledru <sylves...@debian.org>
Closes: 1007176
Changes:
rust-regex (1.5.5-1) unstable; urgency=medium
.
* Package regex 1.5.5 from crates.io using debcargo 2.5.0
* Fixes a security issue - CVE-2022-24713 (Closes: #1007176)
Checksums-Sha1:
e5702df21637c027dcc00b22839142f037e5c4c8 4285 rust-regex_1.5.5-1.dsc
8f00e743a9c780cc942c12f4e7f99d3163a2c5dd 238119 rust-regex_1.5.5.orig.tar.gz
3d37736e4ab1577510d51e17cf473e03d6a26900 4792 rust-regex_1.5.5-1.debian.tar.xz
2679f2d8d9d691f4d7e53c43d36f081a9a96c077 9686 rust-regex_1.5.5-1_source.buildinfo
Checksums-Sha256:
6503bf46b53f9d9ba6086d1725abfd08bff54e0d622b1103e2d564a58c49dca6 4285 rust-regex_1.5.5-1.dsc
1a11647b6b25ff05a515cb92c365cec08801e83423a235b51e231e1808747286 238119 rust-regex_1.5.5.orig.tar.gz
2d2a51e335abc59a5562e95f7e46c77c691e8e86067358621a7453d229ea7bb8 4792 rust-regex_1.5.5-1.debian.tar.xz
cc49c68b50a3c74e330b2bbd619d98ede1ec01e6e71b5e2677fb2247cec6ff78 9686 rust-regex_1.5.5-1_source.buildinfo
Files:
afc6681948a84c93e62729d2218b37b4 4285 rust optional rust-regex_1.5.5-1.dsc
6b5c7401117316735435311bf551515b 238119 rust optional rust-regex_1.5.5.orig.tar.gz
1c406eb5ce068616667b32801f5238dc 4792 rust optional rust-regex_1.5.5-1.debian.tar.xz
bdf86608ab3574f61b0741b1b6cb8614 9686 rust optional rust-regex_1.5.5-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---