2022-06-05 22:29:07 |
Joshua Peisach |
bug |
|
|
added bug |
2022-06-05 22:32:16 |
Joshua Peisach |
cve linked |
|
2022-24713 |
|
2022-06-05 22:32:43 |
Joshua Peisach |
attachment added |
|
Proposed Jammy Patch https://bugs.launchpad.net/ubuntu/+source/rust-regex/+bug/1977694/+attachment/5594991/+files/rust-regex_1.5.4-1ubuntu0.1.debdiff |
|
2022-06-05 22:34:20 |
Joshua Peisach |
information type |
Private Security |
Public Security |
|
2022-06-05 22:43:05 |
Joshua Peisach |
description |
There is a denial of service in rust-regex. Below is an SRU template to prepare for patching CVE-2022-24713.
https://ubuntu.com/security/CVE-2022-24713
https://blog.rust-lang.org/2022/03/08/cve-2022-24713.html
https://github.com/rust-lang/regex/commit/ae70b41d4f46641dbc45c7a4f87954aea356283e
ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: librust-regex-dev 1.5.4-1
ProcVersionSignature: Ubuntu 5.15.0-30.31-generic 5.15.30
Uname: Linux 5.15.0-30-generic x86_64
ApportVersion: 2.20.11-0ubuntu82.1
Architecture: amd64
CasperMD5CheckMismatches: ./casper/filesystem.manifest-remove
CasperMD5CheckResult: fail
CurrentDesktop: Unity:Unity7:ubuntu
Date: Sun Jun 5 18:26:32 2022
InstallationDate: Installed on 2022-04-22 (44 days ago)
InstallationMedia: Ubuntu Unity 22.04
RebootRequiredPkgs: Error: path contained symlinks.
SourcePackage: rust-regex
UpgradeStatus: No upgrade log present (probably fresh install) |
There is a denial of service in rust-regex. Below is an SRU template to prepare for patching CVE-2022-24713.
[Impact]
* The Rust compiler can compile a regex with an empty sub-expression as many times as wanted.
* Take '(?:){294967295}' - this would make the regex compiler compile 294967295 times.
* This results in a denial of service; there wouldn't be a crash but the compiler would take forever and eventually get there.
* An attacker could use this amount of time it takes for the compiler to parse this regex to perform DoS attacks
[Test Plan]
* Take a regex from the regex crate that is still vulnerable - get pre 1.5.5.
* Use one of the test cases provided in the fix commit https://github.com/rust-lang/regex/commit/ae70b41d4f46641dbc45c7a4f87954aea356283e or use this POC I made: https://github.com/ItzSwirlz/CVE-2022-24713-POC
* Building using the old regex would take forever, but the fix would take a shorter time.
[Where problems could occur]
* An integer overflow might still be able to cause a regex overload
* Changes to the rust libraries/packages and other SRUs may create regressions with updates that may outdate the library
* This fix adds a fake amount of memory any time a regex empty sub-expression is compiled, and then adds to the Inst in the existing indirect heap usage.
* This means maybe an attacker could overload the amount of Regexes and make compiling impossible? Memory may be lost in very specific situations, or a heap buffer issue can occur
[Other Info]
* Impacts Focal, Impish, Jammy
* Links:
https://github.com/rust-lang/regex/commit/ae70b41d4f46641dbc45c7a4f87954aea356283e
https://blog.rust-lang.org/2022/03/08/cve-2022-24713.html
https://ubuntu.com/security/CVE-2022-24713
https://github.com/rust-lang/regex/security/advisories/GHSA-m5pq-gvj9-9vr8
ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: librust-regex-dev 1.5.4-1
ProcVersionSignature: Ubuntu 5.15.0-30.31-generic 5.15.30
Uname: Linux 5.15.0-30-generic x86_64
ApportVersion: 2.20.11-0ubuntu82.1
Architecture: amd64
CasperMD5CheckMismatches: ./casper/filesystem.manifest-remove
CasperMD5CheckResult: fail
CurrentDesktop: Unity:Unity7:ubuntu
Date: Sun Jun 5 18:26:32 2022
InstallationDate: Installed on 2022-04-22 (44 days ago)
InstallationMedia: Ubuntu Unity 22.04
RebootRequiredPkgs: Error: path contained symlinks.
SourcePackage: rust-regex
UpgradeStatus: No upgrade log present (probably fresh install) |
|
2022-06-05 22:43:07 |
Joshua Peisach |
rust-regex (Ubuntu): assignee |
|
Joshua Peisach (itzswirlz) |
|
2022-06-06 00:25:25 |
Ubuntu Foundations Team Bug Bot |
tags |
amd64 apport-bug jammy jammy-security |
amd64 apport-bug jammy jammy-security patch |
|
2022-06-06 00:25:33 |
Ubuntu Foundations Team Bug Bot |
bug |
|
|
added subscriber Ubuntu Security Sponsors Team |
2022-06-10 16:39:38 |
Joshua Peisach |
rust-regex (Ubuntu): status |
New |
In Progress |
|
2022-06-11 19:43:29 |
Simon Quigley |
nominated for series |
|
Ubuntu Jammy |
|
2022-06-11 19:43:29 |
Simon Quigley |
bug task added |
|
rust-regex (Ubuntu Jammy) |
|
2022-06-11 19:43:29 |
Simon Quigley |
nominated for series |
|
Ubuntu Kinetic |
|
2022-06-11 19:43:29 |
Simon Quigley |
bug task added |
|
rust-regex (Ubuntu Kinetic) |
|
2022-06-11 19:43:43 |
Simon Quigley |
rust-regex (Ubuntu Jammy): assignee |
|
Joshua Peisach (itzswirlz) |
|
2022-06-11 19:43:50 |
Simon Quigley |
rust-regex (Ubuntu Jammy): status |
New |
In Progress |
|
2022-06-14 16:38:30 |
Joshua Peisach |
rust-regex (Ubuntu Kinetic): status |
In Progress |
Fix Released |
|
2022-06-16 15:09:52 |
Eduardo Barretto |
nominated for series |
|
Ubuntu Impish |
|
2022-06-16 15:09:52 |
Eduardo Barretto |
bug task added |
|
rust-regex (Ubuntu Impish) |
|
2022-06-16 15:09:52 |
Eduardo Barretto |
nominated for series |
|
Ubuntu Focal |
|
2022-06-16 15:09:52 |
Eduardo Barretto |
bug task added |
|
rust-regex (Ubuntu Focal) |
|
2022-06-16 15:09:58 |
Eduardo Barretto |
rust-regex (Ubuntu Focal): status |
New |
In Progress |
|
2022-06-16 15:10:01 |
Eduardo Barretto |
rust-regex (Ubuntu Impish): status |
New |
In Progress |
|
2022-06-16 15:10:17 |
Eduardo Barretto |
rust-regex (Ubuntu Focal): assignee |
|
David Fernandez Gonzalez (litios) |
|
2022-06-16 15:10:34 |
Eduardo Barretto |
rust-regex (Ubuntu Impish): assignee |
|
David Fernandez Gonzalez (litios) |
|
2022-06-16 15:10:47 |
Eduardo Barretto |
rust-regex (Ubuntu Jammy): assignee |
Joshua Peisach (itzswirlz) |
David Fernandez Gonzalez (litios) |
|
2022-06-26 08:58:28 |
Mathew Hodson |
rust-regex (Ubuntu Focal): importance |
Undecided |
Medium |
|
2022-06-26 08:58:30 |
Mathew Hodson |
rust-regex (Ubuntu Impish): importance |
Undecided |
Medium |
|
2022-06-26 08:58:32 |
Mathew Hodson |
rust-regex (Ubuntu Jammy): importance |
Undecided |
Medium |
|
2022-06-26 08:58:34 |
Mathew Hodson |
rust-regex (Ubuntu Kinetic): importance |
Undecided |
Medium |
|
2022-08-01 09:09:47 |
Eduardo Barretto |
rust-regex (Ubuntu Impish): status |
In Progress |
Won't Fix |
|
2022-09-14 07:22:48 |
Launchpad Janitor |
rust-regex (Ubuntu Jammy): status |
In Progress |
Fix Released |
|
2022-09-14 07:22:49 |
Launchpad Janitor |
rust-regex (Ubuntu Focal): status |
In Progress |
Fix Released |
|