[CVE-2022-24713] Denial of service in compiler with rust-regex
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
rust-regex (Ubuntu) | Fix Released | Medium | Joshua Peisach |
Focal | Fix Released | Medium | David Fernandez Gonzalez |
Impish | Won't Fix | Medium | David Fernandez Gonzalez |
Jammy | Fix Released | Medium | David Fernandez Gonzalez |
Kinetic | Fix Released | Medium | Joshua Peisach |
Bug Description
There is a denial of service in rust-regex. Below is an SRU template to prepare for patching CVE-2022-24713.
[Impact]
* The rust compiler can compile an empty regex sub-expression as many times as wanted.
* Take '(?:){294967295}' - this would make the regex compiler compile 294967295 times.
* This results in a denial of service; there wouldn't be a crash but the compiler would take forever and eventually get there.
* An attacker could use the amount of time it takes for the compiler to parse this regex to perform DoS attacks.
[Test Plan]
* Take a regex from the regex crate that is still vulnerable - get pre 1.5.5.
* Use one of the test cases provided in the fix commit https:/
* Building using the old regex would take forever, but the fix would take a shorter time.
[Where problems could occur]
* An integer overflow might still be able to cause a regex overload
* Changes to the rust libraries/packages and other SRUs may create regressions with updates that may outdate the library
* This fix adds a fake amount of memory any time a regex empty sub-expression is compiled, and then adds to the Inst in the existing indirect heap usage.
* This means maybe an attacker could overload the amount of regexes and make compiling impossible? Memory may be lost in very specific situations, or a heap buffer issue can occur
[Other Info]
* Impacts Focal, Impish, Jammy
* Links:
https:/
https:/
https:/
https:/
ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: librust-regex-dev 1.5.4-1
ProcVersionSign
Uname: Linux 5.15.0-30-generic x86_64
ApportVersion: 2.20.11-0ubuntu82.1
Architecture: amd64
CasperMD5CheckM
CasperMD5CheckR
CurrentDesktop: Unity:Unity7:ubuntu
Date: Sun Jun 5 18:26:32 2022
InstallationDate: Installed on 2022-04-22 (44 days ago)
InstallationMedia: Ubuntu Unity 22.04
RebootRequiredPkgs: Error: path contained symlinks.
SourcePackage: rust-regex
UpgradeStatus: No upgrade log present (probably fresh install)
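The size-accounting behaviour described under [Impact] and [Where problems could occur], as an added example that is not part of the original report and is not the regex crate's code. It is a simplified model: `compile_repeat`, `INST_BYTES`, `SIZE_LIMIT` and `charge_empty` are hypothetical names and assumed values chosen for illustration.

```rust
// Simplified model of size accounting in a regex compiler. Constructed for
// illustration; names and constants are assumptions, not the regex crate's code.
const INST_BYTES: usize = 32; // assumed cost of one compiled instruction
const SIZE_LIMIT: usize = 10 * (1 << 20); // assumed compiled-program size limit

#[derive(Debug, PartialEq)]
enum Outcome {
    Compiled { steps: u64 }, // every repetition was processed
    TooBig { steps: u64 },   // size check rejected the pattern after `steps`
}

/// Compile a sub-expression of `sub_insts` instructions repeated `count` times.
/// `charge_empty` selects the patched behaviour described in the report.
fn compile_repeat(sub_insts: usize, count: u64, charge_empty: bool) -> Outcome {
    let mut insts: usize = 0; // instructions actually emitted
    let mut extra_bytes: usize = 0; // bytes charged for empty sub-expressions
    for step in 1..=count {
        if sub_insts == 0 {
            // An empty sub-expression emits nothing, so without the extra
            // charge the size check below can never fire.
            if charge_empty {
                extra_bytes = extra_bytes.saturating_add(INST_BYTES);
            }
        } else {
            insts = insts.saturating_add(sub_insts);
        }
        let used = insts.saturating_mul(INST_BYTES).saturating_add(extra_bytes);
        if used > SIZE_LIMIT {
            return Outcome::TooBig { steps: step };
        }
    }
    Outcome::Compiled { steps: count }
}

fn main() {
    // Unpatched: work grows with the count (kept small here so the demo is quick).
    println!("{:?}", compile_repeat(0, 2_000_000, false));
    // Patched: the count from the report is rejected after a bounded number of steps.
    println!("{:?}", compile_repeat(0, 294_967_295, true));
    // Non-empty sub-expressions were already bounded by the size limit.
    println!("{:?}", compile_repeat(1, 294_967_295, false));
}
```

In the model, the charged bytes bound the work for an empty sub-expression to the same number of steps as a one-instruction sub-expression, and the saturating arithmetic keeps the size check from wrapping around.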
CVE References
description: | updated |
Changed in rust-regex (Ubuntu): | |
assignee: | nobody → Joshua Peisach (itzswirlz) |
Changed in rust-regex (Ubuntu): | |
status: | New → In Progress |
Changed in rust-regex (Ubuntu Jammy): | |
assignee: | nobody → Joshua Peisach (itzswirlz) |
status: | New → In Progress |
Changed in rust-regex (Ubuntu Focal): | |
importance: | Undecided → Medium |
Changed in rust-regex (Ubuntu Impish): | |
importance: | Undecided → Medium |
Changed in rust-regex (Ubuntu Jammy): | |
importance: | Undecided → Medium |
Changed in rust-regex (Ubuntu Kinetic): | |
importance: | Undecided → Medium |
Changed in rust-regex (Ubuntu Impish): | |
status: | In Progress → Won't Fix |
The attachment "Proposed Jammy Patch" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.
[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]