[CVE-2022-24713] Denial of service in compiler with rust-regex

The attachment "Proposed Jammy Patch" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

Ubuntu Kinetic - Fixed from Debian release 1.55.5-1

rust-regex (1.5.5-1) unstable; urgency=medium

  * Package regex 1.5.5 from crates.io using debcargo 2.5.0
  * Fixes a security issue - CVE-2022-24713 (Closes: #1007176)

 -- Sylvestre Ledru <email address hidden> Wed, 16 Mar 2022 10:33:32 +0100

Hi Joshua,

Thanks for taking the time and providing this debdiff!
My colleague David will be taking a look at it.

Hi guys, FYI I did not receive a notification/update when rust-regex was pushed to security proposed. But no problem; when I get back from vacation I'll test it.

Hi, we didn't make any announcement about it because we are still working on the approach to take to rebuild the packages affected by this update. That's why we only have published the update under proposed but please, any testing you can perform is very welcome. We will provide any updates on this asap. Thank you.

No problem! I tested Focal and indeed the patch works.

This bug was fixed in the package rust-regex - 1.5.4-1ubuntu0.1

---------------
rust-regex (1.5.4-1ubuntu0.1) jammy-security; urgency=high

  * SECURITY UPDATE: fix denial-of-service bug in compiler
    (CVE-2022-24713) (LP: #1977694)

 -- Joshua Peisach <email address hidden> Sun, 05 Jun 2022 16:36:11 -0400

This bug was fixed in the package rust-regex - 1.2.1-3ubuntu0.1

---------------
rust-regex (1.2.1-3ubuntu0.1) focal-security; urgency=medium

  * SECURITY UPDATE: fix denial-of-service bug in compiler (LP: #1977694)
    - debian/patches/CVE-2022-24713-pre.patch: support empty patterns
    in src/compile.rs.
    - debian/patches/CVE-2022-24713-pre2.patch: account for Unicode
    class size in regex compilation error in src/compile.rs.
    - debian/patches/CVE-2022-24713.patch: adding a fake amount of
    memory every time we compile an empty sub-expression in
    src/compile.rs.
    - CVE-2022-24713

 -- David Fernandez Gonzalez <email address hidden> Tue, 21 Jun 2022 09:14:36 -0500

Updates for focal and jammy released. More information here: https://ubuntu.com/security/notices/USN-5610-1

The following related packages have been rebuilt to include the security update:

* rust-bat
* rust-bindgen
* rust-debcargo
* rust-dfrs
* rust-fd-find
* rust-hyperfine
* rust-lalrpop
* rust-markdown
* rust-pleaser
* rust-ripgrep
* rust-rustfilt
* rust-sequoia-keyring-linter
* rust-sequoia-sop
* rust-sequoia-sq
* rust-sniffglue
* rust-ucd-generate

Sorry for being slow - thanks for releasing!