Bug 1196972 - (CVE-2022-24713) VUL-0: CVE-2022-24713: rust1.56,rust,rust1.55,rust1.59,rust1.54,rust1.57,rust1.43,rust1.53,rust1.58: regex crate is vulnerable to ReDoS
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other  OS: Other
Priority: P3 - Medium  Severity: Major
Target Milestone: ---
Assigned To: William Brown
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/325578/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-24713:4.3:(AV:...
Reported: 2022-03-10 13:31 UTC by Thomas Leroy
Modified: 2022-11-18 17:23 UTC (History)
Found By: Security Response Team
Description Thomas Leroy 2022-03-10 13:31:18 UTC
CVE-2022-24713

regex is an implementation of regular expressions for the Rust language. The
regex crate features built-in mitigations to prevent denial of service attacks
caused by untrusted regexes, or untrusted input matched by trusted regexes.
Those (tunable) mitigations already provide sane defaults to prevent attacks.
This guarantee is documented and it's considered part of the crate's API.
Unfortunately a bug was discovered in the mitigations designed to prevent
untrusted regexes from taking an arbitrary amount of time during parsing, and it's
possible to craft regexes that bypass such mitigations. This makes it possible
to perform denial of service attacks by sending specially crafted regexes to
services accepting user-controlled, untrusted regexes. All versions of the regex
crate before or equal to 1.5.4 are affected by this issue. The fix is included
starting from regex 1.5.5. All users accepting user-controlled regexes are
recommended to upgrade immediately to the latest version of the regex crate.
Unfortunately there is no fixed set of problematic regexes, as there are
practically infinite regexes that could be crafted to exploit this
vulnerability. Because of this, it is not recommended to deny known problematic
regexes.

Upstream commit:
https://github.com/rust-lang/regex/commit/ae70b41d4f46641dbc45c7a4f87954aea356283e

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-24713
https://github.com/rust-lang/regex/security/advisories/GHSA-m5pq-gvj9-9vr8
https://github.com/rust-lang/regex/commit/ae70b41d4f46641dbc45c7a4f87954aea356283e
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24713
https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw
Comment 1 Thomas Leroy 2022-03-10 13:36:32 UTC
It seems that every Rust package that we ship contains the regex crate in the vendor tarball, in a vulnerable version:
- SUSE:SLE-15:Update/rust
- SUSE:SLE-15-SP1:Update/rust
- SUSE:SLE-15-SP3:Update/rust
- SUSE:SLE-15-SP3:Update/rust1.43
- SUSE:SLE-15-SP3:Update/rust1.53
- SUSE:SLE-15-SP3:Update/rust1.54
- SUSE:SLE-15-SP3:Update/rust1.55
- SUSE:SLE-15-SP3:Update/rust1.56
- SUSE:SLE-15-SP3:Update/rust1.57

I can't find the sources of SUSE:SLE-15-SP3:Update/rust1.58 and SUSE:SLE-15-SP3:Update/rust1.59, but it's likely that they are also affected.
Comment 2 William Brown 2022-03-11 04:04:19 UTC
Thanks mate, I've updated the advisory-db and I'll start a scan of the repos ASAP. :)
Comment 3 William Brown 2022-03-11 04:04:53 UTC
Also worth saying it's only a risk if there are client-submitted regex patterns, so not all the packages that use regex will be vulnerable.
Comment 4 Thomas Leroy 2022-03-11 08:04:36 UTC
(In reply to William Brown from comment #2)
> Thanks mate, I've updated the advisory-db and I'll start a scan of the repos
> ASAP. :)

Perfect, many thanks William!

(In reply to William Brown from comment #3)
> Also worth saying it's only a risk if there is client-submitted regex
> patterns, so not all the packages that use regex will be vulnerable.

Yes you're totally right. The exploitation really depends on the context here, but we have to assume that such a context exists somewhere...
Comment 5 William Brown 2022-03-14 02:09:17 UTC
- the following pkgs need SECURITY updates to address RUSTSEC-2022-0013 - svc setup
osc bco utilities/treefetch
osc bco utilities/macchina
osc bco X11:Wayland/tuigreet
osc bco devel:languages:rust/cargo-audit
osc bco network:utilities/rustscan
osc bco devel:languages:rust/sccache
osc bco Base:System/pleaser
osc bco network:idm/kanidm
osc bco utilities/fd
osc bco network:utilities/dog
osc bco security/rage-encryption
osc bco devel:languages:rust/rustup
osc bco X11:Wayland/wayshot
osc bco editors/neovim-gtk
osc bco multimedia:apps/spotifyd
osc bco science/juliaup
- the following pkgs need SECURITY updates to address RUSTSEC-2022-0013 - manual
osc bco utilities/ripgrep
osc bco GNOME:Factory/gnome-tour
osc bco mozilla:Factory/mozjs91
osc bco multimedia:apps/helvum
osc bco network:utilities/newsboat
osc bco devel:tools:scm/pijul
osc bco GNOME:Apps/Fragments
osc bco GNOME:Apps/gnome-podcasts
osc bco security/parsec-tool
osc bco devel:kubic:ignition/afterburn
osc bco utilities/onefetch
osc bco devel:languages:python/python-cryptography
osc bco utilities/tealdeer
osc bco Cloud:Tools/aws-nitro-enclaves-cli
osc bco utilities/git-delta
osc bco editors/tree-sitter
osc bco multimedia:apps/netease-cloud-music-gtk
osc bco devel:languages:python/python-maturin
osc bco multimedia:libs/gstreamer-plugins-rs
osc bco devel:languages:python/python-adblock
osc bco GNOME:Factory/librsvg
osc bco GNOME:Apps/fractal
osc bco mozilla:Factory/mozjs78
osc bco utilities/xsv
osc bco devel:openSUSE:Factory:Apps/zypp-gui
osc bco utilities/bat
osc bco benchmark/hyperfine
osc bco Virtualization/firecracker
osc bco security/parsec
osc bco utilities/bottom

I can start on the "svc setup" members, but we'll need to contact the maintainers for the packages in the "manual" section. Would you mind doing that part? I'm not sure what's the best way to mass bring people into this issue...
Comment 10 OBSbugzilla Bot 2022-03-15 18:00:04 UTC
This is an autogenerated message for OBS integration:
This bug (1196972) was mentioned in
https://build.opensuse.org/request/show/961976 Factory / rage-encryption
Comment 11 Thomas Leroy 2022-03-16 10:36:34 UTC
(In reply to William Brown from comment #5)
> - the following pkgs need SECURITY updates to address RUSTSEC-2022-0013 -
> manual
> osc bco utilities/ripgrep
> osc bco GNOME:Factory/gnome-tour
> osc bco mozilla:Factory/mozjs91
> osc bco multimedia:apps/helvum
> osc bco network:utilities/newsboat
> osc bco devel:tools:scm/pijul
> osc bco GNOME:Apps/Fragments
> osc bco GNOME:Apps/gnome-podcasts
> osc bco security/parsec-tool
> osc bco devel:kubic:ignition/afterburn
> osc bco utilities/onefetch
> osc bco devel:languages:python/python-cryptography
> osc bco utilities/tealdeer
> osc bco Cloud:Tools/aws-nitro-enclaves-cli
> osc bco utilities/git-delta
> osc bco editors/tree-sitter
> osc bco multimedia:apps/netease-cloud-music-gtk
> osc bco devel:languages:python/python-maturin
> osc bco multimedia:libs/gstreamer-plugins-rs
> osc bco devel:languages:python/python-adblock
> osc bco GNOME:Factory/librsvg
> osc bco GNOME:Apps/fractal
> osc bco mozilla:Factory/mozjs78
> osc bco utilities/xsv
> osc bco devel:openSUSE:Factory:Apps/zypp-gui
> osc bco utilities/bat
> osc bco benchmark/hyperfine
> osc bco Virtualization/firecracker
> osc bco security/parsec
> osc bco utilities/bottom

@Maintainers, could you please submit an update of the package(s) you maintain to a version that uses the Regex crate >v1.5.5? :)
Comment 12 Guillaume GARDET 2022-03-16 10:42:05 UTC
security/parsec: upstream maintainers are already aware: https://github.com/parallaxsecond/parsec/issues/587

Next release (1.0.0) may not have the fix.
Comment 13 Olaf Hering 2022-03-16 10:44:36 UTC
Update requested: https://github.com/aws/aws-nitro-enclaves-cli/issues/359
Comment 14 Martin Sirringhaus 2022-03-16 10:50:12 UTC
git-delta update request: https://github.com/dandavison/delta/pull/1015
Comment 15 OBSbugzilla Bot 2022-03-16 16:40:04 UTC
This is an autogenerated message for OBS integration:
This bug (1196972) was mentioned in
https://build.opensuse.org/request/show/962238 Backports:SLE-15-SP4 / firecracker
Comment 16 Adam Mizerski 2022-03-16 18:34:08 UTC
Update requested: https://gitlab.freedesktop.org/pipewire/helvum/-/issues/60
Comment 20 Jan Zerebecki 2022-03-17 13:27:59 UTC
https://github.com/coreos/afterburn/pull/723
Comment 22 OBSbugzilla Bot 2022-03-17 14:20:03 UTC
This is an autogenerated message for OBS integration:
This bug (1196972) was mentioned in
https://build.opensuse.org/request/show/962474 Factory / aws-nitro-enclaves-cli
Comment 27 OBSbugzilla Bot 2022-03-31 09:50:03 UTC
This is an autogenerated message for OBS integration:
This bug (1196972) was mentioned in
https://build.opensuse.org/request/show/966164 Backports:SLE-15-SP4 / parsec-tool
Comment 28 OBSbugzilla Bot 2022-05-09 10:40:03 UTC
This is an autogenerated message for OBS integration:
This bug (1196972) was mentioned in
https://build.opensuse.org/request/show/975746 Factory / pijul
Comment 29 Marcus Meissner 2022-09-22 07:24:52 UTC
from my crates script on SLE:

SUSE:SLE-15-SP2:Update,librsvg,regex,1.4.5
SUSE:SLE-15-SP3:Update:Products:MicroOS52:Update,afterburn,regex,1.5.4
SUSE:SLE-15-SP3:Update,rustup,regex,1.5.4
SUSE:SLE-15-SP3:Update,sccache,regex,1.5.4
SUSE:SLE-15-SP4:Update,aws-nitro-enclaves-cli,regex,1.5.4
SUSE:SLE-15-SP4:Update,cargo-c,regex,1.5.4
SUSE:SLE-15-SP4:Update,gstreamer-plugins-rs,regex,1.5.4
SUSE:SLE-15-SP4:Update,librsvg,regex,1.5.4
SUSE:SLE-15-SP4:Update,rav1e,regex,1.5.4
SUSE:SLE-15-SP4:Update,rustup,regex,1.5.4
SUSE:SLE-15-SP4:Update,sccache,regex,1.5.4
SUSE:SLE-15:Update,librsvg,regex,0.2.11

I added those as affected to the SMASH issue.
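An added example (not code from this bug report, from the SUSE crates script, or from any of the listed projects) that performs the check behind the rows above: read a Cargo.lock, find `regex` entries older than the fixed 1.5.5, and emit them as the same `project,package,crate,version` lines. It assumes the simple `key = "value"` layout Cargo writes into lock files; `SAMPLE_LOCK` is a constructed lock, not one shipped by any package.

```rust
// Scan a Cargo.lock for vendored `regex` crates affected by CVE-2022-24713
// (RUSTSEC-2022-0013): every release up to and including 1.5.4; 1.5.5 has the fix.
const FIXED: (u64, u64, u64) = (1, 5, 5);

/// Parse "MAJOR.MINOR.PATCH" into a comparable tuple. Pre-release and build
/// suffixes ("1.5.5-beta.1", "1.5.5+meta") are dropped for this check (assumption).
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c| c == '-' || c == '+').next()?;
    let mut it = core.split('.').map(|p| p.parse::<u64>().ok());
    Some((it.next()??, it.next()??, it.next()??))
}

/// Minimal Cargo.lock reader: collect (name, version) from each [[package]] table.
/// Only the `name = "..."` and `version = "..."` lines Cargo emits are understood.
fn lock_packages(lock: &str) -> Vec<(String, String)> {
    let mut out = Vec::new();
    let (mut name, mut version): (Option<String>, Option<String>) = (None, None);
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            // A new table starts: flush the previous package, if it was complete.
            if let (Some(n), Some(v)) = (name.take(), version.take()) {
                out.push((n, v));
            }
        } else if let Some(rest) = line.strip_prefix("name = ") {
            name = Some(rest.trim_matches('"').to_string());
        } else if let Some(rest) = line.strip_prefix("version = ") {
            version = Some(rest.trim_matches('"').to_string());
        }
    }
    if let (Some(n), Some(v)) = (name, version) {
        out.push((n, v));
    }
    out
}

/// One "project,package,crate,version" row per vulnerable regex entry found.
/// An unparseable version is reported as vulnerable rather than silently skipped.
fn vulnerable_regex_rows(project: &str, package: &str, lock: &str) -> Vec<String> {
    lock_packages(lock)
        .into_iter()
        .filter(|(n, v)| n == "regex" && parse_version(v).map_or(true, |p| p < FIXED))
        .map(|(n, v)| format!("{},{},{},{}", project, package, n, v))
        .collect()
}

// Constructed sample lock file: one vulnerable regex plus unrelated crates.
const SAMPLE_LOCK: &str = "version = 3\n\n[[package]]\nname = \"aho-corasick\"\nversion = \"0.7.18\"\n\n[[package]]\nname = \"regex\"\nversion = \"1.5.4\"\ndependencies = [\n \"aho-corasick\",\n]\n\n[[package]]\nname = \"example-app\"\nversion = \"0.1.0\"\n";

fn main() {
    for row in vulnerable_regex_rows("SUSE:SLE-15-SP4:Update", "sccache", SAMPLE_LOCK) {
        println!("{}", row);
    }
}
```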
Comment 30 William Brown 2022-09-26 05:27:49 UTC
(In reply to Marcus Meissner from comment #29)

I am not the owner of the following, and their respective maintainers will need to be contacted to have these updated.

> 
> SUSE:SLE-15-SP2:Update,librsvg,regex,1.4.5
> SUSE:SLE-15-SP3:Update:Products:MicroOS52:Update,afterburn,regex,1.5.4
> SUSE:SLE-15-SP4:Update,aws-nitro-enclaves-cli,regex,1.5.4
> SUSE:SLE-15-SP4:Update,cargo-c,regex,1.5.4
> SUSE:SLE-15-SP4:Update,gstreamer-plugins-rs,regex,1.5.4
> SUSE:SLE-15-SP4:Update,librsvg,regex,1.5.4
> SUSE:SLE-15-SP4:Update,rav1e,regex,1.5.4
> SUSE:SLE-15:Update,librsvg,regex,0.2.11


I am the owner of the following and will update them ASAP.

> SUSE:SLE-15-SP3:Update,rustup,regex,1.5.4
> SUSE:SLE-15-SP3:Update,sccache,regex,1.5.4
> SUSE:SLE-15-SP4:Update,rustup,regex,1.5.4
> SUSE:SLE-15-SP4:Update,sccache,regex,1.5.4
Comment 31 Thomas Leroy 2022-09-26 15:16:27 UTC
(In reply to William Brown from comment #30)
> (In reply to Marcus Meissner from comment #29)
> 
> I am not the owner of the following, and their respective maintainers will
> need to be contacted to have these updated.
> 

gnome-bugs@suse.de
> > SUSE:SLE-15-SP2:Update,librsvg,regex,1.4.5
> > SUSE:SLE-15-SP4:Update,librsvg,regex,1.5.4
> > SUSE:SLE-15:Update,librsvg,regex,0.2.11
> > SUSE:SLE-15-SP4:Update,rav1e,regex,1.5.4

microos-bugs@suse.de
> > SUSE:SLE-15-SP3:Update:Products:MicroOS52:Update,afterburn,regex,1.5.4

kvm-bugs@suse.de
> > SUSE:SLE-15-SP4:Update,aws-nitro-enclaves-cli,regex,1.5.4

alarrosa@suse.com
> > SUSE:SLE-15-SP4:Update,cargo-c,regex,1.5.4
> > SUSE:SLE-15-SP4:Update,gstreamer-plugins-rs,regex,1.5.4
Comment 34 Swamp Workflow Management 2022-11-11 20:48:38 UTC
SUSE-SU-2022:3949-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1194119,1196972
CVE References: CVE-2021-45710,CVE-2022-24713
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    rustup-1.25.1~0-150300.7.13.2
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    rustup-1.25.1~0-150300.7.13.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 35 Swamp Workflow Management 2022-11-18 17:23:45 UTC
SUSE-SU-2022:4073-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1181400,1194119,1196972
CVE References: CVE-2021-45710,CVE-2022-24713
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    sccache-0.3.0~git5.14a4b8b-150300.7.9.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    sccache-0.3.0~git5.14a4b8b-150300.7.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.