Bugzilla – Bug 1196972
VUL-0: CVE-2022-24713: rust1.56,rust,rust1.55,rust1.59,rust1.54,rust1.57,rust1.43,rust1.53,rust1.58: regex crate is vulnerable to ReDoS
Last modified: 2024-09-09 16:04:55 UTC
CVE-2022-24713

regex is an implementation of regular expressions for the Rust language. The regex crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it's considered part of the crate's API.

Unfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes from taking an arbitrary amount of time during parsing, and it's possible to craft regexes that bypass such mitigations. This makes it possible to perform denial of service attacks by sending specially crafted regexes to services accepting user-controlled, untrusted regexes.

All versions of the regex crate before or equal to 1.5.4 are affected by this issue. The fix is included starting from regex 1.5.5. All users accepting user-controlled regexes are recommended to upgrade immediately to the latest version of the regex crate.

Unfortunately there is no fixed set of problematic regexes, as there are practically infinite regexes that could be crafted to exploit this vulnerability. Because of this, it is not recommended to deny known problematic regexes.

Upstream commit: https://github.com/rust-lang/regex/commit/ae70b41d4f46641dbc45c7a4f87954aea356283e

References:
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-24713
- https://github.com/rust-lang/regex/security/advisories/GHSA-m5pq-gvj9-9vr8
- https://github.com/rust-lang/regex/commit/ae70b41d4f46641dbc45c7a4f87954aea356283e
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24713
- https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw
It seems that every rust package that we ship contains the regex crate in the vendor, in a vulnerable version:
- SUSE:SLE-15:Update/rust
- SUSE:SLE-15-SP1:Update/rust
- SUSE:SLE-15-SP3:Update/rust
- SUSE:SLE-15-SP3:Update/rust1.43
- SUSE:SLE-15-SP3:Update/rust1.53
- SUSE:SLE-15-SP3:Update/rust1.54
- SUSE:SLE-15-SP3:Update/rust1.55
- SUSE:SLE-15-SP3:Update/rust1.56
- SUSE:SLE-15-SP3:Update/rust1.57

I can't find the sources of SUSE:SLE-15-SP3:Update/rust1.58 and SUSE:SLE-15-SP3:Update/rust1.59, but it's likely that they are also affected.
Thanks mate, I've updated the advisory-db and I'll start a scan of the repos ASAP. :)
Also worth saying it's only a risk if there is client-submitted regex patterns, so not all the packages that use regex will be vulnerable.
(In reply to William Brown from comment #2)
> Thanks mate, I've updated the advisory-db and I'll start a scan of the repos
> ASAP. :)

Perfect, many thanks William!

(In reply to William Brown from comment #3)
> Also worth saying it's only a risk if there is client-submitted regex
> patterns, so not all the packages that use regex will be vulnerable.

Yes, you're totally right. The exploitation really depends on the context here, but we have to assume that such a context exists somewhere...
- the following pkgs need SECURITY updates to address RUSTSEC-2022-0013 - svc setup
osc bco utilities/treefetch
osc bco utilities/macchina
osc bco X11:Wayland/tuigreet
osc bco devel:languages:rust/cargo-audit
osc bco network:utilities/rustscan
osc bco devel:languages:rust/sccache
osc bco Base:System/pleaser
osc bco network:idm/kanidm
osc bco utilities/fd
osc bco network:utilities/dog
osc bco security/rage-encryption
osc bco devel:languages:rust/rustup
osc bco X11:Wayland/wayshot
osc bco editors/neovim-gtk
osc bco multimedia:apps/spotifyd
osc bco science/juliaup

- the following pkgs need SECURITY updates to address RUSTSEC-2022-0013 - manual
osc bco utilities/ripgrep
osc bco GNOME:Factory/gnome-tour
osc bco mozilla:Factory/mozjs91
osc bco multimedia:apps/helvum
osc bco network:utilities/newsboat
osc bco devel:tools:scm/pijul
osc bco GNOME:Apps/Fragments
osc bco GNOME:Apps/gnome-podcasts
osc bco security/parsec-tool
osc bco devel:kubic:ignition/afterburn
osc bco utilities/onefetch
osc bco devel:languages:python/python-cryptography
osc bco utilities/tealdeer
osc bco Cloud:Tools/aws-nitro-enclaves-cli
osc bco utilities/git-delta
osc bco editors/tree-sitter
osc bco multimedia:apps/netease-cloud-music-gtk
osc bco devel:languages:python/python-maturin
osc bco multimedia:libs/gstreamer-plugins-rs
osc bco devel:languages:python/python-adblock
osc bco GNOME:Factory/librsvg
osc bco GNOME:Apps/fractal
osc bco mozilla:Factory/mozjs78
osc bco utilities/xsv
osc bco devel:openSUSE:Factory:Apps/zypp-gui
osc bco utilities/bat
osc bco benchmark/hyperfine
osc bco Virtualization/firecracker
osc bco security/parsec
osc bco utilities/bottom

I can start on the "svc setup" members, but we'll need to contact the maintainers for the packages in the "manual" section. Would you mind doing that part? I'm not sure what's the best way to mass bring people into this issue ....
This is an autogenerated message for OBS integration: This bug (1196972) was mentioned in https://build.opensuse.org/request/show/961976 Factory / rage-encryption
(In reply to William Brown from comment #5)
> - the following pkgs need SECURITY updates to address RUSTSEC-2022-0013 - manual
> osc bco utilities/ripgrep
> osc bco GNOME:Factory/gnome-tour
> osc bco mozilla:Factory/mozjs91
> osc bco multimedia:apps/helvum
> osc bco network:utilities/newsboat
> osc bco devel:tools:scm/pijul
> osc bco GNOME:Apps/Fragments
> osc bco GNOME:Apps/gnome-podcasts
> osc bco security/parsec-tool
> osc bco devel:kubic:ignition/afterburn
> osc bco utilities/onefetch
> osc bco devel:languages:python/python-cryptography
> osc bco utilities/tealdeer
> osc bco Cloud:Tools/aws-nitro-enclaves-cli
> osc bco utilities/git-delta
> osc bco editors/tree-sitter
> osc bco multimedia:apps/netease-cloud-music-gtk
> osc bco devel:languages:python/python-maturin
> osc bco multimedia:libs/gstreamer-plugins-rs
> osc bco devel:languages:python/python-adblock
> osc bco GNOME:Factory/librsvg
> osc bco GNOME:Apps/fractal
> osc bco mozilla:Factory/mozjs78
> osc bco utilities/xsv
> osc bco devel:openSUSE:Factory:Apps/zypp-gui
> osc bco utilities/bat
> osc bco benchmark/hyperfine
> osc bco Virtualization/firecracker
> osc bco security/parsec
> osc bco utilities/bottom

@Maintainers, could you please submit an update of the package(s) you maintain to a version that uses the Regex crate >v1.5.5? :)
security/parsec: upstream maintainers are already aware: https://github.com/parallaxsecond/parsec/issues/587 Next release (1.0.0) may not have the fix.
Update requested: https://github.com/aws/aws-nitro-enclaves-cli/issues/359
git-delta update request: https://github.com/dandavison/delta/pull/1015
This is an autogenerated message for OBS integration: This bug (1196972) was mentioned in https://build.opensuse.org/request/show/962238 Backports:SLE-15-SP4 / firecracker
Update requested: https://gitlab.freedesktop.org/pipewire/helvum/-/issues/60
https://github.com/coreos/afterburn/pull/723
This is an autogenerated message for OBS integration: This bug (1196972) was mentioned in https://build.opensuse.org/request/show/962474 Factory / aws-nitro-enclaves-cli
Update requests:
bat - https://github.com/sharkdp/bat/issues/2125
newsboat - https://github.com/newsboat/newsboat/issues/2008
onefetch - https://github.com/o2sh/onefetch/issues/619
This is an autogenerated message for OBS integration: This bug (1196972) was mentioned in https://build.opensuse.org/request/show/966164 Backports:SLE-15-SP4 / parsec-tool
This is an autogenerated message for OBS integration: This bug (1196972) was mentioned in https://build.opensuse.org/request/show/975746 Factory / pijul
From my crates script on SLE:

SUSE:SLE-15-SP2:Update,librsvg,regex,1.4.5
SUSE:SLE-15-SP3:Update:Products:MicroOS52:Update,afterburn,regex,1.5.4
SUSE:SLE-15-SP3:Update,rustup,regex,1.5.4
SUSE:SLE-15-SP3:Update,sccache,regex,1.5.4
SUSE:SLE-15-SP4:Update,aws-nitro-enclaves-cli,regex,1.5.4
SUSE:SLE-15-SP4:Update,cargo-c,regex,1.5.4
SUSE:SLE-15-SP4:Update,gstreamer-plugins-rs,regex,1.5.4
SUSE:SLE-15-SP4:Update,librsvg,regex,1.5.4
SUSE:SLE-15-SP4:Update,rav1e,regex,1.5.4
SUSE:SLE-15-SP4:Update,rustup,regex,1.5.4
SUSE:SLE-15-SP4:Update,sccache,regex,1.5.4
SUSE:SLE-15:Update,librsvg,regex,0.2.11

I added those as affected to the SMASH issue.
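The check behind the vendored-crate scan in comments #1 and #29 (does a package's lock file pin a regex crate older than 1.5.5?) can be scripted against a Cargo.lock. This is an added example, not the script used in this bug: it parses the `[[package]]` entries itself rather than depending on a TOML library, and the Cargo.lock fragment is constructed for illustration.

```python
import re

# Constructed Cargo.lock fragment (not taken from any package in this bug).
SAMPLE_CARGO_LOCK = """\
[[package]]
name = "regex"
version = "1.5.4"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "regex-syntax"
version = "0.6.25"

[[package]]
name = "serde"
version = "1.0.136"
"""

# First regex release carrying the fix for CVE-2022-24713 / RUSTSEC-2022-0013.
FIXED_REGEX_VERSION = (1, 5, 5)


def parse_version(version):
    """Turn '1.5.4' into (1, 5, 4); any pre-release or build suffix is dropped."""
    core = version.split("-")[0].split("+")[0]
    return tuple(int(part) for part in core.split("."))


def locked_packages(lock_text):
    """Yield (name, version) for every [[package]] entry in a Cargo.lock."""
    for block in lock_text.split("[[package]]")[1:]:
        name = re.search(r'^name\s*=\s*"([^"]+)"', block, re.M)
        version = re.search(r'^version\s*=\s*"([^"]+)"', block, re.M)
        if name and version:
            yield name.group(1), version.group(1)


def vulnerable_regex_versions(lock_text):
    """Return every locked regex version older than 1.5.5 (a lock file may pin several)."""
    return [v for n, v in locked_packages(lock_text)
            if n == "regex" and parse_version(v) < FIXED_REGEX_VERSION]


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CARGO_LOCK
    for v in vulnerable_regex_versions(text):
        print(f"regex {v} is affected by RUSTSEC-2022-0013 / CVE-2022-24713")
```

Run it as `python3 check_regex.py path/to/vendor/Cargo.lock`; no output means no affected regex version is pinned.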
(In reply to Marcus Meissner from comment #29)

I am not the owner of the following, and their respective maintainers will need to be contacted to have these updated.

> SUSE:SLE-15-SP2:Update,librsvg,regex,1.4.5
> SUSE:SLE-15-SP3:Update:Products:MicroOS52:Update,afterburn,regex,1.5.4
> SUSE:SLE-15-SP4:Update,aws-nitro-enclaves-cli,regex,1.5.4
> SUSE:SLE-15-SP4:Update,cargo-c,regex,1.5.4
> SUSE:SLE-15-SP4:Update,gstreamer-plugins-rs,regex,1.5.4
> SUSE:SLE-15-SP4:Update,librsvg,regex,1.5.4
> SUSE:SLE-15-SP4:Update,rav1e,regex,1.5.4
> SUSE:SLE-15:Update,librsvg,regex,0.2.11

I am the owner of the following and will update them ASAP.

> SUSE:SLE-15-SP3:Update,rustup,regex,1.5.4
> SUSE:SLE-15-SP3:Update,sccache,regex,1.5.4
> SUSE:SLE-15-SP4:Update,rustup,regex,1.5.4
> SUSE:SLE-15-SP4:Update,sccache,regex,1.5.4
(In reply to William Brown from comment #30)
> (In reply to Marcus Meissner from comment #29)
>
> I am not the owner of the following, and their respective maintainers will
> need to be contacted to have these updated.

gnome-bugs@suse.de
> > SUSE:SLE-15-SP2:Update,librsvg,regex,1.4.5
> > SUSE:SLE-15-SP4:Update,librsvg,regex,1.5.4
> > SUSE:SLE-15:Update,librsvg,regex,0.2.11
> > SUSE:SLE-15-SP4:Update,rav1e,regex,1.5.4

microos-bugs@suse.de
> > SUSE:SLE-15-SP3:Update:Products:MicroOS52:Update,afterburn,regex,1.5.4

kvm-bugs@suse.de
> > SUSE:SLE-15-SP4:Update,aws-nitro-enclaves-cli,regex,1.5.4

alarrosa@suse.com
> > SUSE:SLE-15-SP4:Update,cargo-c,regex,1.5.4
> > SUSE:SLE-15-SP4:Update,gstreamer-plugins-rs,regex,1.5.4
SUSE-SU-2022:3949-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1194119,1196972
CVE References: CVE-2021-45710,CVE-2022-24713
JIRA References:
Sources used:
openSUSE Leap 15.3 (src): rustup-1.25.1~0-150300.7.13.2
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src): rustup-1.25.1~0-150300.7.13.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:4073-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1181400,1194119,1196972
CVE References: CVE-2021-45710,CVE-2022-24713
JIRA References:
Sources used:
openSUSE Leap 15.3 (src): sccache-0.3.0~git5.14a4b8b-150300.7.9.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src): sccache-0.3.0~git5.14a4b8b-150300.7.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:1844-1: An update that solves two vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1196972, 1208555
CVE References: CVE-2022-24713, CVE-2022-31394
Sources used:
openSUSE Leap 15.4 (src): aws-nitro-enclaves-cli-1.2.2~git0.4ccc639-150400.3.3.1
Public Cloud Module 15-SP4 (src): aws-nitro-enclaves-cli-1.2.2~git0.4ccc639-150400.3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3526-1: An update that solves four vulnerabilities and has one security fix can now be installed.

Category: security (important)
Bug References: 1181400, 1194119, 1196972, 1208553, 1212407
CVE References: CVE-2021-45710, CVE-2022-24713, CVE-2022-31394, CVE-2023-1521
Sources used:
openSUSE Leap 15.4 (src): sccache-0.4.2~3-150400.3.3.1
openSUSE Leap 15.5 (src): sccache-0.4.2~3-150400.3.3.1
Development Tools Module 15-SP4 (src): sccache-0.4.2~3-150400.3.3.1
Development Tools Module 15-SP5 (src): sccache-0.4.2~3-150400.3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
This is an autogenerated message for OBS integration: This bug (1196972) was mentioned in https://build.opensuse.org/request/show/1133800 Backports:SLE-15-SP5 / kanidm
This is an autogenerated message for OBS integration: This bug (1196972) was mentioned in https://build.opensuse.org/request/show/1180285 Backports:SLE-15-SP6 / kanidm
This is an autogenerated message for OBS integration: This bug (1196972) was mentioned in https://build.opensuse.org/request/show/1192072 Backports:SLE-15-SP6 / kanidm
This is an autogenerated message for OBS integration: This bug (1196972) was mentioned in https://build.opensuse.org/request/show/1192441 Backports:SLE-15-SP6 / kanidm
This is an autogenerated message for OBS integration: This bug (1196972) was mentioned in https://build.opensuse.org/request/show/1193079 Backports:SLE-15-SP6 / kanidm
This is an autogenerated message for OBS integration: This bug (1196972) was mentioned in https://build.opensuse.org/request/show/1194807 Backports:SLE-15-SP6 / kanidm
openSUSE-SU-2024:0294-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1191031,1194119,1196972,1210356
CVE References: CVE-2021-45710,CVE-2022-24713,CVE-2023-26964
JIRA References:
Sources used:
openSUSE Backports SLE-15-SP6 (src): kanidm-1.3.3~git0.f075d13-bp156.4.1