Ubuntu Security Notice USN-5610-1

Ubuntu Security Notice 5610-1 - Addison Crump discovered that rust-regex did not properly limit the complexity of the regular expressions it parses. An attacker could possibly use this issue to cause a denial of service.

Packet Storm

==========================================================================
Ubuntu Security Notice USN-5610-1
September 14, 2022

rust-regex vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 22.04 LTS
  • Ubuntu 20.04 LTS

Summary:

rust-regex could be made to crash if it received specially crafted
input.

Software Description:

  • rust-regex: Regular expressions for Rust

Details:

Addison Crump discovered that rust-regex did not properly limit
the complexity of the regular expressions (regex) it parses.
An attacker could possibly use this issue to cause a denial of
service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS:
librust-regex-dev 1.5.4-1ubuntu0.1

Ubuntu 20.04 LTS:
librust-regex-dev 1.2.1-3ubuntu0.1

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-5610-1
CVE-2022-24713

Package Information:
https://launchpad.net/ubuntu/+source/rust-regex/1.5.4-1ubuntu0.1
https://launchpad.net/ubuntu/+source/rust-regex/1.2.1-3ubuntu0.1

Related news

CVE-2022-1196: Security Vulnerabilities fixed in Thunderbird 91.8

After a VR Process is destroyed, a reference to it may have been retained and used, leading to a use-after-free and potentially exploitable crash. This vulnerability affects Thunderbird < 91.8 and Firefox ESR < 91.8.

CVE-2022-28287: Security Vulnerabilities fixed in Firefox 99

In unusual circumstances, selecting text could cause text selection caching to behave incorrectly, leading to a crash. This vulnerability affects Firefox < 99.

Gentoo Linux Security Advisory 202208-14

Gentoo Linux Security Advisory 202208-14 - Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. Versions less than 91.12.0 are affected.

Gentoo Linux Security Advisory 202208-08

Gentoo Linux Security Advisory 202208-08 - Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in the arbitrary execution of code. Versions less than 91.12.0:esr are affected.

CVE-2022-24713

regex is an implementation of regular expressions for the Rust language. The regex crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it's considered part of the crate's API. Unfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes from taking an arbitrary amount of time during parsing, and it's possible to craft regexes that bypass such mitigations. This makes it possible to perform denial of service attacks by sending specially crafted regexes to services accepting user-controlled, untrusted regexes. All versions of the regex crate before or equal to 1.5.4 are affected by this issue. The fix is included starting from regex 1.5.5. All users accepting user-controlled regexes are recommended to upgrade immediately to the latest version of the regex cra...
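The advisory's Details section says rust-regex did not properly limit the complexity of the regular expressions it parses, and the CVE description above explains that the crate's own tunable size limits are the mitigation the bug bypassed. The fix is the package upgrade; a service that accepts user-controlled patterns can additionally keep an independent budget of its own in front of whatever engine compiles them, so that a single defect in the engine's limit does not leave the service with no limit at all. The Rust code below is an added example written for this page, not code from the regex crate, from Ubuntu, or from the advisory: a small recursive-descent walk over the pattern that computes a conservative slot count, multiplying through counted repetitions so that nested `{n}` bounds and repeated empty groups are charged for what they would expand to rather than for their textual length. The grammar subset, the cost constants, the nesting cap and the names `estimate_size` and `check_pattern` are assumptions of the example.

```rust
// Added illustration, not the regex crate's own code: a conservative slot count for an
// untrusted pattern, computed before it reaches any regex engine. The budget plays the
// role of the crate's tunable size limit; the cost constants and the grammar subset are
// assumptions, and anything the estimator does not model (e.g. a `(?:` prefix) is
// counted as literal slots, which only overestimates.
const UNBOUNDED_COST: usize = 2; // `*`, `+`, `?` compile to a fixed loop: body counts twice
const MAX_NESTING: usize = 32; // refuse absurdly deep group nesting before recursing into it

struct Parser<'a> { src: &'a [u8], pos: usize, depth: usize }

impl<'a> Parser<'a> {
    fn peek(&self) -> Option<u8> { self.src.get(self.pos).copied() }

    fn alternation(&mut self) -> Result<usize, &'static str> { // concat ('|' concat)*: sizes add
        let mut total = self.concat()?;
        while self.peek() == Some(b'|') {
            self.pos += 1;
            total = total.checked_add(self.concat()?).ok_or("size overflow")?;
        }
        Ok(total)
    }

    fn concat(&mut self) -> Result<usize, &'static str> { // (atom repetition*)*: sizes add
        let mut total = 0usize;
        while let Some(c) = self.peek() {
            if c == b'|' || c == b')' { break; }
            let atom = self.atom()?;
            let repeated = self.repetition(atom)?;
            total = total.checked_add(repeated).ok_or("size overflow")?;
        }
        Ok(total)
    }

    fn atom(&mut self) -> Result<usize, &'static str> { // group | class | escape | literal
        match self.peek() {
            Some(b'(') => {
                self.pos += 1;
                self.depth += 1;
                if self.depth > MAX_NESTING { return Err("nesting too deep"); }
                let inner = self.alternation()?;
                if self.peek() != Some(b')') { return Err("unbalanced parenthesis"); }
                self.pos += 1;
                self.depth -= 1;
                Ok(inner.max(1)) // even an empty group occupies a slot per repetition
            }
            Some(b'[') => {
                self.pos += 1; // character class: one slot, scanned through its closing ']'
                while let Some(c) = self.peek() {
                    self.pos += if c == b'\\' { 2 } else { 1 };
                    if c == b']' { return Ok(1); }
                }
                Err("unterminated character class")
            }
            Some(b'\\') if self.pos + 1 < self.src.len() => { self.pos += 2; Ok(1) }
            Some(b'\\') => Err("dangling escape"),
            Some(_) => { self.pos += 1; Ok(1) }
            None => Err("unexpected end of pattern"),
        }
    }

    // ('*' | '+' | '?' | '{n}' | '{n,}' | '{n,m}') with optional lazy '?': size multiplies
    fn repetition(&mut self, atom: usize) -> Result<usize, &'static str> {
        let mut size = atom;
        loop {
            let factor = match self.peek() {
                Some(b'*') | Some(b'+') | Some(b'?') => { self.pos += 1; UNBOUNDED_COST }
                Some(b'{') => match self.counted_bound() { Some(n) => n, None => break },
                _ => break,
            };
            if self.peek() == Some(b'?') { self.pos += 1; } // lazy modifier
            size = size.checked_mul(factor).ok_or("size overflow")?;
        }
        Ok(size)
    }

    // `{n}`, `{n,}` or `{n,m}` at the cursor: the larger bound (`{n,}` counts as n+1),
    // or None when the braces do not form a bound and the '{' is just a literal.
    fn counted_bound(&mut self) -> Option<usize> {
        let rest = &self.src[self.pos + 1..];
        let close = rest.iter().position(|&b| b == b'}')?;
        let body = std::str::from_utf8(&rest[..close]).ok()?;
        let (lo, hi): (usize, usize) = match body.split_once(',') {
            None => { let n = body.parse().ok()?; (n, n) }
            Some((l, "")) => { let n: usize = l.parse().ok()?; (n, n.checked_add(1)?) }
            Some((l, h)) => (l.parse().ok()?, h.parse().ok()?),
        };
        if hi < lo { return None; }
        self.pos += close + 2;
        Some(hi.max(1))
    }
}

/// Estimated slot count of `pattern`, or the reason it was rejected outright.
pub fn estimate_size(pattern: &str) -> Result<usize, &'static str> {
    let mut p = Parser { src: pattern.as_bytes(), pos: 0, depth: 0 };
    let size = p.alternation()?;
    if p.pos != p.src.len() { return Err("unbalanced parenthesis"); }
    Ok(size)
}

/// Gate for user-controlled patterns: accept only those within `budget` slots.
pub fn check_pattern(pattern: &str, budget: usize) -> Result<usize, &'static str> {
    estimate_size(pattern).and_then(|s| if s > budget { Err("pattern exceeds size budget") } else { Ok(s) })
}
```

Used as a gate, `check_pattern(user_pattern, budget)` runs in time linear in the pattern's length whatever bounds it contains, because bounds are multiplied into the count rather than expanded, and arithmetic overflow, unbalanced groups and nesting deeper than `MAX_NESTING` are all rejected before anything is compiled. The count errs toward overestimating constructs the toy grammar does not model (a `(?:` prefix is charged as two literal slots), which is the safe direction for a budget check; it is a second line of defence beside, not a replacement for, the upgraded package and the engine's own limits.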
