As soon as the fix lands in all Rust sub-releases, users can safely upgrade to the latest version of regex. We suggest avoiding user-controlled, untrusted regexes until the issue is resolved. The latest version of the regex crate can be found on Cargo.lock with the following commit message:

What to do if you're using a user-controlled, untrusted regex

To reduce the risk of unexpected behavior, we recommend that all users update to the latest version of the regex crate.

Upgrade to latest version using nightly build

If you're on a nightly build, use the following commands to compile your own version of regex:
rustup component add rust-lang-ci/rust-std-libs/rust-regex
rustup component add rust-lang/nightly

What to do if you are using a user-controlled, untrusted regex

If you are using a user-controlled, untrusted regex and have upgraded to the latest version of regex, you can safely use it again.

Not yet published

This issue was discovered by Remi Coulom. Thank you Remi for reporting it! The fix is currently being considered for Rust 1.30, but we'll update this announcement when the 1.30-release train leaves the station. We recommend that all users update to the latest version as soon.

Timeline

Published on: 03/08/2022 19:15:00 UTC
Last modified on: 08/10/2022 20:15:00 UTC
