Update regex crate in-tree to 1.5.5
Categories: Core :: General, enhancement, P1
People: Reporter: janerik, Assigned: janerik
Keywords: csectype-dos, sec-low; Whiteboard: [adv-main99+][adv-esr91.8+]
Attachments (2 files):
- 48 bytes, text/x-phabricator-request (dmeehan: approval-mozilla-beta+; RyanVM: approval-mozilla-esr91+)
- 332 bytes, text/plain
As per https://blog.rust-lang.org/2022/03/08/cve-2022-24713.html (CVE-2022-24713) the regex crate is vulnerable to DoS attacks as it didn't properly limit the complexity of expressions it parses.
This is fixed in 1.5.5.
I don't know where and how we use the crate in Gecko.
Cargo.toml in tree: https://searchfox.org/mozilla-central/rev/15f12b0c6c56b449304f6cb1f84ac4df84dc936a/third_party/rust/regex/Cargo.toml#16
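The two questions this report leaves open are whether the vendored version is below the fixed one and which crates actually pull regex in. The following is an added example, not code from the bug, the reporter, or mozilla-central: a std-only Rust scanner for the subset of TOML that Cargo.lock uses, which reports every locked version of a named crate below a given fixed version together with the packages that depend on it. The lock file content, the crate names `some-gecko-component` and `build-tool`, and the version numbers are constructed for the example (the only real data point is the 1.5.5 fix version from the description).

```rust
// Added example: scan a Cargo.lock for a dependency below its fixed version
// and list the packages that depend on it. Not Mozilla code.
use std::collections::BTreeMap;

#[derive(Debug, Default, Clone)]
struct Package {
    name: String,
    version: String,
    dependencies: Vec<String>,
}

/// Minimal parser for the `[[package]]` tables in a Cargo.lock (assumed format:
/// `key = "value"` lines plus a multi-line `dependencies = [ ... ]` array).
fn parse_lock(lock: &str) -> Vec<Package> {
    let mut packages: Vec<Package> = Vec::new();
    let mut current: Option<Package> = None;
    let mut in_deps = false;
    for raw in lock.lines() {
        let line = raw.trim();
        if line == "[[package]]" {
            if let Some(p) = current.take() {
                packages.push(p);
            }
            current = Some(Package::default());
            in_deps = false;
            continue;
        }
        let pkg = match current.as_mut() {
            Some(p) => p,
            None => continue, // header lines before the first [[package]]
        };
        if in_deps {
            if line.starts_with(']') {
                in_deps = false;
            } else {
                // Entries are `"name"` or `"name x.y.z"` when several versions are locked.
                let dep = line.trim_matches(|c: char| c == '"' || c == ',');
                if !dep.is_empty() {
                    pkg.dependencies.push(dep.to_string());
                }
            }
            continue;
        }
        if let Some((key, value)) = line.split_once(" = ") {
            match key {
                "name" => pkg.name = value.trim_matches('"').to_string(),
                "version" => pkg.version = value.trim_matches('"').to_string(),
                "dependencies" => in_deps = value.trim() == "[",
                _ => {} // source, checksum: not needed for this check
            }
        }
    }
    if let Some(p) = current.take() {
        packages.push(p);
    }
    packages
}

/// Parse "major.minor.patch"; pre-release/build suffixes are stripped, which is
/// fine for registry entries (plain x.y.z) but would misjudge "1.5.5-beta" as fixed.
fn parse_semver(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c: char| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    let major = parts.next()??;
    let minor = parts.next()??;
    let patch = parts.next()??;
    Some((major, minor, patch))
}

/// Map each locked version of `crate_name` that is below `fixed` to the sorted
/// list of packages depending on it. Unparsable versions are reported, not skipped.
fn vulnerable_uses(
    packages: &[Package],
    crate_name: &str,
    fixed: (u64, u64, u64),
) -> BTreeMap<String, Vec<String>> {
    let mut report = BTreeMap::new();
    for pkg in packages.iter().filter(|p| p.name == crate_name) {
        if let Some(v) = parse_semver(&pkg.version) {
            if v >= fixed {
                continue;
            }
        }
        let qualified = format!("{} {}", crate_name, pkg.version);
        let mut users: Vec<String> = packages
            .iter()
            .filter(|p| p.dependencies.iter().any(|d| d == crate_name || *d == qualified))
            .map(|p| format!("{} {}", p.name, p.version))
            .collect();
        users.sort();
        report.insert(pkg.version.clone(), users);
    }
    report
}

/// Constructed sample lock file (not mozilla-central's real Cargo.lock).
const SAMPLE_LOCK: &str = r#"
[[package]]
name = "memchr"
version = "2.4.1"

[[package]]
name = "regex"
version = "1.5.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "memchr",
]

[[package]]
name = "some-gecko-component"
version = "0.1.0"
dependencies = [
 "regex",
]

[[package]]
name = "build-tool"
version = "0.2.0"
dependencies = [
 "regex",
]
"#;

fn main() {
    let packages = parse_lock(SAMPLE_LOCK);
    let report = vulnerable_uses(&packages, "regex", (1, 5, 5));
    if report.is_empty() {
        println!("every locked regex is >= 1.5.5");
    }
    for (version, users) in &report {
        println!("regex {} is below 1.5.5; pulled in by:", version);
        for user in users {
            println!("  {}", user);
        }
    }
}
```

Point it at a real tree by reading `Cargo.lock` into a string instead of `SAMPLE_LOCK`; the dependents list is what tells you whether the vulnerable crate is reachable from code that handles untrusted patterns or only from build tooling.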
Comment 2•3 years ago
Update regex crate to 1.5.5 r=emilio
https://hg.mozilla.org/integration/autoland/rev/ba7c9ff2d0b2750a14ec3a60118a6a0e82e799ae
https://hg.mozilla.org/mozilla-central/rev/ba7c9ff2d0b2
Comment 3•3 years ago
Not sure we really need to backport this if it's only a sec-low, but I kind of feel like we're going to see duplicate reports if we don't given the upstream CVE. This grafts cleanly to Beta and ESR, so IMO we might as well move forward with approval requests when you get a chance.
Comment 4•3 years ago
Should be a non-risky uplift, I agree.
For all I know we should not be vulnerable (at least a quick look through our code base didn't uncover anything), but better be safe than sorry.
Comment 5•3 years ago
Comment on attachment 9266858 [details]
Bug 1758509 - Update regex crate to 1.5.5 r?emilio,glandium
Beta/Release Uplift Approval Request
- User impact if declined: The regex crate has a vulnerability that can lead to a Denial of Service if exposed to malicious regular expressions. It's unlikely that we expose such a code path anywhere in the m-c codebase, but we didn't fully verify that this holds.
- Is this code covered by automated tests?: No
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Patch version update of a Rust dependency. The regex crate is only used internally, if at all. Unlikely that we even expose the vulnerable code path to users anywhere.
- String changes made/needed:
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: CVE for a Rust dependency, unlikely to be hit in our code base. It applies cleanly for both Beta and ESR and thus might just avoid us getting more reports about it.
- User impact if declined: The regex crate has a vulnerability that can lead to a Denial of Service if exposed to malicious regular expressions. It's unlikely that we expose such a code path anywhere in the m-c codebase, but we didn't fully verify that this holds.
- Fix Landed on Version: 100
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Patch version update of a Rust dependency. The regex crate is only used internally, if at all. Unlikely that we even expose the vulnerable code path to users anywhere.
Comment 6•3 years ago
Comment on attachment 9266858 [details]
Bug 1758509 - Update regex crate to 1.5.5 r?emilio,glandium
Approved for 99.0b3. Thanks.
Comment 7•3 years ago
uplift
Comment 8•3 years ago
Comment on attachment 9266858 [details]
Bug 1758509 - Update regex crate to 1.5.5 r?emilio,glandium
Approved for 91.8esr.
Comment 9•3 years ago
uplift