Update Rust crate regex to 1.5.5 [SECURITY] #67
Open
renovate wants to merge 1 commit into master from renovate/crate-regex-vulnerability
Conversation
renovate bot force-pushed the renovate/crate-regex-vulnerability branch from dff02bb to 3f4d339 (October 9, 2024 11:05)
renovate bot changed the title from "Update Rust crate regex to 1.5.5 [SECURITY]" to "Update Rust crate regex to 1.11.0 [SECURITY]" (Oct 9, 2024)
renovate bot force-pushed the renovate/crate-regex-vulnerability branch from 3f4d339 to 0dff61c (October 9, 2024 13:03)
renovate bot changed the title from "Update Rust crate regex to 1.11.0 [SECURITY]" to "Update Rust crate regex to 1.5.5 [SECURITY]" (Oct 9, 2024)
renovate bot force-pushed the renovate/crate-regex-vulnerability branch from 0dff61c to 673dd64 (October 28, 2024 14:15)
renovate bot changed the title from "Update Rust crate regex to 1.5.5 [SECURITY]" to "Update Rust crate regex to 1.11.1 [SECURITY]" (Oct 28, 2024)
renovate bot force-pushed the renovate/crate-regex-vulnerability branch from 673dd64 to 4445c29 (October 28, 2024 15:58)
renovate bot changed the title from "Update Rust crate regex to 1.11.1 [SECURITY]" to "Update Rust crate regex to 1.5.5 [SECURITY]" (Oct 28, 2024)
renovate bot force-pushed the renovate/crate-regex-vulnerability branch from 4445c29 to 949ebb5 (October 30, 2024 10:45)
renovate bot changed the title from "Update Rust crate regex to 1.5.5 [SECURITY]" to "Update Rust crate regex to 1.11.1 [SECURITY]" (Oct 30, 2024)
renovate bot force-pushed the renovate/crate-regex-vulnerability branch from 949ebb5 to a60e697 (October 30, 2024 14:10)
renovate bot changed the title from "Update Rust crate regex to 1.11.1 [SECURITY]" to "Update Rust crate regex to 1.5.5 [SECURITY]" (Oct 30, 2024)
renovate bot force-pushed the renovate/crate-regex-vulnerability branch from a60e697 to 76caf21 (November 17, 2024 16:31)
renovate bot changed the title from "Update Rust crate regex to 1.5.5 [SECURITY]" to "Update Rust crate regex to 1.11.1 [SECURITY]" (Nov 17, 2024)
renovate bot force-pushed the renovate/crate-regex-vulnerability branch from 76caf21 to 6144851 (November 17, 2024 19:39)
renovate bot changed the title from "Update Rust crate regex to 1.11.1 [SECURITY]" to "Update Rust crate regex to 1.5.5 [SECURITY]" (Nov 17, 2024)
renovate bot force-pushed the renovate/crate-regex-vulnerability branch from 6144851 to d721f80 (December 2, 2024 10:04)
renovate bot changed the title from "Update Rust crate regex to 1.5.5 [SECURITY]" to "Update Rust crate regex to 1.11.1 [SECURITY]" (Dec 2, 2024)
renovate bot force-pushed the renovate/crate-regex-vulnerability branch from d721f80 to 0edc158 (December 2, 2024 14:51)
renovate bot changed the title from "Update Rust crate regex to 1.11.1 [SECURITY]" to "Update Rust crate regex to 1.5.5 [SECURITY]" (Dec 2, 2024)
renovate bot force-pushed the renovate/crate-regex-vulnerability branch from 0edc158 to 1e11382 (December 17, 2024 21:28)
renovate bot changed the title from "Update Rust crate regex to 1.5.5 [SECURITY]" to "Update Rust crate regex to 1.11.1 [SECURITY]" (Dec 17, 2024)
renovate bot force-pushed the renovate/crate-regex-vulnerability branch from 1e11382 to 63bb22a (December 18, 2024 00:43)
renovate bot changed the title from "Update Rust crate regex to 1.11.1 [SECURITY]" to "Update Rust crate regex to 1.5.5 [SECURITY]" (Dec 18, 2024)
renovate bot force-pushed the renovate/crate-regex-vulnerability branch from 63bb22a to 80a2731 (December 22, 2024 15:56)
renovate bot changed the title from "Update Rust crate regex to 1.5.5 [SECURITY]" to "Update Rust crate regex to 1.11.1 [SECURITY]" (Dec 22, 2024)
renovate bot force-pushed the renovate/crate-regex-vulnerability branch from 80a2731 to a69cb02 (December 22, 2024 19:24)
renovate bot changed the title from "Update Rust crate regex to 1.11.1 [SECURITY]" to "Update Rust crate regex to 1.5.5 [SECURITY]" (Dec 22, 2024)
This PR contains the following updates:
regex: 1.0 -> 1.5.5
GitHub Vulnerability Alerts
CVE-2022-24713
The Rust Security Response WG was notified that the `regex` crate did not properly limit the complexity of the regular expressions (regex) it parses. An attacker could use this security issue to perform a denial of service, by sending a specially crafted regex to a service accepting untrusted regexes. No known vulnerability is present when parsing untrusted input with trusted regexes.
This issue has been assigned CVE-2022-24713. The severity of this vulnerability is "high" when the `regex` crate is used to parse untrusted regexes. Other uses of the `regex` crate are not affected by this vulnerability.
Overview
The `regex` crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it's considered part of the crate's API.
Unfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes from taking an arbitrary amount of time during parsing, and it's possible to craft regexes that bypass such mitigations. This makes it possible to perform denial of service attacks by sending specially crafted regexes to services accepting user-controlled, untrusted regexes.
Affected versions
All versions of the `regex` crate before or equal to 1.5.4 are affected by this issue. The fix is included starting from `regex` 1.5.5.
Mitigations
We recommend everyone accepting user-controlled regexes to upgrade immediately to the latest version of the `regex` crate.
Unfortunately there is no fixed set of problematic regexes, as there are practically infinite regexes that could be crafted to exploit this vulnerability. Because of this, we do not recommend denying known problematic regexes.
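Because the advisory rules out a pattern denylist, the only check worth automating is the version check: is every copy of `regex` in the lockfile at or above 1.5.5, the first fixed release? The title of this PR alternates between 1.5.5 and 1.11.x, but the bar that matters is the minimum fixed version, whichever later release is eventually merged. The scanner below is an added example written for this page; it is not Renovate's code and not part of the `regex` crate. It assumes the standard `Cargo.lock` layout of `[[package]]` blocks with `name = "..."` and `version = "..."` lines, and reports every `regex` entry (a lockfile can carry several copies of one crate, pulled in by different dependents), so a patched top-level copy cannot mask an old transitive one. The sample lockfile is constructed for the example.

```rust
// Added example, not part of the Renovate PR or of the regex crate: scan a
// Cargo.lock for every `regex` package entry and compare it against the first
// fixed release for CVE-2022-24713 (1.5.5), using only the standard library.

/// First release that includes the fix (from the advisory: 1.5.5).
pub const FIXED_VERSION: (u64, u64, u64) = (1, 5, 5);

/// Parse the numeric core of a semver string. Pre-release and build metadata
/// ("1.5.5-beta.1", "1.5.5+build") are dropped; only major.minor.patch is compared.
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c: char| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    let major = parts.next()??;
    let minor = parts.next()??;
    let patch = parts.next()??;
    Some((major, minor, patch))
}

/// Close the current `[[package]]` block: if it was a `regex` entry, record its
/// version and whether it is at or above FIXED_VERSION.
fn record(name: &mut Option<String>, version: &mut Option<String>, out: &mut Vec<(String, bool)>) {
    if let (Some(n), Some(v)) = (name.take(), version.take()) {
        if n == "regex" {
            let fixed = parse_version(&v).map_or(false, |t| t >= FIXED_VERSION);
            out.push((v, fixed));
        }
    }
}

/// Every `regex` entry in the lockfile as (version, is_fixed). All copies are
/// reported, because a single old transitive copy is still a vulnerable one.
pub fn regex_entries(lock: &str) -> Vec<(String, bool)> {
    let mut out = Vec::new();
    let mut name: Option<String> = None;
    let mut version: Option<String> = None;
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            record(&mut name, &mut version, &mut out);
        } else if let Some(rest) = line.strip_prefix("name = ") {
            name = Some(rest.trim_matches('"').to_string());
        } else if let Some(rest) = line.strip_prefix("version = ") {
            version = Some(rest.trim_matches('"').to_string());
        }
    }
    record(&mut name, &mut version, &mut out); // flush the last block
    out
}

/// Constructed sample lockfile (not taken from the PR): one pre-fix copy of
/// regex beside one fixed copy, which is exactly the situation a top-level
/// `cargo update` can leave behind when a dependency pins an older version.
pub const SAMPLE_LOCK: &str = r#"# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "aho-corasick"
version = "0.7.18"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "regex"
version = "1.0.6"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "regex"
version = "1.11.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
"#;

fn main() {
    for (v, fixed) in regex_entries(SAMPLE_LOCK) {
        let verdict = if fixed { "ok (>= 1.5.5)" } else { "affected by CVE-2022-24713" };
        println!("regex {}: {}", v, verdict);
    }
}
```

Run it against a real project with `cargo run < Cargo.lock` after swapping `SAMPLE_LOCK` for `std::io::read_to_string(std::io::stdin())`; in CI the same check is what `cargo audit` performs against the RustSec database, and this scanner is only meant to show what that comparison reduces to.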
Acknowledgements
We want to thank Addison Crump for responsibly disclosing this to us according to the Rust security policy, and for helping review the fix.
We also want to thank Andrew Gallant for developing the fix, and Pietro Albini for coordinating the disclosure and writing this advisory.
Release Notes
rust-lang/regex (regex)
v1.5.5
Compare Source
==================
This releases fixes a security bug in the regex compiler. This bug permits a
vector for a denial-of-service attack in cases where the regex being compiled
is untrusted. There are no known problems where the regex is itself trusted,
including in cases of untrusted haystacks.
Fixes a bug in the regex compiler where empty sub-expressions subverted the
existing mitigations in place to enforce a size limit on compiled regexes.
The Rust Security Response WG published an advisory about this:
https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw
v1.5.4
Compare Source
==================
This release fixes another compilation failure when building regex. This time,
the fix is for when the `pattern` feature is enabled, which only works on
nightly Rust. CI has been updated to test this case.
Fix build when `pattern` feature is enabled.
v1.5.3
Compare Source
==================
This release fixes a bug when building regex with only the `unicode-perl`
feature. It turns out that while CI was building this configuration, it wasn't
actually failing the overall build on a failed compilation.
Fix build in `regex-syntax` when only the `unicode-perl` feature is enabled.
v1.5.2
Compare Source
==================
This release fixes a performance bug when Unicode word boundaries are used.
Namely, for certain regexes on certain inputs, it's possible for the lazy DFA
to stop searching (causing a fallback to a slower engine) when it doesn't
actually need to.
PR #768 fixes the bug, which was
originally reported in
ripgrep#1860.
v1.5.1
Compare Source
==================
This is a patch release that fixes a compilation error when the `perf-literal`
feature is not enabled.
v1.5.0
Compare Source
==================
This release primarily updates to Rust 2018 (finally) and bumps the MSRV to
Rust 1.41 (from Rust 1.28). Rust 1.41 was chosen because it's still reasonably
old, and is what's in Debian stable at the time of writing.
This release also drops this crate's own bespoke substring search algorithms
in favor of a new `memmem` implementation provided by the `memchr` crate.
This will change the performance profile of some regexes, sometimes getting a
little worse, and hopefully more frequently, getting a lot better. Please
report any serious performance regressions if you find them.
v1.4.6
Compare Source
==================
This is a small patch release that fixes the compiler's size check on how much
heap memory a regex uses. Previously, the compiler did not account for the
heap usage of Unicode character classes. Now it does. It's possible that this
may make some regexes fail to compile that previously did compile. If that
happens, please file an issue.
Some regexes can use more heap memory than one would expect.
v1.4.5
Compare Source
==================
This is a small patch release that fixes a regression in the size of a
`Regex` in the 1.4.4 release. Prior to 1.4.4, a `Regex` was 552 bytes. In the
1.4.4 release, it was 856 bytes due to internal changes. In this release, a
`Regex` is now 16 bytes. In general, the size of a `Regex` was never something
that was on my radar, but this increased size in the 1.4.4 release seems to have
crossed a threshold and resulted in stack overflows in some programs.
Fixes stack overflows seemingly caused by a large `Regex` size by decreasing
its size.
v1.4.4
Compare Source
==================
This is a small patch release that contains some bug fixes. Notably, it also
drops the `thread_local` (and `lazy_static`, via transitivity) dependencies.
Bug fixes:
Memory leaks caused by an internal caching strategy should now be fixed.
All regex types now implement `UnwindSafe` and `RefUnwindSafe`.
Add missing `Replacer` impls for `Vec<u8>`, `String`, `Cow`, etc.
v1.4.3
Compare Source
==================
This is a small patch release that adds some missing standard trait
implementations for some types in the public API.
Bug fixes:
Add `FusedIterator` and `ExactSizeIterator` impls to iterator types.
Add missing `Debug` impls to public API types.
v1.4.2
Compare Source
==================
This is a small bug fix release that bans `\P{any}`. We previously banned empty
classes like `[^\w\W]`, but missed the `\P{any}` case. In the future, we hope
to permit empty classes.
Ban `\P{any}` to avoid a panic in the regex compiler. Found by OSS-Fuzz.
v1.4.1
Compare Source
==================
This is a small bug fix release that makes `\p{cf}` work. Previously, it would
report "property not found" even though `cf` is a valid abbreviation for the
`Format` general category.
Fixes bug that prevented `\p{cf}` from working.
v1.4.0
Compare Source
==================
This releases has a few minor documentation fixes as well as some very minor
API additions. The MSRV remains at Rust 1.28 for now, but this is intended to
increase to at least Rust 1.41.1 soon.
This release also adds support for OSS-Fuzz. Kudos to
@DavidKorczynski
for doing the heavy lifting for that!
New features:
Support `[`, `]` and `.` in capture group names.
Add `is_empty` predicate to `RegexSet`.
Implement `Clone` for `SubCaptureMatches`.
Add `empty` constructor to `RegexSet` for convenience.
Bug fixes:
Fix doc example for `Replacer::replace_append`.
Clarify docs for `s` flag when using a `bytes::Regex`.
Clarify `is_match` docs to indicate that it can match anywhere in string.
v1.3.9
Compare Source
==================
This release fixes a MSRV (Minimum Support Rust Version) regression in the
1.3.8 release. Namely, while 1.3.8 compiles on Rust 1.28, it actually does not
compile on other Rust versions, such as Rust 1.39.
Bug fixes:
Remove use of `doc_comment` crate, which cannot be used before Rust 1.43.
v1.3.8
Compare Source
==================
This release contains a couple of important bug fixes driven
by better support for empty-subexpressions in regexes. For
example, regexes like `b|` are now allowed. Major thanks to
@sliquister for implementing support for this in #677.
Bug fixes:
Add note to documentation that spaces can be escaped in `x` mode.
Add support for empty sub-expressions, including empty alternations.
Fix match bug caused by an empty sub-expression miscompilation.
v1.3.7
Compare Source
==================
This release contains a small bug fix that fixes how `regex` forwards crate
features to `regex-syntax`. In particular, this will reduce recompilations in
some cases.
Bug fixes:
Fix feature forwarding to `regex-syntax`.
v1.3.6
Compare Source
==================
This release contains a sizable (~30%) performance improvement when compiling
some kinds of large regular expressions.
Performance improvements:
Improve performance of compiling large regular expressions.
v1.3.5
Compare Source
==================
This release updates this crate to Unicode 13.
New features:
Update `regex-syntax` to Unicode 13.
v1.3.4
Compare Source
==================
This is a small bug fix release that fixes a bug related to the scoping of
flags in a regex. Namely, before this fix, a regex like `((?i)a)b)` would
match `aB` despite the fact that `b` should not be matched case insensitively.
Bug fixes:
Fix bug related to the scoping of flags in a regex.
v1.3.3
Compare Source
==================
This is a small maintenance release that upgrades the dependency on
`thread_local` from `0.3` to `1.0`. The minimum supported Rust version remains
at Rust 1.28.
v1.3.2
Compare Source
==================
This is a small maintenance release with some house cleaning and bug fixes.
New features:
Add a `Match::range` method and a `From<Match> for Range` impl.
Bug fixes:
Corrects `/-/.splitn("a", 2)` to return `["a"]` instead of `["a", ""]`.
Improve error reporting when writing `\p\`.
Corrects `/-/.split("a-")` to return `["a", ""]` instead of `["a"]`.
Squash deprecation warnings for the `std::error::Error::description` method.
v1.3.1
Compare Source
==================
This is a maintenance release with no changes in order to try to work-around
a docs.rs/Cargo issue.
v1.3.0
Compare Source
==================
This release adds a plethora of new crate features that permit users of regex
to shrink its size considerably, in exchange for giving up either functionality
(such as Unicode support) or runtime performance. When all such features are
disabled, the dependency tree for `regex` shrinks to exactly 1 crate
(`regex-syntax`). More information about the new crate features can be
found in the docs.
Note that while this is a new minor version release, the minimum supported
Rust version for this crate remains at `1.28.0`.
New features:
The `use_std` feature has been deprecated in favor of the `std` feature. The
`use_std` feature will be removed in regex 2. Until then, `use_std` will
remain as an alias for the `std` feature.
Add a substantial number of crate features shrinking `regex`.
v1.2.1
Compare Source
==================
This release does a bit of house cleaning. Namely:
Rust project.
`regex` crate, and is now part of the `aho-corasick` crate. See
`aho-corasick`'s new `packed` sub-module for details.
The `utf8-ranges` crate has been deprecated, with its functionality moving into
the `utf8` sub-module of `regex-syntax`.
The `ucd-util` dependency has been dropped, in favor of implementing what
little we need inside of `regex-syntax` itself.
In general, this is part of an ongoing (long term) effort to make optimizations
in the regex engine easier to reason about. The current code is too convoluted
and thus it is very easy to introduce new bugs. This simplification effort is
the primary motivation behind re-working the `aho-corasick` crate to not only
bundle algorithms like Teddy, but to also provide regex-like match semantics
automatically.
Moving forward, the plan is to join up with the `bstr` and `regex-automata`
crates, with the former providing more sophisticated substring search
algorithms (thereby deleting existing code in `regex`) and the latter providing
ahead-of-time compiled DFAs for cases where they are inexpensive to compute.
v1.2.0
Compare Source
==================
This release updates regex's minimum supported Rust version to 1.28, which was
released almost 1 year ago. This release also updates regex's Unicode data
tables to 12.1.0.
v1.1.9
Compare Source
==================
This release contains a bug fix that caused regex's tests to fail, due to a
dependency on an unreleased behavior in regex-syntax.
Move an integration-style test on error messages into regex-syntax.
v1.1.8
Compare Source
==================
This release contains a few small internal refactorings. One of which fixes
an instance of undefined behavior in a part of the SIMD code.
Bug fixes:
Improves error messages when a repetition operator is used without a number.
Removes use of a repr(Rust) union used for type punning in the Teddy matcher.
Update docs for running benchmarks and improve failure modes.
v1.1.7
Compare Source
==================
This release fixes up a few warnings as a result of recent deprecations.
v1.1.6
Compare Source
==================
This release fixes a regression introduced by a bug fix (for
BUG #557) which could cause
the regex engine to enter an infinite loop. This bug was originally
reported against ripgrep.
v1.1.5
Compare Source
==================
This release fixes a bug in regex's dependency specification where it requires
a newer version of regex-syntax, but this wasn't communicated correctly in the
Cargo.toml. This would have been caught by a minimal version check, but this
check was disabled because the `rand` crate itself advertises incorrect
dependency specifications.
Bug fixes:
Fix regex-syntax minimal version.
v1.1.4
Compare Source
==================
This release fixes a backwards compatibility regression where Regex was no
longer UnwindSafe. This was caused by the upgrade to aho-corasick 0.7, whose
AhoCorasick type was itself not UnwindSafe. This has been fixed in aho-corasick
0.7.4, which we now require.
Bug fixes:
Fix an API regression where Regex was no longer UnwindSafe.
v1.1.3
Compare Source
==================
This release fixes a few bugs and adds a performance improvement when a regex
is a simple alternation of literals.
Performance improvements:
Upgrades `aho-corasick` to 0.7 and uses it for `foo|bar|...|quux` regexes.
Bug fixes:
Fix a bug where the parser would panic on patterns like `((?x))`.
Fix a bug where the parser would panic on patterns like `(?m){1,1}`.
Fix a bug where captures could lead to an incorrect match.
v1.1.2
Compare Source
==================
This release fixes a bug found in the fix introduced in 1.1.1.
Bug fixes:
Fix bug introduced in reverse suffix literal matcher in the 1.1.1 release.
v1.1.1
Compare Source
==================
This is a small release with one fix for a bug caused by literal optimizations.
Bug fixes:
Fixes a bug in the reverse suffix literal optimization. This was originally
reported
against ripgrep.
v1.1.0
Compare Source
==================
This is a small release with a couple small enhancements. This release also
increases the minimal supported Rust version (MSRV) to 1.24.1 (from 1.20.0). In
accordance with this crate's MSRV policy, this release bumps the minor version
number.
Performance improvements:
OPT #540:
Improve lazy DFA construction for large regex sets.
New features:
Add Emoji and "break" Unicode properties. See UNICODE.md.
Bug fixes:
Add Unicode license (for data tables).
v1.0.6
Compare Source
==================
This is a small release.
Performance improvements:
Improve performance of compiling large Unicode classes by 8-10%.
Bug fixes:
Fix definition of `[[:blank:]]` class that regressed in `regex-syntax 0.5`.
v1.0.5
Compare Source
==================
This is a small release with an API enhancement.
New features:
Generalize impls of the `Replacer` trait.
v1.0.4
Compare Source
==================
This is a small release that bumps the quickcheck dependency.
v1.0.3
Compare Source
==================
This is a small bug fix release.
Bug fixes:
Fix for Cargo's "minimal version" support.
Fix doc examples for byte regexes.
v1.0.2
Compare Source
==================
This release exposes some new lower level APIs on `Regex` that permit
amortizing allocation and controlling the location at which a search is
performed in a more granular way. Most users of the regex crate will not
need or want to use these APIs.
New features:
Add a few lower level APIs for amortizing allocation and more fine grained
searching.
Bug fixes:
Correct outdated documentation on `RegexBuilder::dot_matches_new_line`.
Correct outdated documentation on `Parser::allow_invalid_utf8` in the
`regex-syntax` crate.
Fix a bug in the HIR printer where it wouldn't correctly escape meta
characters in character classes.
v1.0.1
Compare Source
==================
This release upgrades regex's Unicode tables to Unicode 11, and enables SIMD
optimizations automatically on Rust stable (1.27 or newer).
New features:
Implement `size_hint` on `RegexSet` match iterators.
Update Unicode tables for Unicode 11.
SIMD optimizations are now enabled automatically in Rust stable, for versions
1.27 and up. No compilation flags or features need to be set. CPU support for
SIMD is detected automatically at runtime.
Bug fixes:
Present a better compilation error when the `use_std` feature isn't used.
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.