rulex advisory for stack overflow (#1271)

2026-01-05 03:00:34 +01:00 · 2022-06-26 14:42:00 -05:00
parent 7381319981
commit c188be71e2
1 changed files with 21 additions and 0 deletions
--- a/crates/rulex/RUSTSEC-0000-0000.md
+++ b/crates/rulex/RUSTSEC-0000-0000.md
@@ -0,0 +1,21 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "rulex"
+date = "2022-05-21"
+url = "https://github.com/rulex-rs/rulex/security/advisories/GHSA-v78m-2q7v-fjqp"
+categories = ["denial-of-service"]
+aliases = ["CVE-2022-31099", "GHSA-v78m-2q7v-fjqp"]
+[versions]
+patched = [">= 0.4.3"]
+```
+
+# Stack overflow during recursive expression parsing
+
+When parsing untrusted rulex expressions, the stack may overflow, possibly
+enabling a Denial of Service attack. This happens when parsing an expression
+with several hundred levels of nesting, causing the process to abort
+immediately.
+
+The flaw was corrected in commits `60aa2dc03a` by adding a check to recursion
+depth.