From c188be71e2820a8faa987d10d065e253f9e473e3 Mon Sep 17 00:00:00 2001
From: Evan Richter <evanjrichter@gmail.com>
Date: Sun, 26 Jun 2022 14:42:00 -0500
Subject: [PATCH] rulex advisory for stack overflow (#1271)

---
 crates/rulex/RUSTSEC-0000-0000.md | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 crates/rulex/RUSTSEC-0000-0000.md

diff --git a/crates/rulex/RUSTSEC-0000-0000.md b/crates/rulex/RUSTSEC-0000-0000.md
new file mode 100644
index 0000000..c8d7f67
--- /dev/null
+++ b/crates/rulex/RUSTSEC-0000-0000.md
@@ -0,0 +1,21 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "rulex"
+date = "2022-05-21"
+url = "https://github.com/rulex-rs/rulex/security/advisories/GHSA-v78m-2q7v-fjqp"
+categories = ["denial-of-service"]
+aliases = ["CVE-2022-31099", "GHSA-v78m-2q7v-fjqp"]
+[versions]
+patched = [">= 0.4.3"]
+```
+
+# Stack overflow during recursive expression parsing
+
+When parsing untrusted rulex expressions, the stack may overflow, possibly
+enabling a Denial of Service attack. This happens when parsing an expression
+with several hundred levels of nesting, causing the process to abort
+immediately.
+
+The flaw was corrected in commits `60aa2dc03a` by adding a check to recursion
+depth.