OMGeeky/advisory-db
1
0
Fork 0
mirror of https://github.com/OMGeeky/advisory-db.git synced 2026-02-13 21:18:11 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
36df8a4efc6f2da4ccc7ced0d431136f473b2001
advisory-db/crates/rulex/RUSTSEC-2022-0031.md
github-actions[bot] b4ed922847 Assigned RUSTSEC-2022-0031 to rulex (#1274) 
Co-authored-by: Shnatsel <Shnatsel@users.noreply.github.com>
2022-06-26 22:01:26 +02:00

800 B
Raw Blame History 

[advisory]
id = "RUSTSEC-2022-0031"
package = "rulex"
date = "2022-05-21"
url = "https://github.com/rulex-rs/rulex/security/advisories/GHSA-8v9w-p43c-r885"
categories = ["denial-of-service"]
aliases = ["CVE-2022-31100", "GHSA-8v9w-p43c-r885"]
[versions]
patched = [">= 0.4.3"]

Panic due to improper UTF-8 indexing

When parsing untrusted rulex expressions, rulex may panic, possibly enabling a Denial of Service attack. This happens when the expression contains a multi- byte UTF-8 code point in a string literal or after a backslash, because rulex tries to slice into the code point and panics as a result.

The flaw was corrected in commits fac6d58b25 and 330b3534e7 by using len_utf8() to derive character width in bytes instead of assuming ASCII encoding of 1 byte per char.