tsimonq2 | Hey! | 17:40 |
---|---|---|
tsimonq2 | I'm trying to access this page from Firefox nightly and I'm getting a Content Encoding Error: https://ubuntu.com/security/cves | 17:40 |
tsimonq2 | Where's the best place to report this? | 17:41 |
sdeziel | tsimonq2: works for me ATM, maybe it was transient? | 19:34 |
tsimonq2 | sdeziel: Can confirm. Thanks for listening. :) | 19:34 |
sdeziel | np | 19:35 |
ItzSwirlz | o/ sorry, but can someone take a look at LP #1977694? | 19:39 |
ubottu | Launchpad bug 1977694 in rust-regex (Ubuntu) "[CVE-2022-24713] Denial of service in compiler with rust-regex" [Undecided, In Progress] https://launchpad.net/bugs/1977694 | 19:39 |
ItzSwirlz | the cve tracker also claims jammy is vulnerable but it's not if you check the changelog | 19:40 |
tsimonq2 | ItzSwirlz: It's been a while since I've done Universe security updates but I believe it isn't SRU'ed, it's direct-pushed. Do you have testing results? | 19:40 |
tsimonq2 | ItzSwirlz: Ah, I see there's a test in the patch. Have you done any verification thus far? | 19:41 |
tsimonq2 | Otherwise besides some changelog formatting it seems okay. | 19:42 |
tsimonq2 | Also, I'll add the serieses on there for you. I don't know if you have access. :) | 19:43 |
ItzSwirlz | tsimonq2: Crates now actually force pushes latest version of regex | 19:57 |
ItzSwirlz | I tried to make a POC (See my github repo) but results were lame. I tried redirecting it to old regex but I need to test it a bit more to find the bug but now it's fine. On my local laptop no DoS. | 19:57 |
ItzSwirlz | What's the changelog issue + did it not get added to d/patches/series? It's at the bottom of the debdiff | 19:58 |
ItzSwirlz | If it is an external service that requires access of course I do not have it. I haven't even applied officially for PPU (Though I plan to this summer) | 19:58 |
ItzSwirlz | tsimonq2: wait im big dumb | 20:00 |
ItzSwirlz | Kinetic is patched. Jammy isn't. https://launchpad.net/ubuntu/+source/rust-regex sorry for the confusion | 20:00 |
tsimonq2 | hi big dumb I'm dad | 20:00 |
tsimonq2 | <ItzSwirlz> "What's the changelog issue + did..." <- Just minor formatting, see other security update changelogs for ref | 20:04 |
ItzSwirlz | oh i see, with the -'s | 20:06 |
tsimonq2 | yeah you catch my drift :) | 20:07 |
tsimonq2 | I'm sure that the Ubuntu Security Team is better at reviewing this but it seems okay from first look | 20:07 |
ItzSwirlz | ill also create a focal patch. idrc about impish as its EOL shortly | 20:08 |
tsimonq2 | It's a Universe package, I doubt that would be required (re: impish) | 20:14 |
ItzSwirlz | do you guys care about the comments or not | 20:17 |
tsimonq2 | In where? | 20:17 |
ItzSwirlz | in the commit/patch specifically | 20:18 |
ItzSwirlz | without comments (or the testsuite but I think that should be kept) the commit would be 1/2 the size | 20:18 |
ItzSwirlz | https://github.com/rust-lang/regex/commit/ae70b41d4f46641dbc45c7a4f87954aea356283e | 20:18 |
ubottu | Commit ae70b41 in rust-lang/regex "security: fix denial-of-service bug in compiler" | 20:18 |
tsimonq2 | I wouldn't say that more documentation is a bad idea but the Ubuntu Security Team would know for sure. | 20:21 |
tsimonq2 | Thanks for formatting it with DEP-3. | 20:22 |
ItzSwirlz | np | 20:28 |