Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 666976 - <dev-lang/rust{,-bin}-1.29.0: out of bounds write
Summary: <dev-lang/rust{,-bin}-1.29.0: out of bounds write
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-09-24 12:05 UTC by Dirkjan Ochtman (RETIRED)
Modified: 2019-08-12 23:46 UTC (History)
3 users (show)

See Also:
Package list:
=dev-lang/rust-1.29.1 =dev-lang/rust-bin-1.29.1 =dev-util/cargo-0.30.0 =virtual/cargo-1.29.1 =virtual/rust-1.29.1 =sys-devel/binutils-2.30-r4 =sys-libs/binutils-libs-2.30-r4
Runtime testing required: ---
stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Dirkjan Ochtman (RETIRED) gentoo-dev 2018-09-24 12:05:58 UTC 
From https://groups.google.com/forum/#!topic/rustlang-security-announcements/CmSuTm-SaU0

# Security advisory for the Rust standard library - 2018-09-21

The Rust team was recently notified of a security vulnerability affecting
the `str::repeat` function in the standard library. If your code does not
use this function, it is not affected.

We are applying for a CVE for this vulnerability, but since there is no
embargo, we have not filed for one yet. Once a CVE is assigned, we'll make a
second post to make mention of the CVE number.

## Overview

This vulnerability is an instance of CWE-680: Integer Overflow to Buffer
Overflow[1].

The `str::repeat` function in the standard library allows repeating a
string a fixed number of times, returning an owned version of the final
string. The capacity of the final string is calculated by multiplying
the length of the string being repeated by the number of copies. This
calculation can overflow, and this case was not properly checked for.

The rest of the implementation of `str::repeat` contains unsafe code
that relies on a preallocated vector having the capacity calculated
earlier. On integer overflow the capacity will be less than required,
and which then writes outside of the allocated buffer, leading to
buffer overflow.
Comment 1 Dirkjan Ochtman (RETIRED) gentoo-dev 2018-09-24 12:07:59 UTC 
1.29.1 is slated to be released tomorrow.
Comment 2 Dirkjan Ochtman (RETIRED) gentoo-dev 2018-09-29 13:28:16 UTC 
I think this is ready. Please review and test.
Comment 3 Stabilization helper bot gentoo-dev 2018-09-29 14:00:24 UTC 
An automated check of this bug failed - the following atom is unknown:

sys-devel/binutils-libs-2.30-r4

Please verify the atom list.
Comment 4 Stabilization helper bot gentoo-dev 2018-09-29 19:02:15 UTC 
An automated check of this bug succeeded - the previous repoman errors are now resolved.
Comment 5 Mart Raudsepp gentoo-dev 2018-09-30 21:02:18 UTC 
I don't see any ACKs about binutils revbump being fine to stable by their maintainers. I assume they are, BUT only 3 arches are CCed, meaning that binutils{,-libs} will lag behind on other arches once this bug is done.
As such I'm also hesitant to do them for arm64, plus we don't have rust stable, so not sure why we CCed in the first place (besides for binutils, but for that many other arches should be CCed as well)...
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2018-10-01 00:11:52 UTC 
x86 stable
Comment 7 Dirkjan Ochtman (RETIRED) gentoo-dev 2018-10-01 07:37:08 UTC 
Toolchain folks, do you agree with the stabilization of the newer binutils{,-libs}? Do you want to handle that here or in a separate bug?
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2018-10-01 23:05:34 UTC 
(In reply to Dirkjan Ochtman from comment #7)
> Toolchain folks, do you agree with the stabilization of the newer
> binutils{,-libs}? Do you want to handle that here or in a separate bug?

Same bug should be ok. Thanks for pulling those in!
Comment 9 Mart Raudsepp gentoo-dev 2018-10-03 10:17:10 UTC 
as-is the other arches will have lagging stable for binutils stuff now when handled here without all arches CCed, coupled with arch specifications in package list.
Comment 10 Thomas Deutschmann (RETIRED) gentoo-dev 2018-10-03 13:49:29 UTC 
Once this security stabilization is handled we will create a dedicated bug for the remaining architectures.
Comment 11 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-10-04 08:00:19 UTC 
amd64 stable
Comment 12 Larry the Git Cow gentoo-dev 2018-10-05 13:11:10 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d3aba8ca44bf9f3cdb6f44202206ed9fac08d6b9

commit d3aba8ca44bf9f3cdb6f44202206ed9fac08d6b9
Author:     Dirkjan Ochtman <djc@gentoo.org>
AuthorDate: 2018-10-05 13:09:59 +0000
Commit:     Dirkjan Ochtman <djc@gentoo.org>
CommitDate: 2018-10-05 13:10:59 +0000

    dev-lang/rust-bin: remove old, vulnerable versions of rust
    
    Bug: https://bugs.gentoo.org/666976
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=662904
    Signed-off-by: Dirkjan Ochtman <djc@gentoo.org>
    Package-Manager: Portage-2.3.49, Repoman-2.3.10

 dev-lang/rust-bin/Manifest                  |  11 --
 dev-lang/rust-bin/rust-bin-1.25.0.ebuild    | 122 ---------------------
 dev-lang/rust-bin/rust-bin-1.28.0-r1.ebuild | 163 ----------------------------
 3 files changed, 296 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5bbd64bd5a9b84a1a33a9bbcf7b725d26d947a50

commit 5bbd64bd5a9b84a1a33a9bbcf7b725d26d947a50
Author:     Dirkjan Ochtman <djc@gentoo.org>
AuthorDate: 2018-10-05 13:08:58 +0000
Commit:     Dirkjan Ochtman <djc@gentoo.org>
CommitDate: 2018-10-05 13:10:58 +0000

    dev-lang/rust: remove old, vulnerable versions of rust
    
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=666976
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=662904
    Signed-off-by: Dirkjan Ochtman <djc@gentoo.org>
    Package-Manager: Portage-2.3.49, Repoman-2.3.10

 dev-lang/rust/Manifest              |   8 --
 dev-lang/rust/metadata.xml          |   2 -
 dev-lang/rust/rust-1.25.0.ebuild    | 172 ----------------------
 dev-lang/rust/rust-1.28.0-r1.ebuild | 276 ------------------------------------
 dev-lang/rust/rust-1.28.0.ebuild    | 268 ----------------------------------
 5 files changed, 726 deletions(-)
Comment 13 Dirkjan Ochtman (RETIRED) gentoo-dev 2018-10-05 13:11:37 UTC 
Vulnerable versions removed.