Bug 685970 - =dev-lang/rust-1.34.{0,1}: CVE-2019-12083 If the `Error::type_id` method is overridden then any type can be safely cast to any other type, causing memory safety vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://cve.mitre.org/cgi-bin/cvename...
Whiteboard: A4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-05-14 17:59 UTC by Georgy Yakovlev
Modified: 2019-05-17 03:18 UTC

See Also:
Package list:
dev-lang/rust-1.34.2 dev-lang/rust-bin-1.34.2 virtual/rust-1.34.2 virtual/cargo-1.34.2
Runtime testing required: ---
stable-bot: sanity-check+


Description Georgy Yakovlev archtester gentoo-dev 2019-05-14 17:59:47 UTC
The Rust Programming Language Standard Library 1.34.x before 1.34.2 contains a stabilized method which, if overridden, can violate Rust's safety guarantees and cause memory unsafety. If the `Error::type_id` method is overridden then any type can be safely cast to any other type, causing memory safety vulnerabilities in safe code (e.g., out-of-bounds write or read). Code that does not manually implement Error::type_id is unaffected.



Reproducible: Always
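
An added example, not part of the original bug report or of the Rust project's code: a heuristic Python audit that checks whether a toolchain version string falls in the affected range given in the description and flags manual `type_id` implementations inside `impl ... Error for ...` blocks, the only code the description says is affected. The function names and the sample Rust source are constructed for illustration.

```python
import re

IMPL_ERROR = re.compile(r"\bimpl\b[^{;]*\bError\s+for\b[^{;]*\{")
TYPE_ID_FN = re.compile(r"\bfn\s+type_id\b")

def toolchain_affected(version_text):
    """True for 1.34.x before 1.34.2, the range given in the bug description."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", version_text)
    if not m:
        raise ValueError("no x.y.z version found in %r" % version_text)
    major, minor, patch = map(int, m.groups())
    return (major, minor) == (1, 34) and patch < 2

def strip_comments(src):
    """Blank out Rust comments, keeping newlines so line numbers stay valid."""
    src = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group().count("\n"), src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)

def find_type_id_overrides(src):
    """Return 1-based line numbers of `fn type_id` inside `impl ... Error for ...` blocks.

    Heuristic: braces are counted textually, so braces inside string literals
    can confuse it; treat hits as review candidates, not proof.
    """
    src = strip_comments(src)
    hits = []
    for m in IMPL_ERROR.finditer(src):
        depth, i = 1, m.end()
        while i < len(src) and depth:          # walk to the end of the impl block
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        for f in TYPE_ID_FN.finditer(src, m.end(), i):
            hits.append(src.count("\n", 0, f.start()) + 1)
    return hits

# Constructed sample source: one plain impl, one that implements type_id by hand.
SAMPLE = """\
use std::{any::TypeId, error::Error};
struct Plain;
impl Error for Plain {}
struct Custom;
impl Error for Custom {
    // fn type_id mentioned only in a comment is ignored
    fn type_id(&self) -> TypeId where Self: 'static { TypeId::of::<Self>() }
}
"""

if __name__ == "__main__":
    print("toolchain affected:", toolchain_affected("rustc 1.34.1"))
    print("manual type_id at lines:", find_type_id_overrides(SAMPLE))
```
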
Comment 1 Georgy Yakovlev archtester gentoo-dev 2019-05-14 18:01:53 UTC
changeset is tiny, we should fast-stable it, preparing bumps.
https://github.com/rust-lang/rust/compare/1.34.1...1.34.2
Comment 2 Larry the Git Cow gentoo-dev 2019-05-14 18:19:49 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d02d88f7b18fac92b8e9188c04577efcc202fd35

commit d02d88f7b18fac92b8e9188c04577efcc202fd35
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2019-05-14 17:55:32 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2019-05-14 18:19:23 +0000

    virtual/cargo: bump to 1.34.2
    
    Bug: https://bugs.gentoo.org/685970
    Package-Manager: Portage-2.3.66, Repoman-2.3.12
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 virtual/cargo/cargo-1.34.2.ebuild | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=64716a9c2f8acdea15b44377ffd9828e4d0320d4

commit 64716a9c2f8acdea15b44377ffd9828e4d0320d4
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2019-05-14 17:54:50 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2019-05-14 18:19:22 +0000

    virtual/rust: bump to 1.34.2
    
    Bug: https://bugs.gentoo.org/685970
    Package-Manager: Portage-2.3.66, Repoman-2.3.12
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 virtual/rust/rust-1.34.2.ebuild | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7eb49e5a05b5832684f17a3a6e61d1588c2e19b8

commit 7eb49e5a05b5832684f17a3a6e61d1588c2e19b8
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2019-05-14 17:53:27 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2019-05-14 18:19:21 +0000

    dev-lang/rust: security bump to 1.34.2
    
    Bug: https://bugs.gentoo.org/685970
    Package-Manager: Portage-2.3.66, Repoman-2.3.12
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-lang/rust/Manifest           |   1 +
 dev-lang/rust/rust-1.34.2.ebuild | 328 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 329 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=aa694fd5b0e54da0e24fefac770f2ce696f36ad7

commit aa694fd5b0e54da0e24fefac770f2ce696f36ad7
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2019-05-14 17:52:03 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2019-05-14 18:19:20 +0000

    dev-lang/rust-bin: security bump to 1.34.2
    
    Bug: https://bugs.gentoo.org/685970
    Package-Manager: Portage-2.3.66, Repoman-2.3.12
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-lang/rust-bin/Manifest               |  13 +++
 dev-lang/rust-bin/rust-bin-1.34.2.ebuild | 171 +++++++++++++++++++++++++++++++
 2 files changed, 184 insertions(+)
Comment 3 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-05-15 14:52:22 UTC
amd64 stable
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2019-05-16 23:58:13 UTC
x86 stable
Comment 5 Larry the Git Cow gentoo-dev 2019-05-17 00:15:27 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=930bbe80a6e12d45b9e75e722412942be8e72592

commit 930bbe80a6e12d45b9e75e722412942be8e72592
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2019-05-17 00:14:20 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2019-05-17 00:14:20 +0000

    dev-lang/rust: drop vulnerable
    
    Bug: https://bugs.gentoo.org/685970
    Package-Manager: Portage-2.3.66, Repoman-2.3.12
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-lang/rust/Manifest              |   2 -
 dev-lang/rust/rust-1.34.0-r2.ebuild | 328 ------------------------------------
 dev-lang/rust/rust-1.34.1.ebuild    | 328 ------------------------------------
 3 files changed, 658 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9f1e1780a767315efe548dc84769b31c6aea08e6

commit 9f1e1780a767315efe548dc84769b31c6aea08e6
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2019-05-17 00:13:45 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2019-05-17 00:13:45 +0000

    dev-lang/rust-bin: drop vulnerable
    
    Bug: https://bugs.gentoo.org/685970
    Package-Manager: Portage-2.3.66, Repoman-2.3.12
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-lang/rust-bin/Manifest                  |  26 -----
 dev-lang/rust-bin/rust-bin-1.34.0-r1.ebuild | 160 --------------------------
 dev-lang/rust-bin/rust-bin-1.34.1.ebuild    | 171 ----------------------------
 3 files changed, 357 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d04363c762bbd607fac205da35c61d5f87bdc795

commit d04363c762bbd607fac205da35c61d5f87bdc795
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2019-05-17 00:13:02 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2019-05-17 00:13:02 +0000

    virtual/cargo: drop vulnerable
    
    Bug: https://bugs.gentoo.org/685970
    Package-Manager: Portage-2.3.66, Repoman-2.3.12
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 virtual/cargo/cargo-1.34.0.ebuild | 17 -----------------
 virtual/cargo/cargo-1.34.1.ebuild | 17 -----------------
 2 files changed, 34 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0b061362542b901bcd075f80d4c861a0f8130468

commit 0b061362542b901bcd075f80d4c861a0f8130468
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2019-05-17 00:12:29 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2019-05-17 00:12:29 +0000

    virtual/rust: drop vulnerable
    
    Bug: https://bugs.gentoo.org/685970
    Package-Manager: Portage-2.3.66, Repoman-2.3.12
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 virtual/rust/rust-1.34.0.ebuild | 15 ---------------
 virtual/rust/rust-1.34.1.ebuild | 15 ---------------
 2 files changed, 30 deletions(-)
Comment 6 Georgy Yakovlev archtester gentoo-dev 2019-05-17 00:16:12 UTC
tree clean of vulnerable versions.
leaving bug open for security