The unsafe-libyaml crate prior to version 0.2.10 had an alignment write issue on non-64 bit platforms, leading to undefined behavior.

I see non-fixed versions of this crate referenced in a few packages in the gentoo tree:

❯ grep -R unsafe-libyaml | grep -v "Manifest\|0\.2\.10\|metadata/md5"
app-crypt/sequoia-sq/sequoia-sq-0.31.0-r1.ebuild: unsafe-libyaml@0.2.8
app-misc/jf/jf-0.6.2-r1.ebuild: unsafe-libyaml@0.2.8
app-misc/rpick/rpick-0.8.12.ebuild: unsafe-libyaml-0.2.4
app-misc/rpick/rpick-0.9.0.ebuild: unsafe-libyaml-0.2.9
app-shells/nushell/nushell-0.85.0.ebuild: unsafe-libyaml@0.2.8
app-shells/nushell/nushell-0.88.1.ebuild: unsafe-libyaml@0.2.9
net-dns/pdns-recursor/pdns-recursor-5.0.1.ebuild: unsafe-libyaml@0.2.9
sys-apps/bat/bat-0.24.0.ebuild: unsafe-libyaml@0.2.9
sys-power/wluma/wluma-4.3.0-r1.ebuild: unsafe-libyaml@0.2.5
x11-terms/wezterm/wezterm-20230408.112425.ebuild: unsafe-libyaml-0.2.7
x11-terms/wezterm/wezterm-20230712.072601.ebuild: unsafe-libyaml@0.2.8

I have not investigated whether the way these packages use the crate makes them vulnerable, nor whether all of these packages have keywords for non-64 bit platforms.

Reproducible: Always
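An added example, not part of the original report or of Gentoo's tooling: the grep pipeline in the report drops any line that mentions 0.2.10 and keeps every other version string, so this variant extracts each pinned unsafe-libyaml version from the ebuilds and compares it numerically against the first fixed release. The function names `version_lt` and `scan_tree` are hypothetical, and GNU grep (`--include`) and GNU sort (`-V`) are assumed.

```shell
#!/bin/sh
# Added example: list ebuilds that pin unsafe-libyaml below the fixed release.
# Usage: sh <this script> /path/to/ebuild/repository [fixed-version]
# Assumes GNU grep and GNU sort; 0.2.10 is the fixed version named in the report.

# version_lt A B: succeed when version A sorts strictly before version B.
# sort -V compares numerically per component, so 0.2.9 < 0.2.10 holds
# (a plain string comparison would get that pair wrong).
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# scan_tree DIR [FIXED]: print "<ebuild path> <pinned version>" for every
# ebuild under DIR whose pinned unsafe-libyaml version is older than FIXED.
# Both pin spellings seen in the tree are matched: crate@ver and crate-ver.
scan_tree() {
    tree=$1
    fixed=${2:-0.2.10}
    grep -rHoE --include='*.ebuild' \
        'unsafe-libyaml[@-][0-9]+(\.[0-9]+)*' "$tree" |
    sort -u |
    while IFS=: read -r file pin; do
        ver=${pin#unsafe-libyaml?}      # strip the crate name and separator
        if version_lt "$ver" "$fixed"; then
            printf '%s %s\n' "$file" "$ver"
        fi
    done
}

# Run only when a directory is given, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
    scan_tree "$@"
fi
```

Only `*.ebuild` files are read, so Manifest and metadata cache entries need no separate exclusion.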
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e8669fa28f8061c98753da87e905d86d47f981e2

commit e8669fa28f8061c98753da87e905d86d47f981e2
Author:     Randy Barlow <randy@electronsweatshop.com>
AuthorDate: 2024-01-21 02:46:02 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-01-21 03:57:58 +0000

    app-misc/rpick: Add 0.9.1

    This addresses two security issues in dependencies, though it is not
    known whether rpick is vulnerable to the issues:

    * RUSTSEC-2023-0075: Update unsafe-libyaml to 0.2.10
      - https://github.com/bowlofeggs/rpick/pull/353
      - https://rustsec.org/advisories/RUSTSEC-2023-0075.html
    * GHSA-c827-hfw6-qwvm: Update rustix to 0.38.30
      - https://github.com/bowlofeggs/rpick/pull/359
      - https://github.com/advisories/GHSA-c827-hfw6-qwvm

    Bug: https://bugs.gentoo.org/922588
    Bug: https://bugs.gentoo.org/922589
    Signed-off-by: Randy Barlow <randy@electronsweatshop.com>
    Closes: https://github.com/gentoo/gentoo/pull/34929
    Signed-off-by: Sam James <sam@gentoo.org>

 app-misc/rpick/Manifest | 66 ++++++++++++++++++
 app-misc/rpick/rpick-0.9.1.ebuild | 139 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 205 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6068510a96e1a9d6656d31f3a61e2b0adc4c15f0

commit 6068510a96e1a9d6656d31f3a61e2b0adc4c15f0
Author:     Randy Barlow <randy@electronsweatshop.com>
AuthorDate: 2024-02-05 23:21:26 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-02-06 03:40:27 +0000

    app-misc/rpick: Drop 0.9.0

    Bug: https://bugs.gentoo.org/922588
    Bug: https://bugs.gentoo.org/922589
    Signed-off-by: Randy Barlow <randy@electronsweatshop.com>
    Closes: https://github.com/gentoo/gentoo/pull/35198
    Signed-off-by: Sam James <sam@gentoo.org>

 app-misc/rpick/Manifest | 73 -------------------
 app-misc/rpick/rpick-0.9.0.ebuild | 146 --------------------------------------
 2 files changed, 219 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f7bce99fa59aa3b880bea298ffb55514386c42a8

commit f7bce99fa59aa3b880bea298ffb55514386c42a8
Author:     Randy Barlow <randy@electronsweatshop.com>
AuthorDate: 2024-02-05 23:19:56 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-02-06 03:40:27 +0000

    app-misc/rpick: Drop 0.8.12

    Bug: https://bugs.gentoo.org/922588
    Bug: https://bugs.gentoo.org/922589
    Signed-off-by: Randy Barlow <randy@electronsweatshop.com>
    Signed-off-by: Sam James <sam@gentoo.org>

 app-misc/rpick/Manifest | 59 -----------------
 app-misc/rpick/rpick-0.8.12.ebuild | 125 -------------------------------------
 2 files changed, 184 deletions(-)