Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 922588 - RUSTSEC-2023-0075: unsafe-libyaml: Unaligned write of u64 on 32-bit and 16-bit platforms
Summary: RUSTSEC-2023-0075: unsafe-libyaml: Unaligned write of u64 on 32-bit and 16-bi...
Status: UNCONFIRMED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://rustsec.org/advisories/RUSTSE...
Whiteboard:
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2024-01-21 02:59 UTC by Randy Barlow
Modified: 2024-02-06 03:41 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Randy Barlow 2024-01-21 02:59:17 UTC
The unsafe-libyaml crate prior to version 0.2.10 had an alignment write issue on non-64 bit platforms, leading to undefined behavior.

I see non-fixed versions of this crate referenced in a few packages in the gentoo tree:

❯ grep -R unsafe-libyaml | grep -v "Manifest\|0\.2\.10\|metadata/md5"
app-crypt/sequoia-sq/sequoia-sq-0.31.0-r1.ebuild:       unsafe-libyaml@0.2.8
app-misc/jf/jf-0.6.2-r1.ebuild: unsafe-libyaml@0.2.8
app-misc/rpick/rpick-0.8.12.ebuild:     unsafe-libyaml-0.2.4
app-misc/rpick/rpick-0.9.0.ebuild:      unsafe-libyaml-0.2.9
app-shells/nushell/nushell-0.85.0.ebuild:       unsafe-libyaml@0.2.8
app-shells/nushell/nushell-0.88.1.ebuild:       unsafe-libyaml@0.2.9
net-dns/pdns-recursor/pdns-recursor-5.0.1.ebuild:       unsafe-libyaml@0.2.9
sys-apps/bat/bat-0.24.0.ebuild: unsafe-libyaml@0.2.9
sys-power/wluma/wluma-4.3.0-r1.ebuild:  unsafe-libyaml@0.2.5
x11-terms/wezterm/wezterm-20230408.112425.ebuild:       unsafe-libyaml-0.2.7
x11-terms/wezterm/wezterm-20230712.072601.ebuild:       unsafe-libyaml@0.2.8

I have not investigated whether the way these packages use the crate makes them vulnerable, nor whether all of these packages have keywords for non-64 bit platforms.

Reproducible: Always
Comment 1 Larry the Git Cow gentoo-dev 2024-01-21 04:02:03 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e8669fa28f8061c98753da87e905d86d47f981e2

commit e8669fa28f8061c98753da87e905d86d47f981e2
Author:     Randy Barlow <randy@electronsweatshop.com>
AuthorDate: 2024-01-21 02:46:02 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-01-21 03:57:58 +0000

    app-misc/rpick: Add 0.9.1
    
    This addresses two security issues in dependencies, though it is not
    known whether rpick is vulnerable to the issues:
    
    * RUSTSEC-2023-0075: Update unsafe-libyaml to 0.2.10
      - https://github.com/bowlofeggs/rpick/pull/353
      - https://rustsec.org/advisories/RUSTSEC-2023-0075.html
    * GHSA-c827-hfw6-qwvm: Update rustix to 0.38.30
      - https://github.com/bowlofeggs/rpick/pull/359
      - https://github.com/advisories/GHSA-c827-hfw6-qwvm
    
    Bug: https://bugs.gentoo.org/922588
    Bug: https://bugs.gentoo.org/922589
    Signed-off-by: Randy Barlow <randy@electronsweatshop.com>
    Closes: https://github.com/gentoo/gentoo/pull/34929
    Signed-off-by: Sam James <sam@gentoo.org>

 app-misc/rpick/Manifest           |  66 ++++++++++++++++++
 app-misc/rpick/rpick-0.9.1.ebuild | 139 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 205 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2024-02-06 03:41:05 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6068510a96e1a9d6656d31f3a61e2b0adc4c15f0

commit 6068510a96e1a9d6656d31f3a61e2b0adc4c15f0
Author:     Randy Barlow <randy@electronsweatshop.com>
AuthorDate: 2024-02-05 23:21:26 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-02-06 03:40:27 +0000

    app-misc/rpick: Drop 0.9.0
    
    Bug: https://bugs.gentoo.org/922588
    Bug: https://bugs.gentoo.org/922589
    Signed-off-by: Randy Barlow <randy@electronsweatshop.com>
    Closes: https://github.com/gentoo/gentoo/pull/35198
    Signed-off-by: Sam James <sam@gentoo.org>

 app-misc/rpick/Manifest           |  73 -------------------
 app-misc/rpick/rpick-0.9.0.ebuild | 146 --------------------------------------
 2 files changed, 219 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f7bce99fa59aa3b880bea298ffb55514386c42a8

commit f7bce99fa59aa3b880bea298ffb55514386c42a8
Author:     Randy Barlow <randy@electronsweatshop.com>
AuthorDate: 2024-02-05 23:19:56 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-02-06 03:40:27 +0000

    app-misc/rpick: Drop 0.8.12
    
    Bug: https://bugs.gentoo.org/922588
    Bug: https://bugs.gentoo.org/922589
    Signed-off-by: Randy Barlow <randy@electronsweatshop.com>
    Signed-off-by: Sam James <sam@gentoo.org>

 app-misc/rpick/Manifest            |  59 -----------------
 app-misc/rpick/rpick-0.8.12.ebuild | 125 -------------------------------------
 2 files changed, 184 deletions(-)