Various versions of the rustix crate have an issue that can lead to rapid memory consumption.

Here is my attempt to identify the ebuilds that use the vulnerable versions of rustix:

❯ grep -R rustix | grep -v "Manifest\|0\.38\.19\|0\.37\.25\|0\.36\.16\|0\.35\.15\|metadata/md5"
grep: .git/index: binary file matches
.git/COMMIT_EDITMSG:* GHSA-c827-hfw6-qwvm: Update rustix to 0.38.30
app-antivirus/clamav/clamav-1.1.0.ebuild: rustix-0.37.11
app-antivirus/clamav/clamav-1.1.3.ebuild: rustix@0.37.11
app-antivirus/clamav/clamav-1.2.1.ebuild: rustix@0.38.11
app-benchmarks/hyperfine/hyperfine-1.16.1.ebuild: rustix-0.36.9
app-benchmarks/hyperfine/hyperfine-1.18.0.ebuild: rustix@0.38.17
app-containers/aardvark-dns/aardvark-dns-1.8.0.ebuild: rustix@0.38.14
app-containers/netavark/netavark-1.6.0.ebuild: rustix-0.36.9
app-crypt/rpm-sequoia/rpm-sequoia-1.5.0.ebuild: rustix@0.38.10
app-crypt/sequoia-chameleon-gnupg/sequoia-chameleon-gnupg-0.3.2-r3.ebuild: rustix@0.36.5
app-crypt/sequoia-chameleon-gnupg/sequoia-chameleon-gnupg-0.4.0.ebuild: rustix@0.38.28
app-crypt/sequoia-sq/sequoia-sq-0.31.0-r1.ebuild: rustix@0.37.22
app-crypt/sequoia-sq/sequoia-sq-0.32.0.ebuild: rustix@0.38.28
app-crypt/sequoia-sqv/sequoia-sqv-1.1.0-r1.ebuild: rustix-0.37.19
app-crypt/sequoia-sqv/sequoia-sqv-1.1.0-r2.ebuild: rustix@0.37.19
app-editors/helix/helix-23.05.ebuild: rustix-0.37.15
app-editors/helix/helix-23.10-r2.ebuild: rustix@0.38.20
app-emulation/ruffle/ruffle-0_p20231216.ebuild: rustix@0.38.28
app-emulation/ruffle/ruffle-0_p20240117.ebuild: rustix@0.38.30
app-emulation/virtiofsd/virtiofsd-1.5.1-r2.ebuild: rustix-0.36.7
app-emulation/virtiofsd/virtiofsd-1.6.1-r1.ebuild: rustix@0.36.7
app-emulation/virtiofsd/virtiofsd-1.8.0.ebuild: rustix@0.38.7
app-emulation/virtiofsd/virtiofsd-9999.ebuild: rustix@0.36.7
app-i18n/yaskkserv2/yaskkserv2-0.1.7.ebuild: rustix-0.38.13
app-misc/broot/broot-1.29.0.ebuild:rustix@0.38.25
app-misc/broot/broot-1.30.0.ebuild:rustix@0.38.25
app-misc/broot/broot-1.31.0.ebuild:rustix@0.38.25
app-misc/broot/broot-1.32.0.ebuild:rustix@0.38.25
app-misc/rpick/rpick-0.9.0.ebuild: rustix-0.37.23
app-misc/rpick/rpick-0.9.0.ebuild: rustix-0.38.4
app-misc/rpick/rpick-0.9.1.ebuild: rustix@0.38.30
app-misc/zellij/zellij-0.39.0.ebuild: rustix@0.37.7
app-misc/zellij/zellij-0.39.1.ebuild: rustix@0.37.7
app-misc/zellij/zellij-0.39.2.ebuild: rustix@0.37.7
app-shells/atuin/atuin-17.0.0.ebuild: rustix@0.38.20
app-shells/atuin/atuin-17.1.0-r1.ebuild: rustix@0.38.26
app-shells/atuin/atuin-17.2.1.ebuild: rustix@0.38.28
app-shells/nushell/nushell-0.85.0.ebuild: rustix@0.36.15
app-shells/nushell/nushell-0.85.0.ebuild: rustix@0.37.23
app-shells/nushell/nushell-0.85.0.ebuild: rustix@0.38.3
app-shells/nushell/nushell-0.88.1.ebuild: rustix@0.37.27
app-shells/nushell/nushell-0.88.1.ebuild: rustix@0.38.26
app-shells/nushell/nushell-0.89.0.ebuild: rustix@0.38.28
app-shells/starship/starship-1.16.0.ebuild: rustix@0.37.21
app-shells/starship/starship-1.16.0.ebuild: rustix@0.38.4
app-shells/starship/starship-1.15.0.ebuild: rustix-0.37.13
app-text/mdbook/mdbook-0.4.35.ebuild: rustix@0.37.23
app-text/mdbook/mdbook-0.4.35.ebuild: rustix@0.38.4
app-text/mdbook/mdbook-0.4.36.ebuild: rustix@0.38.25
dev-db/influxdb/influxdb-2.7.3.ebuild: rustix@0.37.7
dev-lang/gleam/gleam-0.33.0.ebuild: rustix@0.38.28
dev-lang/rust/files/1.64.0-vendor-rustix-sparc-has-no-SIGSTKFLT.patch:Subject: [PATCH] vendor/rustix: sparc has no SIGSTKFLT
dev-lang/rust/files/1.64.0-vendor-rustix-sparc-has-no-SIGSTKFLT.patch: vendor/rustix/.cargo-checksum.json | 2 +-
dev-lang/rust/files/1.64.0-vendor-rustix-sparc-has-no-SIGSTKFLT.patch: vendor/rustix/src/imp/libc/process/types.rs | 4 ++++
dev-lang/rust/files/1.64.0-vendor-rustix-sparc-has-no-SIGSTKFLT.patch: vendor/rustix/src/imp/linux_raw/process/types.rs | 4 ++--
dev-lang/rust/files/1.64.0-vendor-rustix-sparc-has-no-SIGSTKFLT.patch:diff --git a/vendor/rustix/src/imp/libc/process/types.rs b/vendor/rustix/src/imp/libc/process/types.rs
dev-lang/rust/files/1.64.0-vendor-rustix-sparc-has-no-SIGSTKFLT.patch:--- a/vendor/rustix/src/imp/libc/process/types.rs
dev-lang/rust/files/1.64.0-vendor-rustix-sparc-has-no-SIGSTKFLT.patch:+++ b/vendor/rustix/src/imp/libc/process/types.rs
dev-lang/rust/files/1.64.0-vendor-rustix-sparc-has-no-SIGSTKFLT.patch:diff --git a/vendor/rustix/src/imp/linux_raw/process/types.rs b/vendor/rustix/src/imp/linux_raw/process/types.rs
dev-lang/rust/files/1.64.0-vendor-rustix-sparc-has-no-SIGSTKFLT.patch:--- a/vendor/rustix/src/imp/linux_raw/process/types.rs
dev-lang/rust/files/1.64.0-vendor-rustix-sparc-has-no-SIGSTKFLT.patch:+++ b/vendor/rustix/src/imp/linux_raw/process/types.rs
dev-lang/rust/rust-1.65.0.ebuild: "${FILESDIR}"/1.64.0-vendor-rustix-sparc-has-no-SIGSTKFLT.patch
dev-lang/rust/rust-1.65.0.ebuild: vendor/rustix/.cargo-checksum.json || die
dev-lang/rust/rust-1.66.1.ebuild: "${FILESDIR}"/1.64.0-vendor-rustix-sparc-has-no-SIGSTKFLT.patch
dev-lang/rust/rust-1.66.1.ebuild: vendor/rustix/.cargo-checksum.json || die
dev-lang/starlark-rust/starlark-rust-0.8.0.ebuild: rustix-0.34.6
dev-util/bindgen/bindgen-0.68.1.ebuild: rustix@0.36.7
dev-util/bindgen/bindgen-0.68.1.ebuild: rustix@0.37.3
dev-util/bingrep/bingrep-0.11.0.ebuild: rustix-0.36.8
dev-util/cargo-audit/cargo-audit-0.17.6.ebuild: rustix@0.37.15
dev-util/cargo-c/cargo-c-0.9.20.ebuild: rustix-0.37.19
dev-util/cargo-c/cargo-c-0.9.28.ebuild: rustix@0.38.9
dev-util/cargo-c/cargo-c-0.9.29.ebuild: rustix@0.38.28
dev-util/cargo-nextest/cargo-nextest-0.9.59.ebuild: rustix@0.37.23
dev-util/cargo-nextest/cargo-nextest-0.9.59.ebuild: rustix@0.38.14
dev-util/cargo-tarpaulin/cargo-tarpaulin-0.27.1.ebuild: rustix@0.36.4
dev-util/difftastic/difftastic-0.54.0.ebuild: rustix@0.37.27
dev-util/git-delta/git-delta-0.16.5.ebuild: rustix@0.36.9
dev-util/maturin/maturin-1.4.0.ebuild: rustix@0.37.27
dev-util/maturin/maturin-1.4.0.ebuild: rustix@0.38.21
dev-util/ruff/ruff-0.1.14.ebuild: rustix@0.38.28
dev-util/sccache/sccache-0.5.4.ebuild: rustix@0.35.13
dev-util/sccache/sccache-0.5.4.ebuild: rustix@0.36.4
dev-util/sccache/sccache-0.5.4.ebuild: rustix@0.37.7
dev-util/selenium-manager/selenium-manager-4.14.0.ebuild: rustix@0.36.11
dev-util/selenium-manager/selenium-manager-4.14.0.ebuild: rustix@0.38.8
dev-util/selenium-manager/selenium-manager-4.15.0.ebuild: rustix@0.36.11
dev-util/selenium-manager/selenium-manager-4.15.0.ebuild: rustix@0.38.8
dev-util/tree-sitter-cli/tree-sitter-cli-0.20.8.ebuild: rustix-0.37.7
dev-vcs/stgit/stgit-2.4.0.ebuild: rustix-0.38.17
dev-vcs/stgit/stgit-2.4.1.ebuild: rustix-0.38.28
dev-vcs/stgit/stgit-2.4.2.ebuild: rustix-0.38.28
games-board/jja/jja-0.7.1.ebuild: rustix@0.37.23
games-board/jja/jja-0.7.1.ebuild: rustix@0.38.4
games-board/jja/jja-0.8.0.ebuild: rustix@0.38.7
games-board/jja/jja-0.8.1.ebuild: rustix@0.38.9
games-board/jja/jja-0.9.0.ebuild: rustix@0.38.11
games-board/jja/jja-9999.ebuild: rustix@0.38.7
gnome-base/librsvg/librsvg-2.56.3.ebuild: rustix-0.38.4
gnome-base/librsvg/librsvg-2.56.4.ebuild: rustix@0.38.4
gnome-base/librsvg/librsvg-2.57.0.ebuild: rustix@0.38.13
media-gfx/oxipng/oxipng-9.0.0.ebuild: rustix@0.37.20
media-sound/ncspot/ncspot-0.13.4.ebuild: rustix@0.37.23
media-sound/ncspot/ncspot-0.13.4.ebuild: rustix@0.38.4
media-sound/ncspot/ncspot-1.0.0.ebuild: rustix@0.37.27
media-sound/ncspot/ncspot-1.0.0.ebuild: rustix@0.38.28
media-sound/rescrobbled/rescrobbled-0.7.1.ebuild: rustix@0.37.23
media-video/rav1e/rav1e-0.6.3.ebuild: rustix-0.36.6
media-video/rav1e/rav1e-0.6.5.ebuild: rustix-0.37.19
media-video/rav1e/rav1e-0.6.6.ebuild: rustix-0.37.19
media-video/rav1e/rav1e-9999.ebuild: rustix-0.37.19
net-analyzer/trippy/trippy-0.9.0.ebuild: rustix@0.38.25
net-misc/hurl/hurl-4.1.0.ebuild: rustix@0.38.14
net-misc/zerotier/zerotier-1.10.6.ebuild: rustix@0.36.8
net-misc/zerotier/zerotier-1.12.2.ebuild: rustix@0.38.8
net-p2p/arti/arti-1.1.11.ebuild: rustix@0.37.27
net-p2p/arti/arti-1.1.11.ebuild: rustix@0.38.26
net-p2p/arti/arti-1.1.12.ebuild: rustix@0.37.27
net-p2p/arti/arti-1.1.12.ebuild: rustix@0.38.28
sci-libs/tokenizers/tokenizers-0.14.1-r1.ebuild: rustix@0.38.13
sci-libs/tokenizers/tokenizers-0.14.1-r1.ebuild: rustix@0.38.24
sys-apps/amdgpu_top/amdgpu_top-0.5.0.ebuild: rustix@0.38.28
sys-apps/bat/bat-0.24.0.ebuild: rustix@0.38.11
sys-apps/bat/bat-0.23.0-r1.ebuild: rustix@0.36.8
sys-apps/eza/eza-0.11.1-r1.ebuild: rustix@0.37.23
sys-apps/eza/eza-0.14.2.ebuild: rustix@0.38.13
sys-apps/eza/eza-0.15.3.ebuild: rustix@0.38.21
sys-apps/eza/eza-0.16.3.ebuild: rustix@0.38.21
sys-apps/eza/eza-0.17.0.ebuild: rustix@0.38.21
sys-apps/eza/eza-0.17.1.ebuild: rustix@0.38.21
sys-apps/fd/fd-8.7.0.ebuild: rustix-0.35.12
sys-apps/fd/fd-8.7.0.ebuild: rustix-0.36.6
sys-apps/lsd/lsd-1.0.0.ebuild:rustix@0.36.7
sys-apps/syd/syd-3.9.13.ebuild: rustix@0.36.17
sys-apps/syd/syd-3.9.13.ebuild: rustix@0.38.28
sys-apps/uutils-coreutils/uutils-coreutils-0.0.23.ebuild: rustix@0.37.26
sys-apps/uutils-coreutils/uutils-coreutils-0.0.23.ebuild: rustix@0.38.21
sys-apps/uutils-coreutils/uutils-coreutils-9999.ebuild: rustix@0.37.26
sys-apps/uutils-coreutils/uutils-coreutils-9999.ebuild: rustix@0.38.21
sys-apps/uutils-findutils/uutils-findutils-0.4.2-r1.ebuild: rustix@0.38.25
sys-apps/uutils-findutils/uutils-findutils-9999.ebuild: rustix@0.37.20
sys-apps/uutils-findutils/uutils-findutils-9999.ebuild: rustix@0.38.4
sys-block/dust/dust-0.8.6.ebuild: rustix-0.37.19
sys-block/thin-provisioning-tools/thin-provisioning-tools-1.0.6.ebuild: rustix@0.38.6
sys-block/thin-provisioning-tools/thin-provisioning-tools-1.0.9.ebuild: rustix@0.38.27
sys-block/thin-provisioning-tools/thin-provisioning-tools-1.0.10.ebuild: rustix@0.38.30
sys-block/thin-provisioning-tools/thin-provisioning-tools-9999.ebuild: rustix@0.38.30
sys-fs/bcachefs-tools/bcachefs-tools-1.3.5_p20231216.ebuild: rustix@0.37.27
sys-fs/bcachefs-tools/bcachefs-tools-1.3.5_p20231216.ebuild: rustix@0.38.25
sys-fs/bcachefs-tools/bcachefs-tools-1.4.0.ebuild: rustix@0.37.27
sys-fs/bcachefs-tools/bcachefs-tools-1.4.0.ebuild: rustix@0.38.25
sys-process/below/below-0.7.0.ebuild: rustix-0.35.12
sys-process/below/below-0.7.0.ebuild: rustix-0.37.11
sys-process/below/below-0.7.1.ebuild: rustix@0.35.12
sys-process/below/below-0.7.1.ebuild: rustix@0.37.11
sys-process/bottom/bottom-0.9.6.ebuild: rustix-0.37.23
sys-process/bottom/bottom-0.9.6.ebuild: rustix-0.38.9
sys-process/procs/procs-0.14.4.ebuild: rustix@0.37.27
sys-process/procs/procs-0.14.4.ebuild: rustix@0.38.21
www-apps/nextcloud-notify_push/nextcloud-notify_push-0.6.6.ebuild:rustix@0.38.7
x11-terms/alacritty/alacritty-0.13.1.ebuild: rustix-openpty@0.1.1
x11-terms/alacritty/alacritty-0.13.1.ebuild: rustix@0.38.25
x11-terms/wezterm/wezterm-20230408.112425.ebuild: rustix-0.36.11
x11-terms/wezterm/wezterm-20230408.112425.ebuild: rustix-0.37.6
x11-terms/wezterm/wezterm-20230712.072601.ebuild: rustix@0.37.23
x11-terms/wezterm/wezterm-20230712.072601.ebuild: rustix@0.38.3

I have not investigated whether these ebuilds use rustix in a way that makes them vulnerable, only whether they use a known vulnerable version of rustix.

Reproducible: Always
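One way to triage a listing like the one in the report above, added here as an example and not part of the original report or of any Gentoo tooling: compare each pinned rustix version numerically against a per-series threshold, so pins newer than a threshold are separated from older ones. It assumes the four versions excluded by the report's grep (0.35.15, 0.36.16, 0.37.25, 0.38.19) are the first fixed release of their series; the names `classify_rustix` and `sample_lines` are hypothetical.

```shell
#!/bin/sh
# Added example: classify rustix pins by version comparison.
# Assumption: the versions excluded by the grep in the report are the
# first fixed release of each 0.x series; other series print UNKNOWN.

# Reads grep -R style lines ("path: rustix@X.Y.Z" or "path: rustix-X.Y.Z")
# on stdin and prints "STATUS path version" for every rustix pin found.
classify_rustix() {
    awk '
    BEGIN {
        # first fixed patch level per series (from the grep exclusions)
        fixed["0.35"] = 15; fixed["0.36"] = 16
        fixed["0.37"] = 25; fixed["0.38"] = 19
    }
    # A digit must follow the separator, so "rustix-openpty@0.1.1" and
    # paths such as "vendor/rustix/..." are not treated as rustix pins.
    match($0, /rustix[@-][0-9]+\.[0-9]+\.[0-9]+/) {
        ver = substr($0, RSTART + 7, RLENGTH - 7)   # skip "rustix" + separator
        split(ver, v, ".")
        series = v[1] "." v[2]
        path = $0
        sub(/:.*/, "", path)                        # keep the file name only
        if (!(series in fixed))            status = "UNKNOWN"
        else if (v[3] + 0 < fixed[series]) status = "BELOW_FIX"
        else                               status = "FIXED"
        print status, path, ver
    }'
}

# Sample input assembled from entries in the listing above.
sample_lines() {
    cat <<'EOF'
app-misc/rpick/rpick-0.9.0.ebuild: rustix-0.38.4
app-misc/rpick/rpick-0.9.1.ebuild: rustix@0.38.30
x11-terms/alacritty/alacritty-0.13.1.ebuild: rustix-openpty@0.1.1
dev-lang/starlark-rust/starlark-rust-0.8.0.ebuild: rustix-0.34.6
sys-apps/syd/syd-3.9.13.ebuild: rustix@0.36.17
app-shells/nushell/nushell-0.85.0.ebuild: rustix@0.36.15
EOF
}

sample_lines | classify_rustix
```

On a real tree, pipe `grep -R rustix --include='*.ebuild'` into `classify_rustix` and filter on the first column.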
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e8669fa28f8061c98753da87e905d86d47f981e2

commit e8669fa28f8061c98753da87e905d86d47f981e2
Author:     Randy Barlow <randy@electronsweatshop.com>
AuthorDate: 2024-01-21 02:46:02 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-01-21 03:57:58 +0000

    app-misc/rpick: Add 0.9.1

    This addresses two security issues in dependencies, though it is not
    known whether rpick is vulnerable to the issues:

    * RUSTSEC-2023-0075: Update unsafe-libyaml to 0.2.10
      - https://github.com/bowlofeggs/rpick/pull/353
      - https://rustsec.org/advisories/RUSTSEC-2023-0075.html
    * GHSA-c827-hfw6-qwvm: Update rustix to 0.38.30
      - https://github.com/bowlofeggs/rpick/pull/359
      - https://github.com/advisories/GHSA-c827-hfw6-qwvm

    Bug: https://bugs.gentoo.org/922588
    Bug: https://bugs.gentoo.org/922589
    Signed-off-by: Randy Barlow <randy@electronsweatshop.com>
    Closes: https://github.com/gentoo/gentoo/pull/34929
    Signed-off-by: Sam James <sam@gentoo.org>

 app-misc/rpick/Manifest           |  66 ++++++++++++++++++
 app-misc/rpick/rpick-0.9.1.ebuild | 139 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 205 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6068510a96e1a9d6656d31f3a61e2b0adc4c15f0

commit 6068510a96e1a9d6656d31f3a61e2b0adc4c15f0
Author:     Randy Barlow <randy@electronsweatshop.com>
AuthorDate: 2024-02-05 23:21:26 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-02-06 03:40:27 +0000

    app-misc/rpick: Drop 0.9.0

    Bug: https://bugs.gentoo.org/922588
    Bug: https://bugs.gentoo.org/922589
    Signed-off-by: Randy Barlow <randy@electronsweatshop.com>
    Closes: https://github.com/gentoo/gentoo/pull/35198
    Signed-off-by: Sam James <sam@gentoo.org>

 app-misc/rpick/Manifest           |  73 -------------------
 app-misc/rpick/rpick-0.9.0.ebuild | 146 --------------------------------------
 2 files changed, 219 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f7bce99fa59aa3b880bea298ffb55514386c42a8

commit f7bce99fa59aa3b880bea298ffb55514386c42a8
Author:     Randy Barlow <randy@electronsweatshop.com>
AuthorDate: 2024-02-05 23:19:56 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-02-06 03:40:27 +0000

    app-misc/rpick: Drop 0.8.12

    Bug: https://bugs.gentoo.org/922588
    Bug: https://bugs.gentoo.org/922589
    Signed-off-by: Randy Barlow <randy@electronsweatshop.com>
    Signed-off-by: Sam James <sam@gentoo.org>

 app-misc/rpick/Manifest            |  59 -----------------
 app-misc/rpick/rpick-0.8.12.ebuild | 125 -------------------------------------
 2 files changed, 184 deletions(-)