Summary: | <dev-lang/rust{-bin,}-1.52.0: multiple vulnerabilities (CVE-2021-{28875,28876,28877,28878,28879,31162,36317,36318}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | gyakovlev, herrtimson, rust |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | A3 [glsa+] | ||
Package list: |
dev-lang/rust-1.51.0-r2
dev-lang/rust-bin-1.51.0
virtual/rust-1.51.0
|
Runtime testing required: | --- |
Description
John Helmert III
2021-04-11 22:51:20 UTC
CVE-2021-31162: In the standard library in Rust before 1.53.0, a double free can occur in the Vec::from_iter function if freeing the element panics. The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=65b9e4c1a1c3a2de55637c7977584c5827b66366 commit 65b9e4c1a1c3a2de55637c7977584c5827b66366 Author: Georgy Yakovlev <gyakovlev@gentoo.org> AuthorDate: 2021-04-18 01:23:09 +0000 Commit: Georgy Yakovlev <gyakovlev@gentoo.org> CommitDate: 2021-04-18 01:23:24 +0000 dev-lang/rust: security revbump of 1.51.0 Fixes for: CVE-2020-36323 CVE-2021-28876 CVE-2021-31162 Bug: https://bugs.gentoo.org/782799 Bug: https://bugs.gentoo.org/782367 Package-Manager: Portage-3.0.18, Repoman-3.0.3 Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org> dev-lang/rust/files/1.51.0-CVE-2020-36323.patch | 175 +++++++ dev-lang/rust/files/1.51.0-CVE-2021-28876.patch | 39 ++ dev-lang/rust/files/1.51.0-CVE-2021-28878.patch | 112 +++++ dev-lang/rust/files/1.51.0-CVE-2021-28879.patch | 84 ++++ dev-lang/rust/files/1.51.0-CVE-2021-31162.patch | 195 ++++++++ dev-lang/rust/rust-1.51.0-r1.ebuild | 622 ++++++++++++++++++++++++ 6 files changed, 1227 insertions(+) I'll focus on 1.51.0 and will avoid older versions. fixes still needed for CVE-2021-28878 CVE-2021-28879, patches do not apply cleanly and need porting/rebasing. will do later. (In reply to Georgy Yakovlev from comment #3) > I'll focus on 1.51.0 and will avoid older versions. > > fixes still needed for CVE-2021-28878 CVE-2021-28879, patches do not apply > cleanly and need porting/rebasing. will do later. but haven't you added patches refering to those two CVE in the last commit? In any case, you can pull in nicely rebased patches from fedora. (In reply to tt_1 from comment #4) > (In reply to Georgy Yakovlev from comment #3) > > I'll focus on 1.51.0 and will avoid older versions. > > > > fixes still needed for CVE-2021-28878 CVE-2021-28879, patches do not apply > > cleanly and need porting/rebasing. will do later. > > but haven't you added patches refering to those two CVE in the last commit? > In any case, you can pull in nicely rebased patches from fedora. I did, but those are unused intentionally, just left them in the files/ to rebase later. thanks, will check fedora's patches. The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c9982cad131a4c026810796850ccb60243ff9406 commit c9982cad131a4c026810796850ccb60243ff9406 Author: Georgy Yakovlev <gyakovlev@gentoo.org> AuthorDate: 2021-04-18 10:28:48 +0000 Commit: Georgy Yakovlev <gyakovlev@gentoo.org> CommitDate: 2021-04-18 10:29:23 +0000 dev-lang/rust: security revbump with 2 more patches switched to fedora's rebased patches Bug: https://bugs.gentoo.org/782367 Package-Manager: Portage-3.0.18, Repoman-3.0.3 Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org> ...3.patch => rustc-1.51.0-backport-pr81728.patch} | 26 ++++--- ...6.patch => rustc-1.51.0-backport-pr81741.patch} | 11 ++- ...9.patch => rustc-1.51.0-backport-pr82289.patch} | 32 +++++--- ...8.patch => rustc-1.51.0-backport-pr82292.patch} | 36 +++++---- ...2.patch => rustc-1.51.0-backport-pr83629.patch} | 89 +++++----------------- ...rust-1.51.0-r1.ebuild => rust-1.51.0-r2.ebuild} | 10 +-- 6 files changed, 91 insertions(+), 113 deletions(-) idk what to do with rust-bin btw, as it can't be patched =) we can try to fast-track new release one it out and if it contains patches. The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=78b40d2e6a9eb40ce44a8b1177bb759aa41d4f45 commit 78b40d2e6a9eb40ce44a8b1177bb759aa41d4f45 Author: Georgy Yakovlev <gyakovlev@gentoo.org> AuthorDate: 2021-04-18 11:24:31 +0000 Commit: Georgy Yakovlev <gyakovlev@gentoo.org> CommitDate: 2021-04-18 11:26:25 +0000 dev-lang/rust: drop rust-1.51.0 Bug: https://bugs.gentoo.org/782367 Bug: https://bugs.gentoo.org/782799 Closes: https://bugs.gentoo.org/783468 Package-Manager: Portage-3.0.18, Repoman-3.0.3 Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org> dev-lang/rust/rust-1.51.0.ebuild | 617 --------------------------------------- 1 file changed, 617 deletions(-) amd64 done amd64 done x86 done ppc64 done arm64 done arm done all arches done cleanup of all old versions done. rust-bin-1.51.0 is still vulnerable rust-1.51.0-r2 is not The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bce433a93aac36134e9826557e90c328077a34f2 commit bce433a93aac36134e9826557e90c328077a34f2 Author: Georgy Yakovlev <gyakovlev@gentoo.org> AuthorDate: 2021-04-27 18:28:13 +0000 Commit: Georgy Yakovlev <gyakovlev@gentoo.org> CommitDate: 2021-04-27 18:28:28 +0000 dev-java/openjdk-jre-bin: drop old 11 Bug: https://bugs.gentoo.org/782367 Package-Manager: Portage-3.0.18, Repoman-3.0.3 Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org> dev-java/openjdk-jre-bin/Manifest | 2 - .../openjdk-jre-bin-11.0.10_p9.ebuild | 97 ---------------------- .../openjdk-jre-bin-11.0.9_p11.ebuild | 97 ---------------------- 3 files changed, 196 deletions(-) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1a56dd109509399af44cec59a2158136f95d359b commit 1a56dd109509399af44cec59a2158136f95d359b Author: Georgy Yakovlev <gyakovlev@gentoo.org> AuthorDate: 2021-04-27 18:27:30 +0000 Commit: Georgy Yakovlev <gyakovlev@gentoo.org> CommitDate: 2021-04-27 18:28:28 +0000 dev-java/openjdk: drop old 11 Bug: https://bugs.gentoo.org/782367 Package-Manager: Portage-3.0.18, Repoman-3.0.3 Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org> dev-java/openjdk/Manifest | 2 - dev-java/openjdk/openjdk-11.0.10_p9.ebuild | 272 ----------------------------- dev-java/openjdk/openjdk-11.0.9_p11.ebuild | 272 ----------------------------- 3 files changed, 546 deletions(-) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c75e137e7d8f5a747f27d597df6c9a356a20ea3f commit c75e137e7d8f5a747f27d597df6c9a356a20ea3f Author: Georgy Yakovlev <gyakovlev@gentoo.org> AuthorDate: 2021-04-27 18:26:28 +0000 Commit: Georgy Yakovlev <gyakovlev@gentoo.org> CommitDate: 2021-04-27 18:28:27 +0000 dev-java/openjdk-bin: drop old 11.x Bug: https://bugs.gentoo.org/782367 Package-Manager: Portage-3.0.18, Repoman-3.0.3 Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org> dev-java/openjdk-bin/Manifest | 9 -- dev-java/openjdk-bin/openjdk-bin-11.0.10_p9.ebuild | 132 --------------------- dev-java/openjdk-bin/openjdk-bin-11.0.9_p11.ebuild | 111 ----------------- 3 files changed, 252 deletions(-) ^ oops, wrong bug, sorry for spam and sorry for more spam. Unable to check for sanity:
> no match for package: dev-lang/rust-1.51.0-r2
cleanup done GLSA request filed The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=cda5f646cd9bc370223b79be59deee389a0caeef commit cda5f646cd9bc370223b79be59deee389a0caeef Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2022-10-16 14:43:11 +0000 Commit: John Helmert III <ajak@gentoo.org> CommitDate: 2022-10-16 14:45:25 +0000 [ GLSA 202210-09 ] Rust: Multiple Vulnerabilities Bug: https://bugs.gentoo.org/782367 Bug: https://bugs.gentoo.org/807052 Bug: https://bugs.gentoo.org/821157 Bug: https://bugs.gentoo.org/831638 Bug: https://bugs.gentoo.org/870166 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: John Helmert III <ajak@gentoo.org> glsa-202210-09.xml | 76 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 76 insertions(+) GLSA released, all done! |