
Bug 922589

Summary: GHSA-c827-hfw6-qwvm: rustix: memory explosion leading to potential DOS
Product: Gentoo Security
Reporter: Randy Barlow <randy>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: UNCONFIRMED ---
Severity: normal
Keywords: PullRequest
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://github.com/advisories/GHSA-c827-hfw6-qwvm
See Also: https://github.com/gentoo/gentoo/pull/34929
          https://github.com/gentoo/gentoo/pull/35198
Whiteboard:
Package list:
Runtime testing required: ---

Description Randy Barlow 2024-01-21 03:08:16 UTC
Various versions of the rustix crate have an issue that can lead to rapid memory consumption.

Here is my attempt to identify the ebuilds that use the vulnerable versions of rustix:

❯ grep -R rustix | grep -v "Manifest\|0\.38\.19\|0\.37\.25\|0\.36\.16\|0\.35\.15\|metadata/md5"                        
grep: .git/index: binary file matches                                                                                                                                                                                                         
.git/COMMIT_EDITMSG:* GHSA-c827-hfw6-qwvm: Update rustix to 0.38.30                                                                                                                                                                           
app-antivirus/clamav/clamav-1.1.0.ebuild:       rustix-0.37.11                                                                                                                                                                                
app-antivirus/clamav/clamav-1.1.3.ebuild:       rustix@0.37.11                                                                                                                                                                                
app-antivirus/clamav/clamav-1.2.1.ebuild:               rustix@0.38.11                                                                                                                                                                        
app-benchmarks/hyperfine/hyperfine-1.16.1.ebuild:       rustix-0.36.9                                                                                                                                                                         
app-benchmarks/hyperfine/hyperfine-1.18.0.ebuild:       rustix@0.38.17                                                                                                                                                                        
app-containers/aardvark-dns/aardvark-dns-1.8.0.ebuild:  rustix@0.38.14                                                                                                                                                                        
app-containers/netavark/netavark-1.6.0.ebuild:  rustix-0.36.9                                                                                                                                                                                 
app-crypt/rpm-sequoia/rpm-sequoia-1.5.0.ebuild: rustix@0.38.10                                                                                                                                                                                
app-crypt/sequoia-chameleon-gnupg/sequoia-chameleon-gnupg-0.3.2-r3.ebuild:      rustix@0.36.5          
app-crypt/sequoia-chameleon-gnupg/sequoia-chameleon-gnupg-0.4.0.ebuild: rustix@0.38.28           
app-crypt/sequoia-sq/sequoia-sq-0.31.0-r1.ebuild:       rustix@0.37.22                                 
app-crypt/sequoia-sq/sequoia-sq-0.32.0.ebuild:  rustix@0.38.28                                   
app-crypt/sequoia-sqv/sequoia-sqv-1.1.0-r1.ebuild:      rustix-0.37.19
app-crypt/sequoia-sqv/sequoia-sqv-1.1.0-r2.ebuild:      rustix@0.37.19
app-editors/helix/helix-23.05.ebuild:   rustix-0.37.15
app-editors/helix/helix-23.10-r2.ebuild:        rustix@0.38.20
app-emulation/ruffle/ruffle-0_p20231216.ebuild: rustix@0.38.28
app-emulation/ruffle/ruffle-0_p20240117.ebuild: rustix@0.38.30
app-emulation/virtiofsd/virtiofsd-1.5.1-r2.ebuild:      rustix-0.36.7
app-emulation/virtiofsd/virtiofsd-1.6.1-r1.ebuild:      rustix@0.36.7
app-emulation/virtiofsd/virtiofsd-1.8.0.ebuild: rustix@0.38.7
app-emulation/virtiofsd/virtiofsd-9999.ebuild:  rustix@0.36.7
app-i18n/yaskkserv2/yaskkserv2-0.1.7.ebuild:    rustix-0.38.13
app-misc/broot/broot-1.29.0.ebuild:rustix@0.38.25
app-misc/broot/broot-1.30.0.ebuild:rustix@0.38.25
app-misc/broot/broot-1.31.0.ebuild:rustix@0.38.25
app-misc/broot/broot-1.32.0.ebuild:rustix@0.38.25
app-misc/rpick/rpick-0.9.0.ebuild:      rustix-0.37.23
app-misc/rpick/rpick-0.9.0.ebuild:      rustix-0.38.4
app-misc/rpick/rpick-0.9.1.ebuild:      rustix@0.38.30
app-misc/zellij/zellij-0.39.0.ebuild:   rustix@0.37.7
app-misc/zellij/zellij-0.39.1.ebuild:   rustix@0.37.7
app-misc/zellij/zellij-0.39.2.ebuild:   rustix@0.37.7
app-shells/atuin/atuin-17.0.0.ebuild:   rustix@0.38.20
app-shells/atuin/atuin-17.1.0-r1.ebuild:        rustix@0.38.26
app-shells/atuin/atuin-17.2.1.ebuild:   rustix@0.38.28
app-shells/nushell/nushell-0.85.0.ebuild:       rustix@0.36.15
app-shells/nushell/nushell-0.85.0.ebuild:       rustix@0.37.23
app-shells/nushell/nushell-0.85.0.ebuild:       rustix@0.38.3
app-shells/nushell/nushell-0.88.1.ebuild:       rustix@0.37.27
app-shells/nushell/nushell-0.88.1.ebuild:       rustix@0.38.26
app-shells/nushell/nushell-0.89.0.ebuild:       rustix@0.38.28
app-shells/starship/starship-1.16.0.ebuild:     rustix@0.37.21
app-shells/starship/starship-1.16.0.ebuild:     rustix@0.38.4
app-shells/starship/starship-1.15.0.ebuild:     rustix-0.37.13
app-text/mdbook/mdbook-0.4.35.ebuild:   rustix@0.37.23
app-text/mdbook/mdbook-0.4.35.ebuild:   rustix@0.38.4
app-text/mdbook/mdbook-0.4.36.ebuild:   rustix@0.38.25
dev-db/influxdb/influxdb-2.7.3.ebuild:  rustix@0.37.7
dev-lang/gleam/gleam-0.33.0.ebuild:     rustix@0.38.28
dev-lang/rust/files/1.64.0-vendor-rustix-sparc-has-no-SIGSTKFLT.patch:Subject: [PATCH] vendor/rustix: sparc has no SIGSTKFLT
dev-lang/rust/files/1.64.0-vendor-rustix-sparc-has-no-SIGSTKFLT.patch: vendor/rustix/.cargo-checksum.json               | 2 +-
dev-lang/rust/files/1.64.0-vendor-rustix-sparc-has-no-SIGSTKFLT.patch: vendor/rustix/src/imp/libc/process/types.rs      | 4 ++++
dev-lang/rust/files/1.64.0-vendor-rustix-sparc-has-no-SIGSTKFLT.patch: vendor/rustix/src/imp/linux_raw/process/types.rs | 4 ++--
dev-lang/rust/files/1.64.0-vendor-rustix-sparc-has-no-SIGSTKFLT.patch:diff --git a/vendor/rustix/src/imp/libc/process/types.rs b/vendor/rustix/src/imp/libc/process/types.rs
dev-lang/rust/files/1.64.0-vendor-rustix-sparc-has-no-SIGSTKFLT.patch:--- a/vendor/rustix/src/imp/libc/process/types.rs 
dev-lang/rust/files/1.64.0-vendor-rustix-sparc-has-no-SIGSTKFLT.patch:+++ b/vendor/rustix/src/imp/libc/process/types.rs 
dev-lang/rust/files/1.64.0-vendor-rustix-sparc-has-no-SIGSTKFLT.patch:diff --git a/vendor/rustix/src/imp/linux_raw/process/types.rs b/vendor/rustix/src/imp/linux_raw/process/types.rs
dev-lang/rust/files/1.64.0-vendor-rustix-sparc-has-no-SIGSTKFLT.patch:--- a/vendor/rustix/src/imp/linux_raw/process/types.rs
dev-lang/rust/files/1.64.0-vendor-rustix-sparc-has-no-SIGSTKFLT.patch:+++ b/vendor/rustix/src/imp/linux_raw/process/types.rs
dev-lang/rust/rust-1.65.0.ebuild:       "${FILESDIR}"/1.64.0-vendor-rustix-sparc-has-no-SIGSTKFLT.patch
dev-lang/rust/rust-1.65.0.ebuild:                       vendor/rustix/.cargo-checksum.json || die
dev-lang/rust/rust-1.66.1.ebuild:       "${FILESDIR}"/1.64.0-vendor-rustix-sparc-has-no-SIGSTKFLT.patch
dev-lang/rust/rust-1.66.1.ebuild:                       vendor/rustix/.cargo-checksum.json || die
dev-lang/starlark-rust/starlark-rust-0.8.0.ebuild:      rustix-0.34.6
dev-util/bindgen/bindgen-0.68.1.ebuild: rustix@0.36.7
dev-util/bindgen/bindgen-0.68.1.ebuild: rustix@0.37.3
dev-util/bingrep/bingrep-0.11.0.ebuild: rustix-0.36.8
dev-util/cargo-audit/cargo-audit-0.17.6.ebuild: rustix@0.37.15
dev-util/cargo-c/cargo-c-0.9.20.ebuild: rustix-0.37.19
dev-util/cargo-c/cargo-c-0.9.28.ebuild: rustix@0.38.9
dev-util/cargo-c/cargo-c-0.9.29.ebuild: rustix@0.38.28
dev-util/cargo-nextest/cargo-nextest-0.9.59.ebuild:     rustix@0.37.23
dev-util/cargo-nextest/cargo-nextest-0.9.59.ebuild:     rustix@0.38.14
dev-util/cargo-tarpaulin/cargo-tarpaulin-0.27.1.ebuild: rustix@0.36.4
dev-util/difftastic/difftastic-0.54.0.ebuild:   rustix@0.37.27
dev-util/git-delta/git-delta-0.16.5.ebuild:     rustix@0.36.9
dev-util/maturin/maturin-1.4.0.ebuild:  rustix@0.37.27
dev-util/maturin/maturin-1.4.0.ebuild:  rustix@0.38.21
dev-util/ruff/ruff-0.1.14.ebuild:       rustix@0.38.28
dev-util/sccache/sccache-0.5.4.ebuild:  rustix@0.35.13
dev-util/sccache/sccache-0.5.4.ebuild:  rustix@0.36.4
dev-util/sccache/sccache-0.5.4.ebuild:  rustix@0.37.7
dev-util/selenium-manager/selenium-manager-4.14.0.ebuild:       rustix@0.36.11
dev-util/selenium-manager/selenium-manager-4.14.0.ebuild:       rustix@0.38.8
dev-util/selenium-manager/selenium-manager-4.15.0.ebuild:       rustix@0.36.11
dev-util/selenium-manager/selenium-manager-4.15.0.ebuild:       rustix@0.38.8
dev-util/tree-sitter-cli/tree-sitter-cli-0.20.8.ebuild: rustix-0.37.7
dev-vcs/stgit/stgit-2.4.0.ebuild:       rustix-0.38.17
dev-vcs/stgit/stgit-2.4.1.ebuild:       rustix-0.38.28
dev-vcs/stgit/stgit-2.4.2.ebuild:       rustix-0.38.28
games-board/jja/jja-0.7.1.ebuild:       rustix@0.37.23
games-board/jja/jja-0.7.1.ebuild:       rustix@0.38.4
games-board/jja/jja-0.8.0.ebuild:       rustix@0.38.7
games-board/jja/jja-0.8.1.ebuild:       rustix@0.38.9
games-board/jja/jja-0.9.0.ebuild:       rustix@0.38.11
games-board/jja/jja-9999.ebuild:        rustix@0.38.7
gnome-base/librsvg/librsvg-2.56.3.ebuild:       rustix-0.38.4
gnome-base/librsvg/librsvg-2.56.4.ebuild:       rustix@0.38.4
gnome-base/librsvg/librsvg-2.57.0.ebuild:       rustix@0.38.13
media-gfx/oxipng/oxipng-9.0.0.ebuild:   rustix@0.37.20
media-sound/ncspot/ncspot-0.13.4.ebuild:        rustix@0.37.23
media-sound/ncspot/ncspot-0.13.4.ebuild:        rustix@0.38.4
media-sound/ncspot/ncspot-1.0.0.ebuild: rustix@0.37.27
media-sound/ncspot/ncspot-1.0.0.ebuild: rustix@0.38.28
media-sound/rescrobbled/rescrobbled-0.7.1.ebuild:       rustix@0.37.23
media-video/rav1e/rav1e-0.6.3.ebuild:   rustix-0.36.6
media-video/rav1e/rav1e-0.6.5.ebuild:   rustix-0.37.19
media-video/rav1e/rav1e-0.6.6.ebuild:   rustix-0.37.19
media-video/rav1e/rav1e-9999.ebuild:    rustix-0.37.19
net-analyzer/trippy/trippy-0.9.0.ebuild:        rustix@0.38.25
net-misc/hurl/hurl-4.1.0.ebuild:        rustix@0.38.14
net-misc/zerotier/zerotier-1.10.6.ebuild:       rustix@0.36.8
net-misc/zerotier/zerotier-1.12.2.ebuild:       rustix@0.38.8
net-p2p/arti/arti-1.1.11.ebuild:        rustix@0.37.27
net-p2p/arti/arti-1.1.11.ebuild:        rustix@0.38.26
net-p2p/arti/arti-1.1.12.ebuild:        rustix@0.37.27
net-p2p/arti/arti-1.1.12.ebuild:        rustix@0.38.28
sci-libs/tokenizers/tokenizers-0.14.1-r1.ebuild:        rustix@0.38.13
sci-libs/tokenizers/tokenizers-0.14.1-r1.ebuild:        rustix@0.38.24
sys-apps/amdgpu_top/amdgpu_top-0.5.0.ebuild:    rustix@0.38.28
sys-apps/bat/bat-0.24.0.ebuild: rustix@0.38.11
sys-apps/bat/bat-0.23.0-r1.ebuild:      rustix@0.36.8
sys-apps/eza/eza-0.11.1-r1.ebuild:      rustix@0.37.23
sys-apps/eza/eza-0.14.2.ebuild: rustix@0.38.13
sys-apps/eza/eza-0.15.3.ebuild: rustix@0.38.21
sys-apps/eza/eza-0.16.3.ebuild: rustix@0.38.21
sys-apps/eza/eza-0.17.0.ebuild: rustix@0.38.21
sys-apps/eza/eza-0.17.1.ebuild: rustix@0.38.21
sys-apps/fd/fd-8.7.0.ebuild:    rustix-0.35.12
sys-apps/fd/fd-8.7.0.ebuild:    rustix-0.36.6
sys-apps/lsd/lsd-1.0.0.ebuild:rustix@0.36.7
sys-apps/syd/syd-3.9.13.ebuild: rustix@0.36.17
sys-apps/syd/syd-3.9.13.ebuild: rustix@0.38.28
sys-apps/uutils-coreutils/uutils-coreutils-0.0.23.ebuild:       rustix@0.37.26
sys-apps/uutils-coreutils/uutils-coreutils-0.0.23.ebuild:       rustix@0.38.21
sys-apps/uutils-coreutils/uutils-coreutils-9999.ebuild: rustix@0.37.26
sys-apps/uutils-coreutils/uutils-coreutils-9999.ebuild: rustix@0.38.21
sys-apps/uutils-findutils/uutils-findutils-0.4.2-r1.ebuild:     rustix@0.38.25
sys-apps/uutils-findutils/uutils-findutils-9999.ebuild: rustix@0.37.20
sys-apps/uutils-findutils/uutils-findutils-9999.ebuild: rustix@0.38.4
sys-block/dust/dust-0.8.6.ebuild:       rustix-0.37.19
sys-block/thin-provisioning-tools/thin-provisioning-tools-1.0.6.ebuild:         rustix@0.38.6
sys-block/thin-provisioning-tools/thin-provisioning-tools-1.0.9.ebuild: rustix@0.38.27
sys-block/thin-provisioning-tools/thin-provisioning-tools-1.0.10.ebuild:        rustix@0.38.30
sys-block/thin-provisioning-tools/thin-provisioning-tools-9999.ebuild:  rustix@0.38.30
sys-fs/bcachefs-tools/bcachefs-tools-1.3.5_p20231216.ebuild:    rustix@0.37.27
sys-fs/bcachefs-tools/bcachefs-tools-1.3.5_p20231216.ebuild:    rustix@0.38.25
sys-fs/bcachefs-tools/bcachefs-tools-1.4.0.ebuild:      rustix@0.37.27
sys-fs/bcachefs-tools/bcachefs-tools-1.4.0.ebuild:      rustix@0.38.25
sys-process/below/below-0.7.0.ebuild:   rustix-0.35.12
sys-process/below/below-0.7.0.ebuild:   rustix-0.37.11
sys-process/below/below-0.7.1.ebuild:   rustix@0.35.12
sys-process/below/below-0.7.1.ebuild:   rustix@0.37.11
sys-process/bottom/bottom-0.9.6.ebuild: rustix-0.37.23
sys-process/bottom/bottom-0.9.6.ebuild: rustix-0.38.9
sys-process/procs/procs-0.14.4.ebuild:  rustix@0.37.27
sys-process/procs/procs-0.14.4.ebuild:  rustix@0.38.21
www-apps/nextcloud-notify_push/nextcloud-notify_push-0.6.6.ebuild:rustix@0.38.7
x11-terms/alacritty/alacritty-0.13.1.ebuild:    rustix-openpty@0.1.1
x11-terms/alacritty/alacritty-0.13.1.ebuild:    rustix@0.38.25
x11-terms/wezterm/wezterm-20230408.112425.ebuild:       rustix-0.36.11
x11-terms/wezterm/wezterm-20230408.112425.ebuild:       rustix-0.37.6
x11-terms/wezterm/wezterm-20230712.072601.ebuild:       rustix@0.37.23
x11-terms/wezterm/wezterm-20230712.072601.ebuild:       rustix@0.38.3

I have not investigated whether these ebuilds use rustix in a way that makes them vulnerable, only whether they use a known vulnerable version of rustix.

Reproducible: Always
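As an added example that is not part of the bug report: the grep -v filter in the description excludes only the four exact fix releases, so later releases in each series (0.38.25, 0.38.30 and so on) still appear as hits even though they are already fixed. The Python below, written for this page, post-processes such grep output with a real version comparison and keeps only the ebuild pins that sit below the fix for their minor series; the fix versions are the ones the reporter's filter names, and the handling of series after 0.38 is an assumption noted in the code.

```python
import re

# Fix releases per rustix minor series, taken from the reporter's grep -v filter
# above; they correspond to the ranges in GHSA-c827-hfw6-qwvm.
FIXED_BY_SERIES = {
    (0, 35): (0, 35, 15),
    (0, 36): (0, 36, 16),
    (0, 37): (0, 37, 25),
    (0, 38): (0, 38, 19),
}

# One grep hit: "<path>.ebuild:<ws>rustix@X.Y.Z" or "rustix-X.Y.Z" (both CRATES
# spellings occur in the tree). rustix-openpty@... is a different crate and is skipped.
HIT_RE = re.compile(r"^(?P<path>\S+\.ebuild):\s*rustix[@-](?P<ver>\d+\.\d+\.\d+)\s*$")


def parse_version(ver: str) -> tuple:
    """'0.38.28' -> (0, 38, 28): tuples compare numerically, strings do not."""
    return tuple(int(part) for part in ver.split("."))


def is_vulnerable(ver: str) -> bool:
    """True when this rustix release is below the fix for its minor series."""
    v = parse_version(ver)
    series = v[:2]
    if series in FIXED_BY_SERIES:
        return v < FIXED_BY_SERIES[series]
    # Series before 0.35 never got a fix, so every release there is affected.
    # Series after 0.38 postdate the fix; treating them as fixed is an assumption.
    return series < (0, 35)


def triage(grep_output: str) -> dict:
    """Map each ebuild path to the set of rustix versions it pins that are still
    vulnerable. Hits on fixed releases, which grep -v alone cannot exclude, are dropped."""
    vulnerable = {}
    for line in grep_output.splitlines():
        m = HIT_RE.match(line)
        if not m:
            continue  # binary-file notices, patch files, other crates
        if is_vulnerable(m["ver"]):
            vulnerable.setdefault(m["path"], set()).add(m["ver"])
    return vulnerable


# Constructed sample: a few lines copied from the grep output in the report.
SAMPLE = """\
grep: .git/index: binary file matches
app-antivirus/clamav/clamav-1.1.3.ebuild:       rustix@0.37.11
app-emulation/ruffle/ruffle-0_p20240117.ebuild: rustix@0.38.30
app-shells/nushell/nushell-0.85.0.ebuild:       rustix@0.36.15
dev-lang/starlark-rust/starlark-rust-0.8.0.ebuild:      rustix-0.34.6
x11-terms/alacritty/alacritty-0.13.1.ebuild:    rustix-openpty@0.1.1
"""
```

Feeding the full `grep -R rustix` output to triage() leaves only the pins that are actually below the fix line, which is the list a maintainer needs to bump.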
Comment 1 Larry the Git Cow gentoo-dev 2024-01-21 04:02:02 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e8669fa28f8061c98753da87e905d86d47f981e2

commit e8669fa28f8061c98753da87e905d86d47f981e2
Author:     Randy Barlow <randy@electronsweatshop.com>
AuthorDate: 2024-01-21 02:46:02 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-01-21 03:57:58 +0000

    app-misc/rpick: Add 0.9.1
    
    This addresses two security issues in dependencies, though it is not
    known whether rpick is vulnerable to the issues:
    
    * RUSTSEC-2023-0075: Update unsafe-libyaml to 0.2.10
      - https://github.com/bowlofeggs/rpick/pull/353
      - https://rustsec.org/advisories/RUSTSEC-2023-0075.html
    * GHSA-c827-hfw6-qwvm: Update rustix to 0.38.30
      - https://github.com/bowlofeggs/rpick/pull/359
      - https://github.com/advisories/GHSA-c827-hfw6-qwvm
    
    Bug: https://bugs.gentoo.org/922588
    Bug: https://bugs.gentoo.org/922589
    Signed-off-by: Randy Barlow <randy@electronsweatshop.com>
    Closes: https://github.com/gentoo/gentoo/pull/34929
    Signed-off-by: Sam James <sam@gentoo.org>

 app-misc/rpick/Manifest           |  66 ++++++++++++++++++
 app-misc/rpick/rpick-0.9.1.ebuild | 139 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 205 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2024-02-06 03:41:04 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6068510a96e1a9d6656d31f3a61e2b0adc4c15f0

commit 6068510a96e1a9d6656d31f3a61e2b0adc4c15f0
Author:     Randy Barlow <randy@electronsweatshop.com>
AuthorDate: 2024-02-05 23:21:26 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-02-06 03:40:27 +0000

    app-misc/rpick: Drop 0.9.0
    
    Bug: https://bugs.gentoo.org/922588
    Bug: https://bugs.gentoo.org/922589
    Signed-off-by: Randy Barlow <randy@electronsweatshop.com>
    Closes: https://github.com/gentoo/gentoo/pull/35198
    Signed-off-by: Sam James <sam@gentoo.org>

 app-misc/rpick/Manifest           |  73 -------------------
 app-misc/rpick/rpick-0.9.0.ebuild | 146 --------------------------------------
 2 files changed, 219 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f7bce99fa59aa3b880bea298ffb55514386c42a8

commit f7bce99fa59aa3b880bea298ffb55514386c42a8
Author:     Randy Barlow <randy@electronsweatshop.com>
AuthorDate: 2024-02-05 23:19:56 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-02-06 03:40:27 +0000

    app-misc/rpick: Drop 0.8.12
    
    Bug: https://bugs.gentoo.org/922588
    Bug: https://bugs.gentoo.org/922589
    Signed-off-by: Randy Barlow <randy@electronsweatshop.com>
    Signed-off-by: Sam James <sam@gentoo.org>

 app-misc/rpick/Manifest            |  59 -----------------
 app-misc/rpick/rpick-0.8.12.ebuild | 125 -------------------------------------
 2 files changed, 184 deletions(-)