Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 782799 (CVE-2020-36323) - <dev-lang/rust{,bin}-1.52.0: uninitialized read in standard library function (CVE-2020-36323)
Summary: <dev-lang/rust{,bin}-1.52.0: uninitialized read in standard library function ...
Status: RESOLVED FIXED
Alias: CVE-2020-36323
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-04-14 08:38 UTC by Matt Smith
Modified: 2021-08-06 00:36 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Matt Smith 2021-04-14 08:38:33 UTC
In the standard library in Rust before 1.50.3, there is an optimization for joining strings that can cause uninitialized bytes to be exposed (or the program to crash) if the borrowed string changes after its length is checked.
Comment 1 Dirkjan Ochtman gentoo-dev 2021-04-14 09:55:39 UTC
The versioning here doesn’t seem to make sense. There haven’t been 1.50.x releases for x > 0, nor will there be, since 1.51 has already been released.
Comment 2 Matt Smith 2021-04-14 10:41:52 UTC
Sorry, I should have double checked first.

As you mentioned 1.50.3 doesn't exist, and also the commit containing the fix was merged after 1.51.0 was tagged (so 1.51.0 should be vulnerable too).
Comment 3 Dirkjan Ochtman gentoo-dev 2021-04-14 13:11:49 UTC
Maybe this is a duplicate for bug 782367?
Comment 4 Thomas Deutschmann gentoo-dev Security 2021-04-14 15:24:43 UTC
Not a dupe.
Comment 5 tt_1 2021-04-17 06:40:18 UTC
Can you maybe try to get this backported to one of the llvm-11 based versions of dev-lang/rust in the tree? To my layman eye it seems possible to easily backport this to dev-lang/rust-1.47.0-r2, and having a backport to this version (or any other llvm-11 based stable canidate) will save everyone from updating their whole toolchain to llvm-12.
Comment 6 Larry the Git Cow gentoo-dev 2021-04-18 01:24:05 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=65b9e4c1a1c3a2de55637c7977584c5827b66366

commit 65b9e4c1a1c3a2de55637c7977584c5827b66366
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2021-04-18 01:23:09 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2021-04-18 01:23:24 +0000

    dev-lang/rust: security revbump of 1.51.0
    
    Fixes for:
    CVE-2020-36323
    CVE-2021-28876
    CVE-2021-31162
    
    Bug: https://bugs.gentoo.org/782799
    Bug: https://bugs.gentoo.org/782367
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-lang/rust/files/1.51.0-CVE-2020-36323.patch | 175 +++++++
 dev-lang/rust/files/1.51.0-CVE-2021-28876.patch |  39 ++
 dev-lang/rust/files/1.51.0-CVE-2021-28878.patch | 112 +++++
 dev-lang/rust/files/1.51.0-CVE-2021-28879.patch |  84 ++++
 dev-lang/rust/files/1.51.0-CVE-2021-31162.patch | 195 ++++++++
 dev-lang/rust/rust-1.51.0-r1.ebuild             | 622 ++++++++++++++++++++++++
 6 files changed, 1227 insertions(+)
Comment 7 Larry the Git Cow gentoo-dev 2021-04-18 11:26:59 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=78b40d2e6a9eb40ce44a8b1177bb759aa41d4f45

commit 78b40d2e6a9eb40ce44a8b1177bb759aa41d4f45
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2021-04-18 11:24:31 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2021-04-18 11:26:25 +0000

    dev-lang/rust: drop rust-1.51.0
    
    Bug: https://bugs.gentoo.org/782367
    Bug: https://bugs.gentoo.org/782799
    Closes: https://bugs.gentoo.org/783468
    
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-lang/rust/rust-1.51.0.ebuild | 617 ---------------------------------------
 1 file changed, 617 deletions(-)
Comment 8 Georgy Yakovlev gentoo-dev 2021-07-03 07:08:15 UTC
cleanup done
Comment 9 NATTkA bot gentoo-dev 2021-07-29 17:23:08 UTC Comment hidden (obsolete)
Comment 10 NATTkA bot gentoo-dev 2021-07-29 17:31:28 UTC Comment hidden (obsolete)
Comment 11 NATTkA bot gentoo-dev 2021-07-29 17:39:25 UTC Comment hidden (obsolete)
Comment 12 NATTkA bot gentoo-dev 2021-07-29 17:47:35 UTC Comment hidden (obsolete)
Comment 13 NATTkA bot gentoo-dev 2021-07-29 18:03:31 UTC Comment hidden (obsolete)
Comment 14 NATTkA bot gentoo-dev 2021-07-29 18:11:49 UTC
Package list is empty or all packages have requested keywords.
Comment 15 tt_1 2021-07-29 20:54:01 UTC
I get an email every two hours, citing that 

--- from NATTkA bot <nattka@gentoo.org> ---
Package list is empty or all packages have requested keywords.

can you please stop that? Thanks
Comment 16 John Helmert III gentoo-dev Security 2021-08-06 00:36:10 UTC
(In reply to tt_1 from comment #15)
> I get an email every two hours, citing that 
> 
> --- from NATTkA bot <nattka@gentoo.org> ---
> Package list is empty or all packages have requested keywords.
> 
> can you please stop that? Thanks

I think it's stopped now, but if you want to watch the security alias on Bugzilla for updates on security bugs in Gentoo, then you probably don't care about NATTkA comments and can safely ignore mails from the bot based on the "X-Bugzilla-Who: nattka@gentoo.org" header.