In the standard library in Rust before 1.50.3, there is an optimization for joining strings that can cause uninitialized bytes to be exposed (or the program to crash) if the borrowed string changes after its length is checked.
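To make the failure mode in that description concrete, here is an added illustration (not code from the Rust standard library or from this bug's patches). The constructed type `Flaky` is a `Borrow<str>` implementation whose answer changes between calls, which is exactly the "borrowed string changes after its length is checked" condition. `checked_join` precomputes the total length in a first pass, copies in a second pass using only safe `push_str`, and then verifies that the bytes actually written match the precomputed length. In safe code an inconsistent borrow can only cause a reallocation, never exposed uninitialized memory; the post-copy check is the defensive pattern that turns such an inconsistency into a reported error instead of silent corruption. The names `Flaky` and `checked_join` are this example's own.

```rust
use std::borrow::Borrow;
use std::cell::Cell;

/// Constructed test type (not from the page): its `Borrow<str>` result
/// grows after the first call, so a length computed up front is stale
/// by the time the bytes are copied.
pub struct Flaky {
    calls: Cell<usize>,
}

impl Flaky {
    pub fn new() -> Self {
        Flaky { calls: Cell::new(0) }
    }
}

impl Borrow<str> for Flaky {
    fn borrow(&self) -> &str {
        let n = self.calls.get();
        self.calls.set(n + 1);
        // First call reports a short string, later calls a longer one.
        if n == 0 { "ab" } else { "abcdefgh" }
    }
}

/// Join `parts` with `sep`, precomputing the length (pass 1) and then
/// copying (pass 2). A mismatch between the two passes is reported as an
/// error rather than trusted, which is the check a join that writes into
/// pre-reserved memory must make before it exposes that memory.
pub fn checked_join<S: Borrow<str>>(parts: &[S], sep: &str) -> Result<String, String> {
    // Pass 1: compute the expected output length from the borrowed strings.
    let expected: usize = parts.iter().map(|p| p.borrow().len()).sum::<usize>()
        + sep.len() * parts.len().saturating_sub(1);

    // Reserve once, based on the pass-1 estimate (the optimization in question).
    let mut out = String::with_capacity(expected);

    // Pass 2: copy using safe `push_str`, which can only reallocate on surprise.
    for (i, p) in parts.iter().enumerate() {
        if i > 0 {
            out.push_str(sep);
        }
        out.push_str(p.borrow());
    }

    // Post-copy consistency check: the borrowed strings must not have changed.
    if out.len() != expected {
        return Err(format!(
            "Borrow<str> returned inconsistent lengths: expected {} bytes, wrote {}",
            expected,
            out.len()
        ));
    }
    Ok(out)
}

fn main() {
    // Well-behaved input joins normally.
    println!("{:?}", checked_join(&["a", "b", "c"], ", "));
    // A misbehaving Borrow impl is detected instead of trusted.
    println!("{:?}", checked_join(&[Flaky::new()], ", "));
}
```

The two-pass structure is the point: any join that sizes its buffer from one call to `borrow()` and copies from a second call has to treat the two results as potentially different, and the cheapest place to catch the discrepancy is a length comparison after the copy.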
The versioning here doesn’t seem to make sense. There haven’t been 1.50.x releases for x > 0, nor will there be, since 1.51 has already been released.
Sorry, I should have double checked first. As you mentioned 1.50.3 doesn't exist, and also the commit containing the fix was merged after 1.51.0 was tagged (so 1.51.0 should be vulnerable too).
Maybe this is a duplicate for bug 782367?
Not a dupe.
Can you maybe try to get this backported to one of the llvm-11 based versions of dev-lang/rust in the tree? To my layman eye it seems possible to easily backport this to dev-lang/rust-1.47.0-r2, and having a backport to this version (or any other llvm-11 based stable candidate) will save everyone from updating their whole toolchain to llvm-12.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=65b9e4c1a1c3a2de55637c7977584c5827b66366

commit 65b9e4c1a1c3a2de55637c7977584c5827b66366
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2021-04-18 01:23:09 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2021-04-18 01:23:24 +0000

    dev-lang/rust: security revbump of 1.51.0

    Fixes for:
    CVE-2020-36323
    CVE-2021-28876
    CVE-2021-31162

    Bug: https://bugs.gentoo.org/782799
    Bug: https://bugs.gentoo.org/782367
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-lang/rust/files/1.51.0-CVE-2020-36323.patch | 175 +++++++
 dev-lang/rust/files/1.51.0-CVE-2021-28876.patch |  39 ++
 dev-lang/rust/files/1.51.0-CVE-2021-28878.patch | 112 +++++
 dev-lang/rust/files/1.51.0-CVE-2021-28879.patch |  84 ++++
 dev-lang/rust/files/1.51.0-CVE-2021-31162.patch | 195 ++++++++
 dev-lang/rust/rust-1.51.0-r1.ebuild             | 622 ++++++++++++++++++++++++
 6 files changed, 1227 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=78b40d2e6a9eb40ce44a8b1177bb759aa41d4f45

commit 78b40d2e6a9eb40ce44a8b1177bb759aa41d4f45
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2021-04-18 11:24:31 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2021-04-18 11:26:25 +0000

    dev-lang/rust: drop rust-1.51.0

    Bug: https://bugs.gentoo.org/782367
    Bug: https://bugs.gentoo.org/782799
    Closes: https://bugs.gentoo.org/783468
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-lang/rust/rust-1.51.0.ebuild | 617 ---------------------------------------
 1 file changed, 617 deletions(-)
cleanup done
Package list is empty or all packages have requested keywords.
I get an email every two hours, citing that

--- from NATTkA bot <nattka@gentoo.org> ---
Package list is empty or all packages have requested keywords.

Can you please stop that? Thanks
(In reply to tt_1 from comment #15)
> I get an email every two hours, citing that
>
> --- from NATTkA bot <nattka@gentoo.org> ---
> Package list is empty or all packages have requested keywords.
>
> can you please stop that? Thanks

I think it's stopped now, but if you want to watch the security alias on Bugzilla for updates on security bugs in Gentoo, then you probably don't care about NATTkA comments and can safely ignore mails from the bot based on the "X-Bugzilla-Who: nattka@gentoo.org" header.