Bug 782367 (CVE-2021-28875, CVE-2021-28876, CVE-2021-28877, CVE-2021-28878, CVE-2021-28879, CVE-2021-31162, CVE-2021-36317, CVE-2021-36318) - <dev-lang/rust{-bin,}-1.52.0: multiple vulnerabilities (CVE-2021-{28875,28876,28877,28878,28879,31162,36317,36318})
Summary: <dev-lang/rust{-bin,}-1.52.0: multiple vulnerabilities (CVE-2021-{28875,28876...
Status: IN_PROGRESS
Alias: CVE-2021-28875, CVE-2021-28876, CVE-2021-28877, CVE-2021-28878, CVE-2021-28879, CVE-2021-31162, CVE-2021-36317, CVE-2021-36318
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal with 1 vote
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa?]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-04-11 22:51 UTC by John Helmert III
Modified: 2021-07-03 15:47 UTC (History)
Package list:
dev-lang/rust-1.51.0-r2 dev-lang/rust-bin-1.51.0 virtual/rust-1.51.0
Runtime testing required: ---
nattka: sanity-check-


Description John Helmert III gentoo-dev Security 2021-04-11 22:51:20 UTC
CVE-2020-36317:

In the standard library in Rust before 1.49.0, String::retain() function has a panic safety problem. It allows creation of a non-UTF-8 Rust string when the provided closure panics. This bug could result in a memory safety violation when other string APIs assume that UTF-8 encoding is used on the same string.

CVE-2021-36318:

In the standard library in Rust before 1.49.0, VecDeque::make_contiguous has a bug that pops the same element more than once under certain condition. This bug could result in a use-after-free or double free.

CVE-2021-28875:

In the standard library in Rust before 1.50.0, read_to_end() does not validate the return value from Read in an unsafe context. This bug could lead to a buffer overflow.

CVE-2021-28876:

In the standard library in Rust before 1.52.0, the Zip implementation has a panic safety issue. It calls __iterator_get_unchecked() more than once for the same index when the underlying iterator panics (in certain conditions). This bug could lead to a memory safety violation due to an unmet safety requirement for the TrustedRandomAccess trait.

CVE-2021-28877:

In the standard library in Rust before 1.51.0, the Zip implementation calls __iterator_get_unchecked() for the same index more than once when nested. This bug can lead to a memory safety violation due to an unmet safety requirement for the TrustedRandomAccess trait.

CVE-2021-28878:

In the standard library in Rust before 1.52.0, the Zip implementation calls __iterator_get_unchecked() more than once for the same index (under certain conditions) when next_back() and next() are used together. This bug could lead to a memory safety violation due to an unmet safety requirement for the TrustedRandomAccess trait.

CVE-2021-28879:

In the standard library in Rust before 1.52.0, the Zip implementation can report an incorrect size due to an integer overflow. This bug can lead to a buffer overflow when a consumed Zip iterator is used again.
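
The String::retain() panic-safety issue described above, shown from the hardening side as an added example (not part of this bug report and not the standard library's code): a drop guard truncates the buffer to the already-compacted prefix, so the string stays valid UTF-8 even when the closure panics midway. `retain_chars`, `TruncateOnDrop` and `after_panic` are hypothetical names, and the sample string is constructed.

```rust
use std::panic::{catch_unwind, AssertUnwindSafe};

/// Hypothetical helper for illustration (not std's code): in-place retain.
pub fn retain_chars<F: FnMut(char) -> bool>(s: &mut String, mut keep: F) {
    // Runs on normal exit and on unwinding: cut the buffer back to the
    // compacted prefix, which only ever holds whole, already-kept chars.
    struct TruncateOnDrop<'a> { buf: &'a mut Vec<u8>, idx: usize, del: usize }
    impl Drop for TruncateOnDrop<'_> {
        fn drop(&mut self) { self.buf.truncate(self.idx - self.del); }
    }
    let len = s.len();
    // SAFETY: the guard leaves `buf` valid UTF-8 on every exit path.
    let mut g = TruncateOnDrop { buf: unsafe { s.as_mut_vec() }, idx: 0, del: 0 };
    while g.idx < len {
        // SAFETY: bytes idx..len are untouched input starting on a char boundary.
        let tail = unsafe { std::str::from_utf8_unchecked(&g.buf[g.idx..len]) };
        let ch = tail.chars().next().unwrap();
        let n = ch.len_utf8();
        if !keep(ch) {
            // `keep` may panic here; the guard then truncates to idx - del.
            g.del += n;
        } else if g.del > 0 {
            // Shift the kept char down over the gap left by removed chars.
            let (i, d) = (g.idx, g.del);
            g.buf.copy_within(i..i + n, i - d);
        }
        g.idx += n;
    }
}

/// Constructed scenario: the closure panics on 'ü', after 'x' was removed
/// and the multi-byte 'é' had already been shifted down.
pub fn after_panic() -> String {
    let mut s = String::from("xéyüz");
    let r = catch_unwind(AssertUnwindSafe(|| {
        retain_chars(&mut s, |c| if c == 'ü' { panic!("closure failed") } else { c != 'x' })
    }));
    assert!(r.is_err());
    s
}

fn main() {
    println!("{:?}", after_panic());
}
```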
Comment 1 John Helmert III gentoo-dev Security 2021-04-18 00:42:23 UTC
CVE-2021-31162:

In the standard library in Rust before 1.53.0, a double free can occur in the Vec::from_iter function if freeing the element panics.
Comment 2 Larry the Git Cow gentoo-dev 2021-04-18 01:24:06 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=65b9e4c1a1c3a2de55637c7977584c5827b66366

commit 65b9e4c1a1c3a2de55637c7977584c5827b66366
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2021-04-18 01:23:09 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2021-04-18 01:23:24 +0000

    dev-lang/rust: security revbump of 1.51.0
    
    Fixes for:
    CVE-2020-36323
    CVE-2021-28876
    CVE-2021-31162
    
    Bug: https://bugs.gentoo.org/782799
    Bug: https://bugs.gentoo.org/782367
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-lang/rust/files/1.51.0-CVE-2020-36323.patch | 175 +++++++
 dev-lang/rust/files/1.51.0-CVE-2021-28876.patch |  39 ++
 dev-lang/rust/files/1.51.0-CVE-2021-28878.patch | 112 +++++
 dev-lang/rust/files/1.51.0-CVE-2021-28879.patch |  84 ++++
 dev-lang/rust/files/1.51.0-CVE-2021-31162.patch | 195 ++++++++
 dev-lang/rust/rust-1.51.0-r1.ebuild             | 622 ++++++++++++++++++++++++
 6 files changed, 1227 insertions(+)
Comment 3 Georgy Yakovlev gentoo-dev 2021-04-18 01:25:36 UTC
I'll focus on 1.51.0 and will avoid older versions.

fixes still needed for CVE-2021-28878 CVE-2021-28879, patches do not apply cleanly and need porting/rebasing. will do later.
Comment 4 tt_1 2021-04-18 07:50:49 UTC
(In reply to Georgy Yakovlev from comment #3)
> I'll focus on 1.51.0 and will avoid older versions.
> 
> fixes still needed for CVE-2021-28878 CVE-2021-28879, patches do not apply
> cleanly and need porting/rebasing. will do later.

but haven't you added patches referring to those two CVE in the last commit? In any case, you can pull in nicely rebased patches from fedora.
Comment 5 Georgy Yakovlev gentoo-dev 2021-04-18 10:15:41 UTC
(In reply to tt_1 from comment #4)
> (In reply to Georgy Yakovlev from comment #3)
> > I'll focus on 1.51.0 and will avoid older versions.
> > 
> > fixes still needed for CVE-2021-28878 CVE-2021-28879, patches do not apply
> > cleanly and need porting/rebasing. will do later.
> 
> but haven't you added patches referring to those two CVE in the last commit?
> In any case, you can pull in nicely rebased patches from fedora.

I did, but those are unused intentionally, just left them in the files/ to rebase later.
thanks, will check fedora's patches.
Comment 6 Larry the Git Cow gentoo-dev 2021-04-18 10:30:18 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c9982cad131a4c026810796850ccb60243ff9406

commit c9982cad131a4c026810796850ccb60243ff9406
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2021-04-18 10:28:48 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2021-04-18 10:29:23 +0000

    dev-lang/rust: security revbump with 2 more patches
    
    switched to fedora's rebased patches
    
    Bug: https://bugs.gentoo.org/782367
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 ...3.patch => rustc-1.51.0-backport-pr81728.patch} | 26 ++++---
 ...6.patch => rustc-1.51.0-backport-pr81741.patch} | 11 ++-
 ...9.patch => rustc-1.51.0-backport-pr82289.patch} | 32 +++++---
 ...8.patch => rustc-1.51.0-backport-pr82292.patch} | 36 +++++----
 ...2.patch => rustc-1.51.0-backport-pr83629.patch} | 89 +++++-----------------
 ...rust-1.51.0-r1.ebuild => rust-1.51.0-r2.ebuild} | 10 +--
 6 files changed, 91 insertions(+), 113 deletions(-)
Comment 7 Georgy Yakovlev gentoo-dev 2021-04-18 11:05:46 UTC
idk what to do with rust-bin btw, as it can't be patched =)

we can try to fast-track new release once it's out and if it contains patches.
Comment 8 Larry the Git Cow gentoo-dev 2021-04-18 11:27:00 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=78b40d2e6a9eb40ce44a8b1177bb759aa41d4f45

commit 78b40d2e6a9eb40ce44a8b1177bb759aa41d4f45
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2021-04-18 11:24:31 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2021-04-18 11:26:25 +0000

    dev-lang/rust: drop rust-1.51.0
    
    Bug: https://bugs.gentoo.org/782367
    Bug: https://bugs.gentoo.org/782799
    Closes: https://bugs.gentoo.org/783468
    
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-lang/rust/rust-1.51.0.ebuild | 617 ---------------------------------------
 1 file changed, 617 deletions(-)
Comment 9 Sam James archtester gentoo-dev Security 2021-04-22 20:11:38 UTC
amd64 done
Comment 10 Sam James archtester gentoo-dev Security 2021-04-22 20:12:22 UTC
amd64 done
Comment 11 Sam James archtester gentoo-dev Security 2021-04-22 20:21:31 UTC
x86 done
Comment 12 Georgy Yakovlev gentoo-dev 2021-04-23 00:43:49 UTC
ppc64 done
Comment 13 Sam James archtester gentoo-dev Security 2021-04-23 13:33:16 UTC
arm64 done
Comment 14 Sam James archtester gentoo-dev Security 2021-04-23 13:33:18 UTC
arm done

all arches done
Comment 15 Georgy Yakovlev gentoo-dev 2021-04-27 18:00:14 UTC
cleanup of all old versions done.

rust-bin-1.51.0 is still vulnerable
rust-1.51.0-r2 is not
Comment 16 Larry the Git Cow gentoo-dev 2021-04-27 18:28:44 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bce433a93aac36134e9826557e90c328077a34f2

commit bce433a93aac36134e9826557e90c328077a34f2
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2021-04-27 18:28:13 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2021-04-27 18:28:28 +0000

    dev-java/openjdk-jre-bin: drop old 11
    
    Bug: https://bugs.gentoo.org/782367
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-java/openjdk-jre-bin/Manifest                  |  2 -
 .../openjdk-jre-bin-11.0.10_p9.ebuild              | 97 ----------------------
 .../openjdk-jre-bin-11.0.9_p11.ebuild              | 97 ----------------------
 3 files changed, 196 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1a56dd109509399af44cec59a2158136f95d359b

commit 1a56dd109509399af44cec59a2158136f95d359b
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2021-04-27 18:27:30 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2021-04-27 18:28:28 +0000

    dev-java/openjdk: drop old 11
    
    Bug: https://bugs.gentoo.org/782367
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-java/openjdk/Manifest                  |   2 -
 dev-java/openjdk/openjdk-11.0.10_p9.ebuild | 272 -----------------------------
 dev-java/openjdk/openjdk-11.0.9_p11.ebuild | 272 -----------------------------
 3 files changed, 546 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c75e137e7d8f5a747f27d597df6c9a356a20ea3f

commit c75e137e7d8f5a747f27d597df6c9a356a20ea3f
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2021-04-27 18:26:28 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2021-04-27 18:28:27 +0000

    dev-java/openjdk-bin: drop old 11.x
    
    Bug: https://bugs.gentoo.org/782367
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-java/openjdk-bin/Manifest                      |   9 --
 dev-java/openjdk-bin/openjdk-bin-11.0.10_p9.ebuild | 132 ---------------------
 dev-java/openjdk-bin/openjdk-bin-11.0.9_p11.ebuild | 111 -----------------
 3 files changed, 252 deletions(-)
Comment 17 Georgy Yakovlev gentoo-dev 2021-04-27 18:29:21 UTC
^ oops, wrong bug, sorry for spam and sorry for more spam.
Comment 18 NATTkA bot gentoo-dev 2021-07-03 07:04:32 UTC
Unable to check for sanity:

> no match for package: dev-lang/rust-1.51.0-r2
Comment 19 Georgy Yakovlev gentoo-dev 2021-07-03 07:08:37 UTC
cleanup done