CVE-2020-36317: In the standard library in Rust before 1.49.0, the String::retain() function has a panic safety problem. It allows creation of a non-UTF-8 Rust string when the provided closure panics. This bug could result in a memory safety violation when other string APIs assume that UTF-8 encoding is used on the same string.

CVE-2021-36318: In the standard library in Rust before 1.49.0, VecDeque::make_contiguous has a bug that pops the same element more than once under certain conditions. This bug could result in a use-after-free or double free.

CVE-2021-28875: In the standard library in Rust before 1.50.0, read_to_end() does not validate the return value from Read in an unsafe context. This bug could lead to a buffer overflow.

CVE-2021-28876: In the standard library in Rust before 1.52.0, the Zip implementation has a panic safety issue. It calls __iterator_get_unchecked() more than once for the same index when the underlying iterator panics (in certain conditions). This bug could lead to a memory safety violation due to an unmet safety requirement for the TrustedRandomAccess trait.

CVE-2021-28877: In the standard library in Rust before 1.51.0, the Zip implementation calls __iterator_get_unchecked() for the same index more than once when nested. This bug can lead to a memory safety violation due to an unmet safety requirement for the TrustedRandomAccess trait.

CVE-2021-28878: In the standard library in Rust before 1.52.0, the Zip implementation calls __iterator_get_unchecked() more than once for the same index (under certain conditions) when next_back() and next() are used together. This bug could lead to a memory safety violation due to an unmet safety requirement for the TrustedRandomAccess trait.

CVE-2021-28879: In the standard library in Rust before 1.52.0, the Zip implementation can report an incorrect size due to an integer overflow. This bug can lead to a buffer overflow when a consumed Zip iterator is used again.
CVE-2021-31162: In the standard library in Rust before 1.53.0, a double free can occur in the Vec::from_iter function if freeing the element panics.
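To illustrate the String::retain() panic-safety class described above (CVE-2020-36317), here is an added example that is not code from the Rust standard library, from the Gentoo patches, or from this bug: it models the String invariant on a Vec<u8> wrapper, shows the pre-fix algorithm shape leaving a non-UTF-8 buffer when the caller's closure panics, and shows the drop-guard form that keeps the invariant on unwinding. Utf8Buf, first_char, retain_unsound, retain_sound and retain_with_panicking_closure are hypothetical names, and "aéb" is a constructed input.

```rust
/// Byte buffer with the same invariant as `String`: `bytes` must be valid UTF-8.
struct Utf8Buf { bytes: Vec<u8> }

/// First char of `tail`; bytes past the cursor are never touched by compaction, so they stay valid.
fn first_char(tail: &[u8]) -> char { std::str::from_utf8(tail).unwrap().chars().next().unwrap() }

impl Utf8Buf {
    /// Checked view; `String` would trust the invariant here without checking.
    fn as_str(&self) -> Option<&str> { std::str::from_utf8(&self.bytes).ok() }

    /// Shape of the pre-1.49 algorithm: kept chars are compacted towards the front
    /// while scanning and the length is only fixed up at the end, so a panic in `f`
    /// after a compaction leaves stale bytes (e.g. half of a 2-byte char) in range.
    fn retain_unsound<F: FnMut(char) -> bool>(&mut self, mut f: F) {
        let (len, mut idx, mut del) = (self.bytes.len(), 0usize, 0usize);
        while idx < len {
            let ch = first_char(&self.bytes[idx..]);
            let n = ch.len_utf8();
            if !f(ch) { del += n } else if del > 0 { self.bytes.copy_within(idx..idx + n, idx - del) }
            idx += n;
        }
        self.bytes.truncate(len - del);
    }

    /// Panic-safe variant: a drop guard truncates to the compacted prefix
    /// (`idx - del`) on every exit path, including unwinding out of `f`.
    fn retain_sound<F: FnMut(char) -> bool>(&mut self, mut f: F) {
        struct Guard<'a> { buf: &'a mut Vec<u8>, idx: usize, del: usize }
        impl Drop for Guard<'_> { fn drop(&mut self) { self.buf.truncate(self.idx - self.del) } }
        let len = self.bytes.len();
        let mut g = Guard { buf: &mut self.bytes, idx: 0, del: 0 };
        while g.idx < len {
            let ch = first_char(&g.buf[g.idx..]);
            let (n, i, d) = (ch.len_utf8(), g.idx, g.del);
            if !f(ch) { g.del += n } else if d > 0 { g.buf.copy_within(i..i + n, i - d) }
            g.idx += n;
        }
    }
}

/// Constructed input "aéb" with a closure that drops 'a' and panics on 'b';
/// returns (still valid UTF-8?, bytes left behind) after the panic is caught.
fn retain_with_panicking_closure(sound: bool) -> (bool, Vec<u8>) {
    let mut buf = Utf8Buf { bytes: "aéb".as_bytes().to_vec() };
    let f = |c: char| { if c == 'b' { panic!("closure panicked") } c != 'a' };
    std::panic::catch_unwind(std::panic::AssertUnwindSafe(|| {
        if sound { buf.retain_sound(f) } else { buf.retain_unsound(f) }
    })).expect_err("the closure should have panicked");
    (buf.as_str().is_some(), buf.bytes.clone())
}
```

The same guard-on-drop pattern is what any implementation needs when it temporarily breaks an invariant while running caller-supplied code, which is also the shape of the Zip and Vec::from_iter fixes listed here.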
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=65b9e4c1a1c3a2de55637c7977584c5827b66366

commit 65b9e4c1a1c3a2de55637c7977584c5827b66366
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2021-04-18 01:23:09 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2021-04-18 01:23:24 +0000

    dev-lang/rust: security revbump of 1.51.0

    Fixes for:
    CVE-2020-36323
    CVE-2021-28876
    CVE-2021-31162

    Bug: https://bugs.gentoo.org/782799
    Bug: https://bugs.gentoo.org/782367
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-lang/rust/files/1.51.0-CVE-2020-36323.patch | 175 +++++++
 dev-lang/rust/files/1.51.0-CVE-2021-28876.patch |  39 ++
 dev-lang/rust/files/1.51.0-CVE-2021-28878.patch | 112 +++++
 dev-lang/rust/files/1.51.0-CVE-2021-28879.patch |  84 ++++
 dev-lang/rust/files/1.51.0-CVE-2021-31162.patch | 195 ++++++++
 dev-lang/rust/rust-1.51.0-r1.ebuild             | 622 ++++++++++++++++++++++++
 6 files changed, 1227 insertions(+)
I'll focus on 1.51.0 and will avoid older versions.

Fixes still needed for CVE-2021-28878 and CVE-2021-28879; patches do not apply cleanly and need porting/rebasing. Will do later.
(In reply to Georgy Yakovlev from comment #3)
> I'll focus on 1.51.0 and will avoid older versions.
>
> fixes still needed for CVE-2021-28878 CVE-2021-28879, patches do not apply
> cleanly and need porting/rebasing. will do later.

But haven't you added patches referring to those two CVEs in the last commit?
In any case, you can pull in nicely rebased patches from Fedora.
(In reply to tt_1 from comment #4)
> (In reply to Georgy Yakovlev from comment #3)
> > I'll focus on 1.51.0 and will avoid older versions.
> >
> > fixes still needed for CVE-2021-28878 CVE-2021-28879, patches do not apply
> > cleanly and need porting/rebasing. will do later.
>
> but haven't you added patches refering to those two CVE in the last commit?
> In any case, you can pull in nicely rebased patches from fedora.

I did, but those are unused intentionally; I just left them in files/ to rebase later. Thanks, will check Fedora's patches.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c9982cad131a4c026810796850ccb60243ff9406

commit c9982cad131a4c026810796850ccb60243ff9406
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2021-04-18 10:28:48 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2021-04-18 10:29:23 +0000

    dev-lang/rust: security revbump with 2 more patches

    switched to fedora's rebased patches

    Bug: https://bugs.gentoo.org/782367
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 ...3.patch => rustc-1.51.0-backport-pr81728.patch} | 26 ++++---
 ...6.patch => rustc-1.51.0-backport-pr81741.patch} | 11 ++-
 ...9.patch => rustc-1.51.0-backport-pr82289.patch} | 32 +++++---
 ...8.patch => rustc-1.51.0-backport-pr82292.patch} | 36 +++++----
 ...2.patch => rustc-1.51.0-backport-pr83629.patch} | 89 +++++----------------
 ...rust-1.51.0-r1.ebuild => rust-1.51.0-r2.ebuild} | 10 +--
 6 files changed, 91 insertions(+), 113 deletions(-)
idk what to do with rust-bin btw, as it can't be patched =) We can try to fast-track the new release once it's out, if it contains the patches.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=78b40d2e6a9eb40ce44a8b1177bb759aa41d4f45

commit 78b40d2e6a9eb40ce44a8b1177bb759aa41d4f45
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2021-04-18 11:24:31 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2021-04-18 11:26:25 +0000

    dev-lang/rust: drop rust-1.51.0

    Bug: https://bugs.gentoo.org/782367
    Bug: https://bugs.gentoo.org/782799
    Closes: https://bugs.gentoo.org/783468
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-lang/rust/rust-1.51.0.ebuild | 617 ---------------------------------------
 1 file changed, 617 deletions(-)
amd64 done
x86 done
ppc64 done
arm64 done
arm done

all arches done
cleanup of all old versions done.

rust-bin-1.51.0 is still vulnerable, rust-1.51.0-r2 is not.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bce433a93aac36134e9826557e90c328077a34f2

commit bce433a93aac36134e9826557e90c328077a34f2
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2021-04-27 18:28:13 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2021-04-27 18:28:28 +0000

    dev-java/openjdk-jre-bin: drop old 11

    Bug: https://bugs.gentoo.org/782367
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-java/openjdk-jre-bin/Manifest     |  2 -
 .../openjdk-jre-bin-11.0.10_p9.ebuild | 97 ----------------------
 .../openjdk-jre-bin-11.0.9_p11.ebuild | 97 ----------------------
 3 files changed, 196 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1a56dd109509399af44cec59a2158136f95d359b

commit 1a56dd109509399af44cec59a2158136f95d359b
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2021-04-27 18:27:30 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2021-04-27 18:28:28 +0000

    dev-java/openjdk: drop old 11

    Bug: https://bugs.gentoo.org/782367
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-java/openjdk/Manifest                  |   2 -
 dev-java/openjdk/openjdk-11.0.10_p9.ebuild | 272 -----------------------------
 dev-java/openjdk/openjdk-11.0.9_p11.ebuild | 272 -----------------------------
 3 files changed, 546 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c75e137e7d8f5a747f27d597df6c9a356a20ea3f

commit c75e137e7d8f5a747f27d597df6c9a356a20ea3f
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2021-04-27 18:26:28 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2021-04-27 18:28:27 +0000

    dev-java/openjdk-bin: drop old 11.x

    Bug: https://bugs.gentoo.org/782367
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-java/openjdk-bin/Manifest                      |   9 --
 dev-java/openjdk-bin/openjdk-bin-11.0.10_p9.ebuild | 132 ---------------------
 dev-java/openjdk-bin/openjdk-bin-11.0.9_p11.ebuild | 111 -----------------
 3 files changed, 252 deletions(-)
^ oops, wrong bug, sorry for spam and sorry for more spam.
Unable to check for sanity:

> no match for package: dev-lang/rust-1.51.0-r2
cleanup done
GLSA request filed
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=cda5f646cd9bc370223b79be59deee389a0caeef

commit cda5f646cd9bc370223b79be59deee389a0caeef
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-10-16 14:43:11 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-16 14:45:25 +0000

    [ GLSA 202210-09 ] Rust: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/782367
    Bug: https://bugs.gentoo.org/807052
    Bug: https://bugs.gentoo.org/821157
    Bug: https://bugs.gentoo.org/831638
    Bug: https://bugs.gentoo.org/870166
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202210-09.xml | 76 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 76 insertions(+)
GLSA released, all done!