rust-stackvector package is vulnerable to CVE-2021-29939

  • Done
Details
2 participants
  • Léo Le Bouter
  • zimoun
Owner
unassigned
Submitted by
Léo Le Bouter
Severity
normal
Léo Le Bouter wrote on 1 Apr 2021 15:47
(address . bug-guix@gnu.org)
5880a0d2db58bae9f641e746f405fe4cd0e1bca3.camel@zaclys.net
CVE-2021-29939 07:15
An issue was discovered in the stackvector crate through 2021-02-19 for
Rust. There is an out-of-bounds write in StackVec::extend if size_hint
provides certain anomalous data.

No fix released upstream yet:
https://github.com/Alexhuszagh/rust-stackvector/issues/2

Out of bounds write sounds like it could have dangerous consequences,
not sure how likely is "size_hint provides certain anomalous data"
though.


Léo Le Bouter wrote on 1 Apr 2021 15:48
(address . control@debbugs.gnu.org)
06f7440304edd37fb4282849db818c23805c7229.camel@zaclys.net
tags 47542 + security
quit


zimoun wrote on 28 Jun 2021 10:06
(name . Léo Le Bouter)(address . lle-bout@zaclys.net)(address . 47542@debbugs.gnu.org)
86y2aufm6l.fsf@gmail.com
Hi,

On Thu, 01 Apr 2021 at 15:47, Léo Le Bouter <lle-bout@zaclys.net> wrote:
> CVE-2021-29939 07:15
> An issue was discovered in the stackvector crate through 2021-02-19 for
> Rust. There is an out-of-bounds write in StackVec::extend if size_hint
> provides certain anomalous data.
>
> No fix released upstream yet:
> https://github.com/Alexhuszagh/rust-stackvector/issues/2
>
> Out of bounds write sounds like it could have dangerous consequences,
> not sure how likely is "size_hint provides certain anomalous data"
> though.

Thanks for the report.

Commit 015cd2e86e779907085d356c69b6091dc8ac1788 updating to 1.1.1 should
fix the security issue; as upstream said. So, closing.

All the best,
simon
zimoun wrote on 28 Jun 2021 10:06
control message for bug #47542
(address . control@debbugs.gnu.org)
86wnqefm6f.fsf@gmail.com
tags 47542 fixed
close 47542
quit
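
On the question raised in the report about how likely "anomalous" size_hint data is: the sketch below is an added example, not code from this thread or from the stackvector crate, showing that any safe Rust iterator may return a size_hint that disagrees with what it yields, and a fixed-capacity extend that stays in bounds regardless. `FixedVec`, `LyingIter`, `extend_checked` and `demo` are hypothetical names chosen for the illustration.

```rust
// Added illustration: FixedVec and LyingIter are hypothetical names, not stackvector's API.
pub struct FixedVec<const N: usize> { buf: [u32; N], len: usize }

impl<const N: usize> FixedVec<N> {
    pub fn new() -> Self { Self { buf: [0; N], len: 0 } }
    pub fn as_slice(&self) -> &[u32] { &self.buf[..self.len] }

    /// Bounds-checked push: hands the value back when the buffer is full.
    pub fn try_push(&mut self, v: u32) -> Result<(), u32> {
        if self.len == N { return Err(v); }
        self.buf[self.len] = v;
        self.len += 1;
        Ok(())
    }

    /// Extend without consulting size_hint: every write is checked against N.
    /// Ok(n): all n items stored. Err(n): n stored, then capacity ran out.
    pub fn extend_checked<I: IntoIterator<Item = u32>>(&mut self, iter: I) -> Result<usize, usize> {
        let mut stored = 0;
        for v in iter {
            if self.try_push(v).is_err() { return Err(stored); }
            stored += 1;
        }
        Ok(stored)
    }
}

/// Iterator whose size_hint disagrees with what next() yields. This is legal
/// safe Rust: size_hint is advisory, so code must not rely on it for memory safety.
pub struct LyingIter { pub left: u32, pub claimed: usize }

impl Iterator for LyingIter {
    type Item = u32;
    fn next(&mut self) -> Option<u32> {
        if self.left == 0 { return None; }
        self.left -= 1;
        Some(self.left)
    }
    fn size_hint(&self) -> (usize, Option<usize>) { (self.claimed, Some(self.claimed)) }
}

pub fn demo() -> (Result<usize, usize>, Result<usize, usize>, Vec<u32>) {
    let mut v = FixedVec::<4>::new(); // constructed sample: capacity 4
    let a = v.extend_checked(LyingIter { left: 3, claimed: 0 });  // claims 0, yields 3
    let b = v.extend_checked(LyingIter { left: 10, claimed: 1 }); // claims 1, yields 10
    (a, b, v.as_slice().to_vec())
}

fn main() { println!("{:?}", demo()); }
```

The second call stops after filling the last free slot and reports the overflow instead of writing past the buffer.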