From 868651a1c2e48c4d4e39a43a1c72d69b1fa5dde9 Mon Sep 17 00:00:00 2001 From: JOE1994 Date: Wed, 27 Jan 2021 10:46:49 -0500 Subject: [PATCH 1/2] Report 0110-libp2p-deflate to RustSec --- crates/libp2p-deflate/RUSTSEC-0000-0000.md | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 crates/libp2p-deflate/RUSTSEC-0000-0000.md diff --git a/crates/libp2p-deflate/RUSTSEC-0000-0000.md b/crates/libp2p-deflate/RUSTSEC-0000-0000.md new file mode 100644 index 0000000..325126e --- /dev/null +++ b/crates/libp2p-deflate/RUSTSEC-0000-0000.md @@ -0,0 +1,20 @@ +```toml +[advisory] +id = "RUSTSEC-0000-0000" +package = "libp2p-deflate" +date = "2020-01-24" +url = "https://github.com/libp2p/rust-libp2p/issues/1932" +categories = ["memory-exposure"] + +[versions] +patched = [">= 0.27.1"] +``` + +# Undefined data exposed in DeflateOutput's AsyncRead implementation + +Affected versions of this crate passes an uninitialized buffer to a user-provided trait function `AsyncRead::poll_read()`. + +Arbitrary `AsyncRead::poll_read()` implementations can read from the uninitialized buffer (memory exposure) and also can return incorrect number of bytes written to the buffer. +Reading from uninitialized memory produces undefined values that can quickly invoke undefined behavior. + +The flaw was fixed in commit 5ba266a by ensuring the newly allocated part of the buffer is zero-initialized before passing it to a user-provided `AsyncRead::poll_read()`. From 0788bf440fb7886002f105b2474e60065d44426b Mon Sep 17 00:00:00 2001 From: "Sergey \"Shnatsel\" Davidoff" Date: Wed, 27 Jan 2021 17:02:15 +0100 Subject: [PATCH 2/2] reword title --- crates/libp2p-deflate/RUSTSEC-0000-0000.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crates/libp2p-deflate/RUSTSEC-0000-0000.md b/crates/libp2p-deflate/RUSTSEC-0000-0000.md index 325126e..3813f58 100644 --- a/crates/libp2p-deflate/RUSTSEC-0000-0000.md +++ b/crates/libp2p-deflate/RUSTSEC-0000-0000.md 
@@ -10,7 +10,7 @@ categories = ["memory-exposure"] patched = [">= 0.27.1"] ``` -# Undefined data exposed in DeflateOutput's AsyncRead implementation +# Contents of uninitialized memory exposed in DeflateOutput's AsyncRead implementation Affected versions of this crate passes an uninitialized buffer to a user-provided trait function `AsyncRead::poll_read()`.
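Review bot: In the `[advisory]` table added by PATCH 1/2, `date = "2020-01-24"` is a year earlier than the patch's own date of 27 Jan 2021, so it looks like a typo for 2021-01-24; please check it against the linked issue and correct it if so. In the description, the second paragraph says a `poll_read()` implementation can also return an incorrect number of bytes written to the buffer, but the closing sentence about the fix only mentions zero-initializing the newly allocated part of the buffer. One more sentence stating whether the returned length is checked after the fix would let readers judge whether `>= 0.27.1` covers both problems.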
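Review bot: In PATCH 2/2, the trailing context line of the retitle hunk still reads "Affected versions of this crate passes an uninitialized buffer"; since this commit already touches the file, fix the subject-verb agreement ("pass") in the same change. The new heading itself matches `categories = ["memory-exposure"]` better than "Undefined data", so no change is needed there.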