From f2c5747e9f0379cd716c7c2c4db072254bb42faa Mon Sep 17 00:00:00 2001 From: Uli Schlachter Date: Thu, 4 Feb 2021 19:39:45 +0100 Subject: [PATCH 1/2] Report various rust-xcb issues to RustSec Closes: https://github.com/RustSec/advisory-db/issues/653 --- crates/xcb/RUSTSEC-0000-0000.md | 70 +++++++++++++++++++++++++++++++++ 1 file changed, 70 insertions(+) create mode 100644 crates/xcb/RUSTSEC-0000-0000.md diff --git a/crates/xcb/RUSTSEC-0000-0000.md b/crates/xcb/RUSTSEC-0000-0000.md new file mode 100644 index 0000000..f0018c8 --- /dev/null +++ b/crates/xcb/RUSTSEC-0000-0000.md 
@@ -0,0 +1,70 @@ +```toml +[advisory] +id = "RUSTSEC-0000-0000" +package = "xcb" +date = "2021-02-04" +categories = ["memory-corruption", "memory-exposure"] + +[versions] +patched = [] +``` + +# Multiple soundness issues and unmaintained + +## Calls `std::str::from_utf8_unchecked()` without any checks + +The function `xcb::xproto::GetAtomNameReply::name()` calls +`std::str::from_utf8_unchecked()` on the raw bytes that were received from the +X11 server without any validity checks. The X11 server only prevents interior +null bytes, but otherwise allows any X11 client to create an atom for arbitrary +bytes. + +This issue is tracked here: https://github.com/rtbo/rust-xcb/issues/96 + +## `xcb::xproto::GetPropertyReply::value()` allows arbitrary return types + +The function `xcb::xproto::GetPropertyReply::value()` returns a slice of type +`T` where `T` is an unconstrained type parameter. The raw bytes received from +the X11 server are interpreted as the requested type. + +The users of the `xcb` crate are advised to only call this function with the +intended types. These are `u8`, `u16`, and `u32`. + +This issue is tracked here: https://github.com/rtbo/rust-xcb/issues/95 + +## Out of bounds read in `xcb::xproto::change_property()` + +`xcb::xproto::change_property` has (among others) the arguments `format: u8` and +`data: &[T]`. The intended use is one of the following cases: +- `format = 8` and `T = u8` +- `format = 16` and `T = u16` +- `format = 32` and `T = u32` +However, this constraint is not enforced. For example, it is possible to call +the function with `format = 32` and `T = u8`. In this case, a read beyond the +end of the `data` slice is performed and the bytes are sent to the X11 server. + +The users of the `xcb` crate are advised to only call this function with one of +the intended argument combinations. 
+ +This issue is tracked here: https://github.com/rtbo/rust-xcb/issues/94 + +## 'Safe' wrapper around `std::mem::transmute()` + +The function `xcb::base::cast_event()` takes a reference to a +`xcb::base::GenericEvent` and returns a reference to an arbitrary type, as +requested by the caller (or found via type interference). The function is +implemented as a direct call to `std::mem::transmute()`. Since the return type +is not constrained, this allows transmution to an incorrect type or a type that +is larger than the X11 event that was passed in. + +X11 events are mostly always 32 bytes large and this function works as intended. + +Users are advised to only cast to the event structs provided by the `xcb` crate +(and hope for the best). + +This issue is tracked here: https://github.com/rtbo/rust-xcb/issues/78 + +## xcb is unmaintained + +The `xcb` crate is no longer maintained by its current owner and a replacement +is sought. From 2253445a0829ddc97f2ed2929c750f24d52b614b Mon Sep 17 00:00:00 2001 From: "Sergey \"Shnatsel\" Davidoff" Date: Thu, 4 Feb 2021 20:54:11 +0100 Subject: [PATCH 2/2] Update RUSTSEC-0000-0000.md --- crates/xcb/RUSTSEC-0000-0000.md | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/crates/xcb/RUSTSEC-0000-0000.md b/crates/xcb/RUSTSEC-0000-0000.md index f0018c8..5e2dc83 100644 --- a/crates/xcb/RUSTSEC-0000-0000.md +++ b/crates/xcb/RUSTSEC-0000-0000.md @@ -9,7 +9,7 @@ categories = ["memory-corruption", "memory-exposure"] patched = [] ``` -# Multiple soundness issues and unmaintained +# Multiple soundness issues ## Calls `std::str::from_utf8_unchecked()` without any checks @@ -63,8 +63,3 @@ Users are advised to only cast to the event structs provided by the `xcb` crate (and hope for the best). This issue is tracked here: https://github.com/rtbo/rust-xcb/issues/78 - -## xcb is unmaintained - -The `xcb` crate is no longer maintained by its current owner and a replacement -is sought.
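Review bot: the advisory front matter in the first commit's hunk has no `informational` field, yet every section in the body describes a safe API that is unsound under caller misuse (`value()`, `change_property()`, `cast_event()`) rather than a bug reachable through intended use; add `informational = "unsound"` so the advisory is classified as a soundness notice, and consider a `url` field pointing at one of the four upstream issues instead of leaving them only as inline links. Smaller points in the same hunk: `type interference` should be `type inference` and `transmution` should be `transmutation` in the `cast_event()` section; the bullet list following `The intended use is one of the following cases:` has no blank line before or after it, so Markdown may fold it into the surrounding paragraphs; `X11 events are mostly always 32 bytes large` is vague for an advisory (either name the cases where they are larger or drop `mostly`); and `(and hope for the best)` reads as editorial rather than mitigation advice.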
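Review bot: the title hunk of the second commit drops `and unmaintained` without recording why; the commit message `Update RUSTSEC-0000-0000.md` says nothing, so state in the commit message or PR description that the unmaintained status is being split out (for example into a separate `informational = "unmaintained"` advisory), otherwise the change reads as a reversal of the first commit rather than a deliberate scope decision.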
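Review bot: the second hunk of the second commit removes the `xcb is unmaintained` section, which was the only statement that the crate's owner is seeking a replacement, and nothing in the diff points to where that status is now tracked; either reference the follow-up unmaintained advisory here or in the PR, or keep a one-line pointer, so a reader of this soundness advisory is not left unaware of it. The file now ends cleanly at the `issues/78` line, so no trailing blank line is needed.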