From 3c0458d26bd19e30dc19ae5ca9a4540cc9c0394b Mon Sep 17 00:00:00 2001
From: Tony Arcieri
Date: Tue, 26 Jun 2018 00:13:01 +0100
Subject: [PATCH] Assign RUSTSEC-2018-0001 to untrusted

Original PR: https://github.com/RustSec/advisory-db/pull/24
---
 Advisories.toml | 23 +++++++++++++++++++
 ...-0000-0000.toml => RUSTSEC-2018-0001.toml} | 20 ----------------
 2 files changed, 23 insertions(+), 20 deletions(-)
 rename crates/untrusted/{RUSTSEC-0000-0000.toml => RUSTSEC-2018-0001.toml} (55%)

diff --git a/Advisories.toml b/Advisories.toml
index 2da985f..12a442c 100644
--- a/Advisories.toml
+++ b/Advisories.toml
@@ -88,3 +88,26 @@ will panic if the value is greater than 2^64/1000 and less than or equal to
 This flaw was corrected by explicitly checking for the `Max-Age` being in
 this integer range and clamping the value to the maximum duration value.
 """
+
+[[advisory]]
+id = "RUSTSEC-2018-0001"
+package = "untrusted"
+unaffected_versions = []
+patched_versions = [">= 0.6.2"]
+dwf = []
+url = "https://github.com/briansmith/untrusted/pull/20"
+title = "An integer underflow could lead to panic"
+date = "2018-06-21"
+description = """
+A mistake in error handling in untrusted before 0.6.2 could lead to an integer
+underflow and panic if a user of the crate didn't properly check for errors
+returned by untrusted.
+
+Combination of these two programming errors (one in untrusted and another by
+user of this crate) could lead to a panic and maybe a denial of service of
+affected software.
+
+The error in untrusted is fixed in release 0.6.2 released 2018-06-21. It's also
+advisable that users of untrusted check for their sources for cases where errors
+returned by untrusted are not handled correctly.
+"""
diff --git a/crates/untrusted/RUSTSEC-0000-0000.toml b/crates/untrusted/RUSTSEC-2018-0001.toml
similarity index 55%
rename from crates/untrusted/RUSTSEC-0000-0000.toml
rename to crates/untrusted/RUSTSEC-2018-0001.toml
index 4d4ce16..6e3cc11 100644
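Review bot: The new `description` names neither the untrusted API nor the kind of input that triggers the underflow, so someone triaging a dependency tree cannot tell from this entry alone whether their usage pattern is affected without following the PR in `url`; one sentence naming the operation that underflows when an ignored error value is reused would make the advisory self-contained. With `unaffected_versions = []` and `patched_versions = [">= 0.6.2"]` every earlier release is implied affected, which is worth saying explicitly in the text since the panic as described also requires a caller-side bug and readers may otherwise assume only misusing callers need to upgrade. `dwf = []` ships with no CVE or DWF identifier, which the removed template comments in the same commit call strongly recommended; if one is assigned later, note that this entry and the per-crate file carry duplicated fields that presumably must be updated together. Minor wording on the second-to-last description line: `advisable that users of untrusted check their sources for cases where errors` (drop the stray "for").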
--- a/crates/untrusted/RUSTSEC-0000-0000.toml
+++ b/crates/untrusted/RUSTSEC-2018-0001.toml
@@ -1,31 +1,11 @@
 [advisory]
 package = "untrusted"
-
-# Versions which were never vulnerable
 unaffected_versions = []
-
-# Versions which include fixes for this vulnerability
 patched_versions = [">= 0.6.2"]
-
-# It is strongly recommended to request a CVE, or alternatively a DWF, and
-# reference the assigned number here.
-# - CVE: https://iwantacve.org/
-# - DWF: https://distributedweaknessfiling.org/
 dwf = []
-# dwf = ["CVE-YYYY-XXXX"]
-# dwf = ["CVE-YYYY-XXXX", "CVE-ZZZZ-WWWW"]
-
-# URL to a long-form description of this issue, e.g. a blogpost announcing
-# the release or a changelog entry (optional)
 url = "https://github.com/briansmith/untrusted/pull/20"
-
-# Single-line description of a vulnerability
 title = "An integer underflow could lead to panic"
-
-# Disclosure date of the advisory (RFC 3339)
 date = "2018-06-21"
-
-# Enter a short-form description of the vulnerability here (required)
 description = """
 A mistake in error handling in untrusted before 0.6.2 could lead to an integer
 underflow and panic if a user of the crate didn't properly check for errors