From 7b0c69752010e65b09573eb9245987ff7f7f0c6c Mon Sep 17 00:00:00 2001
From: "pinkforest(she/her)" <36498018+pinkforest@users.noreply.github.com>
Date: Tue, 10 Jan 2023 01:08:18 +1100
Subject: [PATCH] Add `tokio` CVE-2023-22466 (#1510)

* Add tokio CVE-2023-22466

* Syntax

* Syntax

* Syntax
---
 crates/tokio/RUSTSEC-0000-0000.md | 39 +++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100644 crates/tokio/RUSTSEC-0000-0000.md

diff --git a/crates/tokio/RUSTSEC-0000-0000.md b/crates/tokio/RUSTSEC-0000-0000.md
new file mode 100644
index 0000000..01b1274
--- /dev/null
+++ b/crates/tokio/RUSTSEC-0000-0000.md
@@ -0,0 +1,39 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "tokio"
+aliases = ["CVE-2023-22466", "GHSA-7rrj-xr53-82p7"]
+date = "2023-01-04"
+url = "https://github.com/tokio-rs/tokio/security/advisories/GHSA-7rrj-xr53-82p7"
+references = ["https://github.com/tokio-rs/tokio/pull/5336", "https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createnamedpipea#pipe_reject_remote_clients"]
+keywords = ["configuration failure"]
+
+[versions]
+patched = [">= 1.18.4, < 1.19.0", ">= 1.20.3, < 1.21.0", ">= 1.23.1"]
+unaffected = ["< 1.7.0"]
+
+[affected]
+os = ["windows"]
+```
+
+# reject_remote_clients Configuration corruption
+
+On Windows, configuring a named pipe server with [pipe_mode] will force [ServerOptions]::[reject_remote_clients] as `false`.
+
+This drops any intended explicit configuration for the [reject_remote_clients] that may have been set as `true` previously.
+
+The default setting of [reject_remote_clients] is normally `true` meaning the default is also overriden as `false`.
+
+## Workarounds
+
+Ensure that [pipe_mode] is set first after initializing a [ServerOptions]. For example:
+
+```rust
+let mut opts = ServerOptions::new();
+opts.pipe_mode(PipeMode::Message);
+opts.reject_remote_clients(true);
+```
+
+[ServerOptions]: https://docs.rs/tokio/latest/tokio/net/windows/named_pipe/struct.ServerOptions.html
+[pipe_mode]: https://docs.rs/tokio/latest/tokio/net/windows/named_pipe/struct.ServerOptions.html#method.pipe_mode
+[reject_remote_clients]: https://docs.rs/tokio/latest/tokio/net/windows/named_pipe/struct.ServerOptions.html#method.reject_remote_clients
\ No newline at end of file