Merge branch 'master' into smuggling

README.md

@@ -52,6 +52,10 @@ url = "https://github.com/mystuff/mycrate/issues/123"
 # "format-injection", "memory-corruption", "memory-exposure", "privilege-escalation"
 categories = ["crypto-failure"]
 
+# Optional: a Common Vulnerability Scoring System score. More information
+# can be found on the CVSS website, https://www.first.org/cvss/.
+#cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+
 # Freeform keywords which describe this vulnerability, similar to Cargo (optional)
 keywords = ["ssl", "mitm"]
 

crates/bitvec/RUSTSEC-2020-0007.toml

@@ -0,0 +1,19 @@
+[advisory]
+id = "RUSTSEC-2020-0007"
+package = "bitvec"
+date = "2020-03-27"
+title = "use-after or double free of allocated memory"
+url = "https://github.com/myrrlyn/bitvec/issues/55"
+categories = ["memory-corruption"]
+description = """
+Conversion of `BitVec` to `BitBox` did not account for allocation movement.
+
+The flaw was corrected by using the address after resizing, rather than the original base address.
+"""
+
+[affected.functions]
+"bitvec::vec::BitVec::into_boxed_bitslice" = ["< 0.17.4, >= 0.11.0"]
+
+[versions]
+patched = [">= 0.17.4"]
+unaffected = ["< 0.11.0"]

crates/bumpalo/RUSTSEC-2020-0006.toml

@@ -0,0 +1,42 @@
+[advisory]
+id = "RUSTSEC-2020-0006"
+package = "bumpalo"
+date = "2020-03-24"
+title = "Flaw in `realloc` allows reading unknown memory"
+url = "https://github.com/fitzgen/bumpalo/issues/69"
+categories = ["memory-exposure"]
+description = """
+When `realloc`ing, if we allocate new space, we need to copy the old
+allocation's bytes into the new space. There are `old_size` number of bytes in
+the old allocation, but we were accidentally copying `new_size` number of bytes,
+which could lead to copying bytes into the realloc'd space from past the chunk
+that we're bump allocating out of, from unknown memory.
+
+If an attacker can cause `realloc`s, and can read the `realoc`ed data back,
+this could allow them to read things from other regions of memory that they
+shouldn't be able to. For example, if some crypto keys happened to live in
+memory right after a chunk we were bump allocating out of, this could allow
+the attacker to read the crypto keys.
+
+Beyond just fixing the bug and adding a regression test, I've also taken two
+additional steps:
+
+1. While we were already running the testsuite under `valgrind` in CI, because
+   `valgrind` exits with the same code that the program did, if there are
+   invalid reads/writes that happen not to trigger a segfault, the program can
+   still exit OK and we will be none the wiser. I've enabled the
+   `--error-exitcode=1` flag for `valgrind` in CI so that tests eagerly fail
+   in these scenarios.
+
+2. I've written a quickcheck test to exercise `realloc`. Without the bug fix
+   in this patch, this quickcheck immediately triggers invalid reads when run
+   under `valgrind`. We didn't previously have quickchecks that exercised
+   `realloc` beacuse `realloc` isn't publicly exposed directly, and instead
+   can only be indirectly called. This new quickcheck test exercises `realloc`
+   via `bumpalo::collections::Vec::resize` and
+   `bumpalo::collections::Vec::shrink_to_fit` calls.
+"""
+
+[versions]
+patched = [">= 3.2.1"]
+unaffected = ["< 3.0.0"]

crates/cbox/RUSTSEC-2020-0005.toml

@@ -0,0 +1,15 @@
+[advisory]
+id = "RUSTSEC-2020-0005"
+package = "cbox"
+date = "2020-03-19"
+title = "CBox API allows to de-reference raw pointers without `unsafe` code"
+url = "https://github.com/TomBebbington/cbox-rs/issues/2"
+categories = ["memory-corruption"]
+description = """
+`CBox` and `CSemiBox` are part of the public API of the cbox crate
+and they allow to create smart pointers from raw pointers and de-reference
+them without the need of `unsafe` code.
+"""
+
+[versions]
+patched = []

crates/flatbuffers/RUSTSEC-2019-0028.toml

@@ -15,5 +15,5 @@ allows to violate these requirements and invoke undefined behaviour in safe code
 "flatbuffers::Follow::follow" = [">= 0.4.0", "<= 0.6.0"]
 
 [versions]
-patched = []
+patched = [">= 0.6.1"]
 unaffected = ["< 0.4.0"]