diff --git a/README.md b/README.md
index 871ebd6..9da1d59 100644
--- a/README.md
+++ b/README.md
@@ -52,6 +52,10 @@ url = "https://github.com/mystuff/mycrate/issues/123"
 # "format-injection", "memory-corruption", "memory-exposure", "privilege-escalation"
 categories = ["crypto-failure"]
+# Optional: a Common Vulnerability Scoring System score. More information
+# can be found on the CVSS website, https://www.first.org/cvss/.
+#cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+
 # Freeform keywords which describe this vulnerability, similar to Cargo (optional)
 keywords = ["ssl", "mitm"]
diff --git a/crates/bitvec/RUSTSEC-2020-0007.toml b/crates/bitvec/RUSTSEC-2020-0007.toml
new file mode 100644
index 0000000..caf27cb
--- /dev/null
+++ b/crates/bitvec/RUSTSEC-2020-0007.toml
@@ -0,0 +1,19 @@
+[advisory]
+id = "RUSTSEC-2020-0007"
+package = "bitvec"
+date = "2020-03-27"
+title = "use-after or double free of allocated memory"
+url = "https://github.com/myrrlyn/bitvec/issues/55"
+categories = ["memory-corruption"]
+description = """
+Conversion of `BitVec` to `BitBox` did not account for allocation movement.
+
+The flaw was corrected by using the address after resizing, rather than the original base address.
+"""
+
+[affected.functions]
+"bitvec::vec::BitVec::into_boxed_bitslice" = ["< 0.17.4, >= 0.11.0"]
+
+[versions]
+patched = [">= 0.17.4"]
+unaffected = ["< 0.11.0"]
diff --git a/crates/bumpalo/RUSTSEC-2020-0006.toml b/crates/bumpalo/RUSTSEC-2020-0006.toml
new file mode 100644
index 0000000..d933c55
--- /dev/null
+++ b/crates/bumpalo/RUSTSEC-2020-0006.toml
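Review bot: The affected-function range in the bitvec `[affected.functions]` table is spelled as one comma-joined requirement, `["< 0.17.4, >= 0.11.0"]`, while the flatbuffers advisory touched later in this commit uses an array of separate requirements, `[">= 0.4.0", "<= 0.6.0"]`. Whether two entries in that array are read as their intersection or their union is up to the consuming tool, so the two spellings are not obviously equivalent; pick one form for the database and use it in both files. If the intended meaning is the intersection, the single-string form `"< 0.17.4, >= 0.11.0"` states that unambiguously in semver requirement syntax. The range here does line up with `patched = [">= 0.17.4"]` and `unaffected = ["< 0.11.0"]`, so only the spelling needs settling.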
@@ -0,0 +1,42 @@
+[advisory]
+id = "RUSTSEC-2020-0006"
+package = "bumpalo"
+date = "2020-03-24"
+title = "Flaw in `realloc` allows reading unknown memory"
+url = "https://github.com/fitzgen/bumpalo/issues/69"
+categories = ["memory-exposure"]
+description = """
+When `realloc`ing, if we allocate new space, we need to copy the old
+allocation's bytes into the new space. There are `old_size` number of bytes in
+the old allocation, but we were accidentally copying `new_size` number of bytes,
+which could lead to copying bytes into the realloc'd space from past the chunk
+that we're bump allocating out of, from unknown memory.
+
+If an attacker can cause `realloc`s, and can read the `realoc`ed data back,
+this could allow them to read things from other regions of memory that they
+shouldn't be able to. For example, if some crypto keys happened to live in
+memory right after a chunk we were bump allocating out of, this could allow
+the attacker to read the crypto keys.
+
+Beyond just fixing the bug and adding a regression test, I've also taken two
+additional steps:
+
+1. While we were already running the testsuite under `valgrind` in CI, because
+ `valgrind` exits with the same code that the program did, if there are
+ invalid reads/writes that happen not to trigger a segfault, the program can
+ still exit OK and we will be none the wiser. I've enabled the
+ `--error-exitcode=1` flag for `valgrind` in CI so that tests eagerly fail
+ in these scenarios.
+
+2. I've written a quickcheck test to exercise `realloc`. Without the bug fix
+ in this patch, this quickcheck immediately triggers invalid reads when run
+ under `valgrind`. We didn't previously have quickchecks that exercised
+ `realloc` beacuse `realloc` isn't publicly exposed directly, and instead
+ can only be indirectly called. This new quickcheck test exercises `realloc`
+ via `bumpalo::collections::Vec::resize` and
+ `bumpalo::collections::Vec::shrink_to_fit` calls.
+""" + +[versions] +patched = [">= 3.2.1"] +unaffected = ["< 3.0.0"] diff --git a/crates/cbox/RUSTSEC-2020-0005.toml b/crates/cbox/RUSTSEC-2020-0005.toml new file mode 100644 index 0000000..8052170 --- /dev/null +++ b/crates/cbox/RUSTSEC-2020-0005.toml @@ -0,0 +1,15 @@ +[advisory] +id = "RUSTSEC-2020-0005" +package = "cbox" +date = "2020-03-19" +title = "CBox API allows to de-reference raw pointers without `unsafe` code" +url = "https://github.com/TomBebbington/cbox-rs/issues/2" +categories = ["memory-corruption"] +description = """ +`CBox` and `CSemiBox` are part of the public API of the cbox crate +and they allow to create smart pointers from raw pointers and de-reference +them without the need of `unsafe` code. +""" + +[versions] +patched = [] diff --git a/crates/flatbuffers/RUSTSEC-2019-0028.toml b/crates/flatbuffers/RUSTSEC-2019-0028.toml index 55e1353..0d971fc 100644 --- a/crates/flatbuffers/RUSTSEC-2019-0028.toml +++ b/crates/flatbuffers/RUSTSEC-2019-0028.toml @@ -15,5 +15,5 @@ allows to violate these requirements and invoke undefined behaviour in safe code "flatbuffers::Follow::follow" = [">= 0.4.0", "<= 0.6.0"] [versions] -patched = [] +patched = [">= 0.6.1"] unaffected = ["< 0.4.0"]