From ce9b3be5b30406397da4ada0cea12a21f9e1f979 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Eduardo=20S=C3=A1nchez=20Mu=C3=B1oz?=
Date: Thu, 19 Mar 2020 20:19:21 +0100
Subject: [PATCH 1/8] Add advisory for cbox

---
crates/cbox/RUSTSEC-0000-0000.toml | 15 +++++++++++++++
1 file changed, 15 insertions(+)
create mode 100644 crates/cbox/RUSTSEC-0000-0000.toml

diff --git a/crates/cbox/RUSTSEC-0000-0000.toml b/crates/cbox/RUSTSEC-0000-0000.toml
new file mode 100644
index 0000000..b5b71f0
--- /dev/null
+++ b/crates/cbox/RUSTSEC-0000-0000.toml
@@ -0,0 +1,15 @@
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "cbox"
+date = "2020-03-19"
+title = "CBox API allows to de-reference raw pointers without `unsafe` code"
+url = "https://github.com/TomBebbington/cbox-rs/issues/2"
+categories = ["memory-corruption"]
+description = """
+`CBox` and `CSemiBox` are part of the public API of the cbox crate
+and they allow to create smart pointers from raw pointers and de-reference
+them without the need of `unsafe` code.
+"""
+
+[versions]
+patched = []

From ca7a01db1200ec71a664d557dc32bb2c7ce49d17 Mon Sep 17 00:00:00 2001
From: Paul Hummer
Date: Thu, 19 Mar 2020 15:42:02 -0600
Subject: [PATCH 2/8] fix: update patched version for 2019-0028

This patch updates the `RUSTSEC-2019-0028` advisory to show a patched version is available. The patch was added [in PR 5554](https://github.com/google/flatbuffers/pull/5554), and released with version `0.6.1`.
---
crates/flatbuffers/RUSTSEC-2019-0028.toml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crates/flatbuffers/RUSTSEC-2019-0028.toml b/crates/flatbuffers/RUSTSEC-2019-0028.toml
index 55e1353..0d971fc 100644
--- a/crates/flatbuffers/RUSTSEC-2019-0028.toml
+++ b/crates/flatbuffers/RUSTSEC-2019-0028.toml
@@ -15,5 +15,5 @@ allows to violate these requirements and invoke undefined behaviour in safe code
 "flatbuffers::Follow::follow" = [">= 0.4.0", "<= 0.6.0"]
 [versions]
-patched = []
+patched = [">= 0.6.1"]
 unaffected = ["< 0.4.0"]
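Review bot: The description in the cbox hunk never says why a safe constructor over a raw pointer is a memory-safety bug, so a reader of the advisory (or of `cargo audit` output) has to work it out; after `them without the need of `unsafe` code.` I would add `Because the pointer is never validated, safe code can wrap a dangling or null pointer and dereference it, which is undefined behaviour.` — the "never validated" part is inferred from the title and should be checked against the linked issue. `patched = []` with no `unaffected` range means every published version is flagged; since no fixed release exists, the description should say so and name the only mitigation (stop using these types, or audit every `CBox`/`CSemiBox` construction site). If specific constructors are the unsound entry points, listing them under `[affected.functions]` would let tooling narrow the report.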
From da46c5463766115492b5a251ebeadd8bb67ba352 Mon Sep 17 00:00:00 2001
From: Tony Arcieri
Date: Mon, 23 Mar 2020 09:25:44 -0700
Subject: [PATCH 3/8] Assign RUSTSEC-2020-0005 to cbox

Original PR: https://github.com/RustSec/advisory-db/pull/246
---
crates/cbox/{RUSTSEC-0000-0000.toml => RUSTSEC-2020-0005.toml} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename crates/cbox/{RUSTSEC-0000-0000.toml => RUSTSEC-2020-0005.toml} (94%)

diff --git a/crates/cbox/RUSTSEC-0000-0000.toml b/crates/cbox/RUSTSEC-2020-0005.toml
similarity index 94%
rename from crates/cbox/RUSTSEC-0000-0000.toml
rename to crates/cbox/RUSTSEC-2020-0005.toml
index b5b71f0..8052170 100644
--- a/crates/cbox/RUSTSEC-0000-0000.toml
+++ b/crates/cbox/RUSTSEC-2020-0005.toml
@@ -1,5 +1,5 @@
 [advisory]
-id = "RUSTSEC-0000-0000"
+id = "RUSTSEC-2020-0005"
 package = "cbox"
 date = "2020-03-19"
 title = "CBox API allows to de-reference raw pointers without `unsafe` code"

From 3c71342be31f4a7cd6ff376f6877dbafb5bfd250 Mon Sep 17 00:00:00 2001
From: Dirkjan Ochtman
Date: Tue, 24 Mar 2020 15:27:18 +0100
Subject: [PATCH 4/8] Mention CVSS field in template (see #248)

---
README.md | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/README.md b/README.md
index 871ebd6..9da1d59 100644
--- a/README.md
+++ b/README.md
@@ -52,6 +52,10 @@ url = "https://github.com/mystuff/mycrate/issues/123"
 # "format-injection", "memory-corruption", "memory-exposure", "privilege-escalation"
 categories = ["crypto-failure"]
+# Optional: a Common Vulnerability Scoring System score. More information
+# can be found on the CVSS website, https://www.first.org/cvss/.
+#cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ + # Freeform keywords which describe this vulnerability, similar to Cargo (optional)
 keywords = ["ssl", "mitm"]

From 2a32306fa8101ad25a42d06cd23ca7dd7a98760e Mon Sep 17 00:00:00 2001
From: Nick Fitzgerald
Date: Tue, 24 Mar 2020 14:12:17 -0700
Subject: [PATCH 5/8] bumpalo: Report memory exposure bug in realloc

---
crates/bumpalo/RUSTSEC-0000-0000.toml | 42 +++++++++++++++++++++++++++
1 file changed, 42 insertions(+)
create mode 100644 crates/bumpalo/RUSTSEC-0000-0000.toml

diff --git a/crates/bumpalo/RUSTSEC-0000-0000.toml b/crates/bumpalo/RUSTSEC-0000-0000.toml
new file mode 100644
index 0000000..adf9eec
--- /dev/null
+++ b/crates/bumpalo/RUSTSEC-0000-0000.toml
@@ -0,0 +1,42 @@
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "bumpalo"
+date = "2020-03-24"
+title = "Flaw in `realloc` allows reading unknown memory"
+url = "https://github.com/fitzgen/bumpalo/issues/69"
+categories = ["memory-exposure"]
+description = """
+When `realloc`ing, if we allocate new space, we need to copy the old
+allocation's bytes into the new space. There are `old_size` number of bytes in
+the old allocation, but we were accidentally copying `new_size` number of bytes,
+which could lead to copying bytes into the realloc'd space from past the chunk
+that we're bump allocating out of, from unknown memory.
+
+If an attacker can cause `realloc`s, and can read the `realoc`ed data back,
+this could allow them to read things from other regions of memory that they
+shouldn't be able to. For example, if some crypto keys happened to live in
+memory right after a chunk we were bump allocating out of, this could allow
+the attacker to read the crypto keys.
+
+Beyond just fixing the bug and adding a regression test, I've also taken two
+additional steps:
+
+1. While we were already running the testsuite under `valgrind` in CI, because
+ `valgrind` exits with the same code that the program did, if there are
+ invalid reads/writes that happen not to trigger a segfault, the program can
+ still exit OK and we will be none the wiser. I've enabled the
+ `--error-exitcode=1` flag for `valgrind` in CI so that tests eagerly fail
+ in these scenarios.
+
+2. I've written a quickcheck test to exercise `realloc`. Without the bug fix
+ in this patch, this quickcheck immediately triggers invalid reads when run
+ under `valgrind`. We didn't previously have quickchecks that exercised
+ `realloc` beacuse `realloc` isn't publicly exposed directly, and instead
+ can only be indirectly called. This new quickcheck test exercises `realloc`
+ via `bumpalo::collections::Vec::resize` and
+ `bumpalo::collections::Vec::shrink_to_fit` calls.
+""" + +[versions] +patched = [">= 3.2.1"] +unaffected = ["< 3.0.0"] From ab9cad4eba8bfa0d3bbf0dead17d2d745d9658a6 Mon Sep 17 00:00:00 2001 From: Tony Arcieri Date: Tue, 24 Mar 2020 14:21:56 -0700 Subject: [PATCH 6/8] Assign RUSTSEC-2020-0006 to bumpalo Original PR: https://github.com/RustSec/advisory-db/pull/251 --- .../bumpalo/{RUSTSEC-0000-0000.toml => RUSTSEC-2020-0006.toml} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename crates/bumpalo/{RUSTSEC-0000-0000.toml => RUSTSEC-2020-0006.toml} (98%) diff --git a/crates/bumpalo/RUSTSEC-0000-0000.toml b/crates/bumpalo/RUSTSEC-2020-0006.toml similarity index 98% rename from crates/bumpalo/RUSTSEC-0000-0000.toml rename to crates/bumpalo/RUSTSEC-2020-0006.toml index adf9eec..d933c55 100644 --- a/crates/bumpalo/RUSTSEC-0000-0000.toml +++ b/crates/bumpalo/RUSTSEC-2020-0006.toml @@ -1,5 +1,5 @@ [advisory] -id = "RUSTSEC-0000-0000" +id = "RUSTSEC-2020-0006" package = "bumpalo" date = "2020-03-24" title = "Flaw in `realloc` allows reading unknown memory" From 70389f6a25cca930d3d06f28eec2de3dd077c0c8 Mon Sep 17 00:00:00 2001 From: Alexander Payne Date: Fri, 27 Mar 2020 16:10:15 -0600 Subject: [PATCH 7/8] Report memory management error in `bitvec` See myrrlyn/bitvec#55 --- crates/bitvec/RUSTSEC-0000-0000.toml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 crates/bitvec/RUSTSEC-0000-0000.toml diff --git a/crates/bitvec/RUSTSEC-0000-0000.toml b/crates/bitvec/RUSTSEC-0000-0000.toml new file mode 100644 index 0000000..c33c071 --- /dev/null +++ b/crates/bitvec/RUSTSEC-0000-0000.toml 
@@ -0,0 +1,16 @@
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "bitvec"
+date = "2020-03-27"
+title = "use-after or double free of allocated memory"
+url = "https://github.com/myrrlyn/bitvec/issues/55"
+categories = ["memory-corruption"]
+description = """
+Conversion of `BitVec` to `BitBox` did not account for allocation movement.
+
+The flaw was corrected by using the address after resizing, rather than the original base address.
+"""
+functions = { "bitvec::vec::BitVec::into_boxed_bitslice" = ["< 0.17.4, >= 0.11.0"] }
+[versions]
+patched = [">= 0.17.4"]
+unaffected = ["< 0.11.0"]

From 4de36fe70a56296d6718009738ef0a890402462b Mon Sep 17 00:00:00 2001
From: Tony Arcieri
Date: Mon, 30 Mar 2020 12:45:14 -0700
Subject: [PATCH 8/8] Assign RUSTSEC-2020-0007 to bitvec

Original PR: https://github.com/RustSec/advisory-db/pull/253
---
.../{RUSTSEC-0000-0000.toml => RUSTSEC-2020-0007.toml} | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
rename crates/bitvec/{RUSTSEC-0000-0000.toml => RUSTSEC-2020-0007.toml} (79%)

diff --git a/crates/bitvec/RUSTSEC-0000-0000.toml b/crates/bitvec/RUSTSEC-2020-0007.toml
similarity index 79%
rename from crates/bitvec/RUSTSEC-0000-0000.toml
rename to crates/bitvec/RUSTSEC-2020-0007.toml
index c33c071..caf27cb 100644
--- a/crates/bitvec/RUSTSEC-0000-0000.toml
+++ b/crates/bitvec/RUSTSEC-2020-0007.toml
@@ -1,5 +1,5 @@
 [advisory]
-id = "RUSTSEC-0000-0000"
+id = "RUSTSEC-2020-0007"
 package = "bitvec"
 date = "2020-03-27"
 title = "use-after or double free of allocated memory"
@@ -10,7 +10,10 @@ Conversion of `BitVec` to `BitBox` did not account for allocation movement.
 The flaw was corrected by using the address after resizing, rather than the original base address.
 """
-functions = { "bitvec::vec::BitVec::into_boxed_bitslice" = ["< 0.17.4, >= 0.11.0"] }
+
+[affected.functions]
+"bitvec::vec::BitVec::into_boxed_bitslice" = ["< 0.17.4, >= 0.11.0"]
+
 [versions]
 patched = [">= 0.17.4"]
 unaffected = ["< 0.11.0"]
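Review bot: The description in the new bitvec advisory states the fix (`using the address after resizing`) but not the failure mode, so the title's `use-after or double free` is left unexplained to anyone who does not open the linked issue; I would add a sentence such as `The conversion resizes the vector's buffer before boxing it; the resize can move the allocation, and the `BitBox` was built from the pre-resize pointer, so it aliased freed memory and freed it a second time on drop.` — the "resize can move the allocation" step is inferred from the fix description and should be confirmed against bitvec#55. The title would also be more useful in `cargo audit` output if it named the entry point, e.g. `Use-after-free or double free in `BitVec::into_boxed_bitslice``. The `[affected.functions]` range `"< 0.17.4, >= 0.11.0"` and `unaffected = ["< 0.11.0"]` agree with each other, which is good; the description could say what changed in 0.11.0 that introduced the flaw so that the lower bound is auditable.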