From 67b08c24a46d393527685a6655b054396d5e8efa Mon Sep 17 00:00:00 2001
From: phosphorus
Date: Mon, 16 Sep 2019 00:12:52 +0800
Subject: [PATCH 1/4] added UAF within portaudio-rs

---
 crates/portaudio-rs/RUSTSEC-0000-0000.toml | 29 ++++++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 crates/portaudio-rs/RUSTSEC-0000-0000.toml

diff --git a/crates/portaudio-rs/RUSTSEC-0000-0000.toml b/crates/portaudio-rs/RUSTSEC-0000-0000.toml
new file mode 100644
index 0000000..f9f7de2
--- /dev/null
+++ b/crates/portaudio-rs/RUSTSEC-0000-0000.toml
@@ -0,0 +1,29 @@
+[advisory]
+id = "RUSTSEC-0000-0000"
+
+package = "portaudio-rs"
+
+date = "2017-9-14"
+
+# Single-line description of a vulnerability (mandatory)
+title = "Stream callback function is not unwind safe"
+
+# Enter a short-form description of the vulnerability here (mandatory)
+description = """
+Affected versions of this crate is not panic safe within callback functions `stream_callback` and `stream_finished_callback`.
+
+The call to user-provided closure might panic before a `mem::forget` call, which then causes a use after free that grants attacker to control the callback function pointer.
+
+This allows an attacker to construct an arbitrary code execution .
+
+The flaw was reported by Phosphorus15.
+"""
+
+# yet not patched
+patched_versions = ["> 0.3.1"]
+
+url = "https://github.com/mvdnes/portaudio-rs/issues/20"
+
+categories = ["code-execution", "memory-corruption"]
+
+keywords = ["audio", "ffi"]
From 13ea84ced386d20e7e24499d1877f3e9b0d62fca Mon Sep 17 00:00:00 2001
From: phosphorus
Date: Mon, 16 Sep 2019 00:22:41 +0800
Subject: [PATCH 2/4] add double free within linea

---
 crates/linea/RUSTSEC-0000-0000.toml | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 crates/linea/RUSTSEC-0000-0000.toml

diff --git a/crates/linea/RUSTSEC-0000-0000.toml b/crates/linea/RUSTSEC-0000-0000.toml
new file mode 100644
index 0000000..4d34636
--- /dev/null
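Review bot: `patched_versions = ["> 0.3.1"]` directly under the `# yet not patched` comment declares a fix that, by the author's own note, does not exist; tooling that consumes this database (cargo-audit and friends) will report every release after 0.3.1 as safe even if it ships without the fix. Until a fixed release is published this should be `patched_versions = []`, with the range filled in once the upstream issue is resolved. The advisory `date` is given as 2017-9-14 while the commit, the upstream issue reference and the sibling linea advisory in the same series all point to September 2019, so the year looks like a typo and is worth confirming before merge. The description text is shown verbatim to users, so the stray space in `arbitrary code execution .` and the grammar of `this crate is not panic safe` should also be tidied.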
+++ b/crates/linea/RUSTSEC-0000-0000.toml
@@ -0,0 +1,25 @@
+[advisory]
+id = "RUSTSEC-0000-0000"
+
+package = "linea"
+
+date = "2019-9-14"
+
+title = "`Matrix::zip_elements` causes double free"
+
+description = """
+Affected versions of this crate did not properly implements the `Matrix::zip_elements` method, which causes an double free when the given trait implementation might panic.
+
+This allows an attacker to corrupt or take control of the memory.
+
+The flaw was corrected by Phosphorus15.
+"""
+
+# yet not merged
+patched_versions = ["> 0.9.4"]
+
+url = "https://github.com/strake/linea.rs/issues/2"
+
+categories = ["memory-corruption"]
+
+keywords = ["double free"]
From c081847f6d39166217c1199215c46bba1185e6b5 Mon Sep 17 00:00:00 2001
From: phosphorus
Date: Mon, 16 Sep 2019 00:27:24 +0800
Subject: [PATCH 3/4] Update RUSTSEC-0000-0000.toml

---
 crates/linea/RUSTSEC-0000-0000.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crates/linea/RUSTSEC-0000-0000.toml b/crates/linea/RUSTSEC-0000-0000.toml
index 4d34636..f00d41f 100644
--- a/crates/linea/RUSTSEC-0000-0000.toml
+++ b/crates/linea/RUSTSEC-0000-0000.toml
@@ -3,7 +3,7 @@ id = "RUSTSEC-0000-0000"
 package = "linea"
-date = "2019-9-14"
+date = "2019-09-14"
 title = "`Matrix::zip_elements` causes double free"
From 473e6a8f5ae4f25d1d072f335ff0ee7b0f75071e Mon Sep 17 00:00:00 2001
From: phosphorus
Date: Mon, 16 Sep 2019 00:27:38 +0800
Subject: [PATCH 4/4] Update RUSTSEC-0000-0000.toml

---
 crates/portaudio-rs/RUSTSEC-0000-0000.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crates/portaudio-rs/RUSTSEC-0000-0000.toml b/crates/portaudio-rs/RUSTSEC-0000-0000.toml
index f9f7de2..688088c 100644
--- a/crates/portaudio-rs/RUSTSEC-0000-0000.toml
+++ b/crates/portaudio-rs/RUSTSEC-0000-0000.toml
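Review bot: `patched_versions = ["> 0.9.4"]` is contradicted by the `# yet not merged` comment above it: if the fix has not shipped, every version after 0.9.4 will be reported as patched by tooling that consumes this file, so it should be `patched_versions = []` until a fixed release exists and then updated with that version. The description also states the flaw "was corrected" while the comment says the correction is unmerged; the two should agree, e.g. `The flaw was reported by Phosphorus15 and a fix is pending upstream.` until the release lands. Since the description is shown verbatim by `cargo audit`, `did not properly implements` / `an double free` should read `did not properly implement` / `a double free`.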
@@ -3,7 +3,7 @@ id = "RUSTSEC-0000-0000"
 package = "portaudio-rs"
-date = "2017-9-14"
+date = "2017-09-14"
 # Single-line description of a vulnerability (mandatory)
 title = "Stream callback function is not unwind safe"