From 90d22af332cea13b560416c194b137706008da40 Mon Sep 17 00:00:00 2001
From: KizzyCode
Date: Fri, 21 Jun 2019 23:54:40 +0200
Subject: [PATCH 1/3] Create RUSTSEC-0000-0000.toml

Added vulnerability TOML for https://github.com/KizzyCode/asn1_der/issues/1
---
 crates/asn1_der/RUSTSEC-0000-0000.toml | 60 ++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)
 create mode 100644 crates/asn1_der/RUSTSEC-0000-0000.toml

diff --git a/crates/asn1_der/RUSTSEC-0000-0000.toml b/crates/asn1_der/RUSTSEC-0000-0000.toml
new file mode 100644
index 0000000..df2aef2
--- /dev/null
+++ b/crates/asn1_der/RUSTSEC-0000-0000.toml
@@ -0,0 +1,60 @@
+[advisory]
+# Identifier for the advisory (mandatory). Will be assigned a "RUSTSEC-YYYY-NNNN"
+# identifier e.g. RUSTSEC-2018-0001. Please use "RUSTSEC-0000-0000" in PRs.
+id = "RUSTSEC-0000-0000"
+
+# Name of the affected crate (mandatory)
+package = "asn1_der"
+
+# Disclosure date of the advisory as an RFC 3339 date (mandatory)
+date = "2019-06-13"
+
+# Single-line description of a vulnerability (mandatory)
+title = "Processing of maliciously crafted length fields causes memory allocation crashes"
+
+# Enter a short-form description of the vulnerability here (mandatory)
+description = """
+Affected versions of this crate tried to preallocate a vector for an arbitrary amount of bytes announced by the ASN.1-DER length field without further checks.
+
+This allows an attacker to trigger a SIGABRT by creating length fields that announce more bytes than the allocator can provide.
+
+The flaw was corrected by not preallocating memory.
+"""
+
+# Versions which include fixes for this vulnerability (mandatory)
+patched_versions = [">= 0.6.2"]
+
+# Versions which were never vulnerable (optional)
+unaffected_versions = ["< 0.6.2"]
+
+# URL to a long-form description of this issue, e.g. a GitHub issue/PR,
+# a change log entry, or a blogpost announcing the release (optional)
+url = "https://github.com/KizzyCode/asn1_der/issues/1"
+
+# Keywords which describe this vulnerability, similar to Cargo (optional)
+keywords = ["dos"]
+
+# Vulnerability aliases, e.g. CVE IDs (optional but recommended)
+# Request a CVE for your RustSec vulns: https://iwantacve.org/
+#aliases = ["CVE-2018-XXXX"]
+
+# References to related vulnerabilities (optional)
+# e.g. CVE for a C library wrapped by a -sys crate)
+#references = ["CVE-2018-YYYY", "CVE-2018-ZZZZ"]
+
+# CPU architectures impacted by this vulnerability (optional)
+# For a list of CPU architecture strings, see the "platforms" crate:
+#
+#affected_arch = ["x86", "x86_64"]
+
+# Operating systems impacted by this vulnerability (optional)
+# For a list of OS strings, see the "platforms" crate:
+#
+#affected_os = ["windows"]
+
+# List of canonical paths to vulnerable functions (optional)
+# The path syntax is cratename::path::to::function, without any
+# return type or parameters. More information:
+#
+# For example, for RUSTSEC-2018-0003, this would look like:
+#affected_functions = ["smallvec::SmallVec::insert_many"]

From 6117c447119b1d184475bd29bc58041fd2cad410 Mon Sep 17 00:00:00 2001
From: KizzyCode
Date: Sat, 22 Jun 2019 00:05:04 +0200
Subject: [PATCH 2/3] Removed erroneous unaffected versions

---
 crates/asn1_der/RUSTSEC-0000-0000.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/crates/asn1_der/RUSTSEC-0000-0000.toml b/crates/asn1_der/RUSTSEC-0000-0000.toml
index df2aef2..e38e794 100644
--- a/crates/asn1_der/RUSTSEC-0000-0000.toml
+++ b/crates/asn1_der/RUSTSEC-0000-0000.toml
@@ -10,7 +10,7 @@ package = "asn1_der"
 date = "2019-06-13"
 
 # Single-line description of a vulnerability (mandatory)
-title = "Processing of maliciously crafted length fields causes memory allocation crashes"
+title = "Processing of maliciously crafted length fields causes memory allocation SIGABRTs"
 
 # Enter a short-form description of the vulnerability here (mandatory)
 description = """
@@ -25,7 +25,7 @@ The flaw was corrected by not preallocating memory.
 patched_versions = [">= 0.6.2"]
 
 # Versions which were never vulnerable (optional)
-unaffected_versions = ["< 0.6.2"]
+#unaffected_versions = ["< 0.6.2"]
 
 # URL to a long-form description of this issue, e.g. a GitHub issue/PR,
 # a change log entry, or a blogpost announcing the release (optional)
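Review bot: The `description` added in PATCH 1/3 names the symptom (a SIGABRT) but not the property operators most need to know: by default a failed allocation in Rust aborts the process instead of unwinding, so a caller cannot contain it with `catch_unwind` or a per-request panic boundary. I would add a sentence to the description along the lines of `Because the allocation failure aborts the process rather than panicking, callers cannot recover from it; services that decode untrusted DER should upgrade to a patched release.` The `affected_functions` key is also left as the commented template; if the crate's decoding entry point is known, listing it (path not visible on this page) would let tooling narrow which dependents are actually exposed.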
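Review bot: The new `title` in PATCH 2/3 names a POSIX signal while the advisory sets no `affected_os` restriction, so it can read as Unix-only although the abort presumably occurs on every platform. A platform-neutral wording such as `title = "Processing of maliciously crafted length fields causes process abort on memory allocation"` keeps the precision this change was after without implying an OS scope. The same wording ("trigger a SIGABRT") appears in the description body, which lies outside this hunk.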
From 2bc98060424f96486c240a22a946e96b48be9467 Mon Sep 17 00:00:00 2001
From: KizzyCode
Date: Sat, 22 Jun 2019 00:17:25 +0200
Subject: [PATCH 3/3] Removed comments

---
 crates/asn1_der/RUSTSEC-0000-0000.toml | 38 --------------------------
 1 file changed, 38 deletions(-)

diff --git a/crates/asn1_der/RUSTSEC-0000-0000.toml b/crates/asn1_der/RUSTSEC-0000-0000.toml
index e38e794..7585508 100644
--- a/crates/asn1_der/RUSTSEC-0000-0000.toml
+++ b/crates/asn1_der/RUSTSEC-0000-0000.toml
@@ -1,18 +1,12 @@
 [advisory]
-# Identifier for the advisory (mandatory). Will be assigned a "RUSTSEC-YYYY-NNNN"
-# identifier e.g. RUSTSEC-2018-0001. Please use "RUSTSEC-0000-0000" in PRs.
 id = "RUSTSEC-0000-0000"
 
-# Name of the affected crate (mandatory)
 package = "asn1_der"
 
-# Disclosure date of the advisory as an RFC 3339 date (mandatory)
 date = "2019-06-13"
 
-# Single-line description of a vulnerability (mandatory)
 title = "Processing of maliciously crafted length fields causes memory allocation SIGABRTs"
 
-# Enter a short-form description of the vulnerability here (mandatory)
 description = """
 Affected versions of this crate tried to preallocate a vector for an arbitrary amount of bytes announced by the ASN.1-DER length field without further checks.
 
@@ -21,40 +15,8 @@ This allows an attacker to trigger a SIGABRT by creating length fields that anno
 The flaw was corrected by not preallocating memory.
 """
 
-# Versions which include fixes for this vulnerability (mandatory)
 patched_versions = [">= 0.6.2"]
 
-# Versions which were never vulnerable (optional)
-#unaffected_versions = ["< 0.6.2"]
-
-# URL to a long-form description of this issue, e.g. a GitHub issue/PR,
-# a change log entry, or a blogpost announcing the release (optional)
 url = "https://github.com/KizzyCode/asn1_der/issues/1"
 
-# Keywords which describe this vulnerability, similar to Cargo (optional)
 keywords = ["dos"]
-
-# Vulnerability aliases, e.g. CVE IDs (optional but recommended)
-# Request a CVE for your RustSec vulns: https://iwantacve.org/
-#aliases = ["CVE-2018-XXXX"]
-
-# References to related vulnerabilities (optional)
-# e.g. CVE for a C library wrapped by a -sys crate)
-#references = ["CVE-2018-YYYY", "CVE-2018-ZZZZ"]
-
-# CPU architectures impacted by this vulnerability (optional)
-# For a list of CPU architecture strings, see the "platforms" crate:
-#
-#affected_arch = ["x86", "x86_64"]
-
-# Operating systems impacted by this vulnerability (optional)
-# For a list of OS strings, see the "platforms" crate:
-#
-#affected_os = ["windows"]
-
-# List of canonical paths to vulnerable functions (optional)
-# The path syntax is cratename::path::to::function, without any
-# return type or parameters. More information:
-#
-# For example, for RUSTSEC-2018-0003, this would look like:
-#affected_functions = ["smallvec::SmallVec::insert_many"]