From c8a2c774a33746c766f577d229678a0d95b07379 Mon Sep 17 00:00:00 2001 From: Chris Fallin Date: Sat, 22 May 2021 08:03:45 -0700 Subject: [PATCH] Add RUSTSEC notice for CVE-2021-32629, a Cranelift miscompilation bug. (#918) --- crates/cranelift-codegen/RUSTSEC-0000-0000.md | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 crates/cranelift-codegen/RUSTSEC-0000-0000.md diff --git a/crates/cranelift-codegen/RUSTSEC-0000-0000.md b/crates/cranelift-codegen/RUSTSEC-0000-0000.md new file mode 100644 index 0000000..92f79af --- /dev/null +++ b/crates/cranelift-codegen/RUSTSEC-0000-0000.md @@ -0,0 +1,28 @@ +```toml +[advisory] +id = "RUSTSEC-0000-0000" +package = "cranelift-codegen" +date = "2021-05-21" +url = "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-hpqh-2wqx-7qp5" +categories = ["code-execution", "memory-corruption", "memory-exposure"] +keywords = ["miscompile", "sandbox", "wasm"] +aliases = ["CVE-2021-32629"] + +[versions] +patched = [">= 0.73.1", ">= 0.74"] + +[affected] +arch = ["x86"] +``` + +# Memory access due to code generation flaw in Cranelift module + +There is a bug in 0.73.0 of the Cranelift x64 backend that can create a +scenario that could result in a potential sandbox escape in a WebAssembly +module. Users of versions 0.73.0 of Cranelift should upgrade to either 0.73.1 +or 0.74 to remediate this vulnerability. Users of Cranelift prior to 0.73.0 +should update to 0.73.1 or 0.74 if they were not using the old default backend. + +More details can be found in the GitHub Security Advisory at: + +