From f8ff9cfc6fe246920404186a5628d4c992e4b069 Mon Sep 17 00:00:00 2001
From: Jonathan Foote
Date: Fri, 24 Jan 2020 15:27:56 -0500
Subject: [PATCH 1/3] Add lucet-runtime-internals sigstack allocation vuln advisory

---
 .../RUSTSEC-0000-0000.toml | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 crates/lucet-runtime-internals/RUSTSEC-0000-0000.toml

diff --git a/crates/lucet-runtime-internals/RUSTSEC-0000-0000.toml b/crates/lucet-runtime-internals/RUSTSEC-0000-0000.toml
new file mode 100644
index 000000000..11290379b
--- /dev/null
+++ b/crates/lucet-runtime-internals/RUSTSEC-0000-0000.toml
@@ -0,0 +1,24 @@
+[advisory]
+id = "RUSTSEC-0000-0000"
+
+package = "lucet-runtime-internals"
+
+date = "2020-01-24"
+
+title = "sigstack allocation bug can cause memory corruption or leak"
+
+description = """
+An embedding using affected versions of lucet-runtime configured to use
+non-default Wasm globals sizes of more than 4KiB, or compiled in debug mode
+without optimizations, could leak data from the signal handler stack to guest
+programs. This can potentially cause data from the embedding host to leak to
+guest programs or cause corruption of guest program memory.
+
+This flaw was resolved by correcting the sigstack allocation logic.
+"""
+
+patched_versions = ["< 0.5.0, >= 0.4.3", “>= 0.5.1”]
+
+url = "https://github.com/bytecodealliance/lucet/pull/401”
+
+categories = ["memory-corruption", "memory-exposure"]
From 3f1f71de9bd8486ce83902a911b7da4d7a49283e Mon Sep 17 00:00:00 2001
From: Jonathan Foote
Date: Fri, 24 Jan 2020 15:35:58 -0500
Subject: [PATCH 2/3] Update crates/lucet-runtime-internals/RUSTSEC-0000-0000.toml

Correct quote characters

Co-Authored-By: Alex Gaynor
---
 crates/lucet-runtime-internals/RUSTSEC-0000-0000.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crates/lucet-runtime-internals/RUSTSEC-0000-0000.toml b/crates/lucet-runtime-internals/RUSTSEC-0000-0000.toml
index 11290379b..c17c651b1 100644
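Review bot: The new advisory in PATCH 1/3 never states which releases are affected: `patched_versions` is its only version field, so auditing tools will report every lucet-runtime-internals release below 0.4.3, plus 0.5.0, as vulnerable. If the sigstack allocation flaw was introduced after the first published release (this patch does not show that), adding `unaffected_versions = ["< FIRST_AFFECTED_VERSION"]` (placeholder value) would avoid false positives on older pins. The description also refers to `lucet-runtime` while `package` is `lucet-runtime-internals`; a sentence naming both crates would tell embedders which dependency they have to upgrade. In the title, "leak" can be read as a memory leak; "information leak" would match the `memory-exposure` category.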
--- a/crates/lucet-runtime-internals/RUSTSEC-0000-0000.toml
+++ b/crates/lucet-runtime-internals/RUSTSEC-0000-0000.toml
@@ -17,7 +17,7 @@ guest programs or cause corruption of guest program memory.
 This flaw was resolved by correcting the sigstack allocation logic.
 """
 
-patched_versions = ["< 0.5.0, >= 0.4.3", “>= 0.5.1”]
+patched_versions = ["< 0.5.0, >= 0.4.3", ">= 0.5.1"]
 
 url = "https://github.com/bytecodealliance/lucet/pull/401”
 
From 0271003e2ed4ea0e13effb4d631dcc87a8559ef3 Mon Sep 17 00:00:00 2001
From: Jonathan Foote
Date: Fri, 24 Jan 2020 15:36:06 -0500
Subject: [PATCH 3/3] Update crates/lucet-runtime-internals/RUSTSEC-0000-0000.toml

Correct quote characters

Co-Authored-By: Alex Gaynor
---
 crates/lucet-runtime-internals/RUSTSEC-0000-0000.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crates/lucet-runtime-internals/RUSTSEC-0000-0000.toml b/crates/lucet-runtime-internals/RUSTSEC-0000-0000.toml
index c17c651b1..f343010e0 100644
--- a/crates/lucet-runtime-internals/RUSTSEC-0000-0000.toml
+++ b/crates/lucet-runtime-internals/RUSTSEC-0000-0000.toml
@@ -19,6 +19,6 @@ This flaw was resolved by correcting the sigstack allocation logic.
 
 patched_versions = ["< 0.5.0, >= 0.4.3", ">= 0.5.1"]
 
-url = "https://github.com/bytecodealliance/lucet/pull/401”
+url = "https://github.com/bytecodealliance/lucet/pull/401"
 
 categories = ["memory-corruption", "memory-exposure"]