Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Properly disclose #148 and #149 #156

Closed
Shnatsel opened this issue Jun 29, 2019 · 12 comments
Closed

Properly disclose #148 and #149 #156

Shnatsel opened this issue Jun 29, 2019 · 12 comments

Comments

@Shnatsel
Copy link

Recently reported #148 and #149 are memory safety issues and may be exploitable. They need to be properly disclosed:

  1. Identify the affected crate versions
  2. Yank vulnerable versions from crates.io
  3. File an advisory in https://github.com/RustSec/advisory-db

I have tried to track down the commits that introduced these bugs:

The testcase I'm using to check for #149 is as follows:

let mut v: SmallVec<[u8; 2]> = SmallVec::new();
v.push(1);
v.push(2);
v.push(3);
assert!(v.spilled());
v.clear();
// Shrink to inline.
v.grow(2);
assert_eq!(v.capacity(), 2);
@Shnatsel
Copy link
Author

I can handle the advisories once the affected crate versions are determined

@Shnatsel
Copy link
Author

Advisory for #148 is pending: rustsec/advisory-db#119

Still not entirely sure on the affected versions range for #149, but 0.6.3 and onwards are definitely affected, so please yank them.

@dvdplm
Copy link

dvdplm commented Jun 30, 2019

@Shnatsel do you know if the advisories to RustSec find their way into cargo audit automatically or do we need any further action there?

@Shnatsel
Copy link
Author

Once the PR for the advisory DB is merged it gets into cargo audit automatically. No further action is needed.

@lucab
Copy link

lucab commented Jul 3, 2019

For reference, RustSec advisories are also wired into @dependabot. This is what an automated security bumps looks like: coreos/afterburn#239.

@Phosphorus15
Copy link

I've located the commit that introduced issue #149 , i.e. 675221e , in which smallvec::grow started to allow for shrinking back onto the stack. It is also clear that this commit was made after version 0.6.2 from the network graph, also, you'll be able to check version 0.6.2 under revision d41b4eb. (which I've tested to be okay 😉 )

@Shnatsel
Copy link
Author

@Phosphorus15 I do not believe commit 675221e is the one - it only modifies benchmarks, not the actual code.

@Shnatsel
Copy link
Author

Advisory for #149 is up for review: rustsec/advisory-db#127

@jdm
Copy link
Member

jdm commented Jul 19, 2019

Thanks. Sorry for dropping the ball here.

@Shnatsel
Copy link
Author

Shnatsel commented Jul 19, 2019

@jdm please yank versions 0.6.3 to 0.6.9 inclusive from crates.io. That way anyone using them will be upgraded to the fixed 0.6.10 automatically. It's the one part I cannot handle by myself.

@jdm
Copy link
Member

jdm commented Jul 19, 2019

Done.

@Shnatsel
Copy link
Author

Security advisory is merged too, so closing this. Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

5 participants