Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package cargo-audit-advisory-db for
openSUSE:Factory checked in at 2021-07-22 22:43:24
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/cargo-audit-advisory-db (Old)
and /work/SRC/openSUSE:Factory/.cargo-audit-advisory-db.new.1899 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cargo-audit-advisory-db"
Thu Jul 22 22:43:24 2021 rev:9 rq:907608 version:20210721
Changes:
--------
---
/work/SRC/openSUSE:Factory/cargo-audit-advisory-db/cargo-audit-advisory-db.changes
2021-07-05 22:23:13.433608699 +0200
+++
/work/SRC/openSUSE:Factory/.cargo-audit-advisory-db.new.1899/cargo-audit-advisory-db.changes
2021-07-22 22:44:08.123139204 +0200
@@ -1,0 +2,15 @@
+Wed Jul 21 04:16:56 UTC 2021 - [email protected]
+
+- Update to version 20210721:
+ * Assigned RUSTSEC-2021-0076 to libsecp256k1 (#964)
+ * Add advisory for libsecp256k1 (#963)
+ * Assigned RUSTSEC-2021-0075 to ark-r1cs-std (#962)
+ * `ark_r1cs_std::mul_by_inverse` generated unsound constraints in versions
below `0.3.1` (#961)
+ * Revert "Hotfix #957 until we figure out what to do with it (#958)" (#960)
+ * Assigned RUSTSEC-2021-0074 to ammonia (#959)
+ * Add rust-ammonia/ammonia#142 (#956)
+ * Hotfix #957 until we figure out what to do with it (#958)
+ * Assigned RUSTSEC-2021-0073 to prost-types (#955)
+ * prost-types: Timestamp conversion overflow (#954)
+
+-------------------------------------------------------------------
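Review bot: the changes entry covers only the five upstream commits for libsecp256k1, ark-r1cs-std, ammonia and prost-types, but the tarball diff below also adds crates/tokio/RUSTSEC-2021-0072.md and five new rust/std/CVE-*.md advisories (CVE-2017-20004, CVE-2018-25008, CVE-2019-1010299, CVE-2020-36323, CVE-2021-31162). Since this changelog is what tells downstream users which new findings cargo-audit will start reporting, add lines for those entries rather than relying on the generated log alone.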
Old:
----
advisory-db-20210702.tar.xz
New:
----
advisory-db-20210721.tar.xz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ cargo-audit-advisory-db.spec ++++++
--- /var/tmp/diff_new_pack.3GFLzY/_old 2021-07-22 22:44:08.527138677 +0200
+++ /var/tmp/diff_new_pack.3GFLzY/_new 2021-07-22 22:44:08.531138672 +0200
@@ -17,7 +17,7 @@
Name: cargo-audit-advisory-db
-Version: 20210702
+Version: 20210721
Release: 0
Summary: A database of known security issues for Rust depedencies
License: CC0-1.0
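Review bot: the `Summary:` context line carries a typo ("depedencies" should be "dependencies"); it is not part of this version bump, but it is shown to every user of the package, so fix it in the same or a follow-up request.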
++++++ _service ++++++
--- /var/tmp/diff_new_pack.3GFLzY/_old 2021-07-22 22:44:08.559138635 +0200
+++ /var/tmp/diff_new_pack.3GFLzY/_new 2021-07-22 22:44:08.559138635 +0200
@@ -2,7 +2,7 @@
<service mode="disabled" name="obs_scm">
<param name="url">https://github.com/RustSec/advisory-db.git</param>
<param name="scm">git</param>
- <param name="version">20210702</param>
+ <param name="version">20210721</param>
<param name="revision">master</param>
<param name="changesgenerate">enable</param>
<param name="changesauthor">[email protected]</param>
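Review bot: `version` is a date string and `revision` stays at `master`, so nothing in this `_service` pins the checkout to a specific upstream commit, and re-running the service on another day will fetch different advisory content under the same package version. Record the commit hash in `revision` (or at least document which upstream commit 20210721 corresponds to) so the source can be reproduced. Also confirm that `master` is still the branch the upstream tooling uses; the new export-osv.yml workflow in this update triggers on `branches: main`.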
++++++ advisory-db-20210702.tar.xz -> advisory-db-20210721.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/advisory-db-20210702/.duplicate-id-guard
new/advisory-db-20210721/.duplicate-id-guard
--- old/advisory-db-20210702/.duplicate-id-guard 2021-07-02
01:39:03.000000000 +0200
+++ new/advisory-db-20210721/.duplicate-id-guard 2021-07-13
14:47:59.000000000 +0200
@@ -1,3 +1,3 @@
This file causes merge conflicts if two ID assignment jobs run concurrently.
This prevents duplicate ID assignment due to a race between those jobs.
-9ae15a1aa0407b9b02ec7b965943ec1541f88b9dcd54e9ba0d27a85a7cad4811 -
+10f78efb7823f3c335f7dd815207a12473d128651d511ea71ae1a8419b59874d -
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20210702/.github/workflows/assign-ids.yml
new/advisory-db-20210721/.github/workflows/assign-ids.yml
--- old/advisory-db-20210702/.github/workflows/assign-ids.yml 2021-07-02
01:39:03.000000000 +0200
+++ new/advisory-db-20210721/.github/workflows/assign-ids.yml 2021-07-13
14:47:59.000000000 +0200
@@ -15,12 +15,12 @@
uses: actions/cache@v1
with:
path: ~/.cargo/bin
- key: rustsec-admin-v0.5.0
+ key: rustsec-admin-v0.5.1
- name: Install rustsec-admin
run: |
if [ ! -f $HOME/.cargo/bin/rustsec-admin ]; then
- cargo install rustsec-admin --vers 0.5.0
+ cargo install rustsec-admin --vers 0.5.1
fi
- name: Assign IDs
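Review bot: `cargo install rustsec-admin --vers 0.5.1` runs without `--locked`, so the dependency graph is resolved fresh at install time and two runs of this workflow can produce different binaries for the same 0.5.1 version, while the cache key `rustsec-admin-v0.5.1` implies the binary is fixed by version. Add `--locked` so the crate's Cargo.lock is honoured and the cached binary is reproducible.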
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20210702/.github/workflows/export-osv.yml
new/advisory-db-20210721/.github/workflows/export-osv.yml
--- old/advisory-db-20210702/.github/workflows/export-osv.yml 1970-01-01
01:00:00.000000000 +0100
+++ new/advisory-db-20210721/.github/workflows/export-osv.yml 2021-07-13
14:47:59.000000000 +0200
@@ -0,0 +1,30 @@
+name: Export OSV
+
+on:
+ push:
+ branches: main
+
+jobs:
+ publish-web:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ with:
+ ref: osv-experimental-v0.7
+ - uses: actions/cache@v1
+ with:
+ path: ~/.cargo/bin
+ key: rustsec-admin-v0.5.1
+ - run: |
+ if [ ! -f $HOME/.cargo/bin/rustsec-admin ]; then
+ cargo install rustsec-admin --vers 0.5.1
+ fi
+ mkdir -p crates
+ rustsec-admin osv crates
+ # FIXME: hack to avoid committing advisories without an ID
+ rm -f crates/RUSTSEC-0000-0000.json
+ git config user.name github-actions
+ git config user.email [email protected]
+ git add .
+ git commit -m "Update OSV exported data" || true
+ git push || true
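Review bot: both `git commit -m "Update OSV exported data" || true` and `git push || true` swallow failures, so a push rejected by the remote or a broken export leaves the published OSV data stale while the workflow still reports success. Keep the `|| true` only on the commit step (where "nothing to commit" is expected) and let a failed push fail the job, or guard the commit with `git diff --quiet --exit-code` instead. Two more things worth confirming: the job triggers on pushes to `main` but checks out `ref: osv-experimental-v0.7`, so the export is generated from that branch rather than from the commit that triggered it, and the `FIXME` that deletes `crates/RUSTSEC-0000-0000.json` should be tracked as an issue so the unassigned-ID case is handled in `rustsec-admin osv` itself.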
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20210702/.github/workflows/publish-web.yml
new/advisory-db-20210721/.github/workflows/publish-web.yml
--- old/advisory-db-20210702/.github/workflows/publish-web.yml 2021-07-02
01:39:03.000000000 +0200
+++ new/advisory-db-20210721/.github/workflows/publish-web.yml 2021-07-13
14:47:59.000000000 +0200
@@ -14,10 +14,10 @@
- uses: actions/cache@v1
with:
path: ~/.cargo/bin
- key: rustsec-admin-v0.5.0
+ key: rustsec-admin-v0.5.1
- run: |
if [ ! -f $HOME/.cargo/bin/rustsec-admin ]; then
- cargo install rustsec-admin --vers 0.5.0
+ cargo install rustsec-admin --vers 0.5.1
fi
rustsec-admin web .
git config user.name github-actions
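Review bot: `uses: actions/cache@v1` references the action by a mutable tag, so the code this job runs can change without any change to this file; pin third-party actions to a full commit SHA (with the tag in a comment) in the workflows that publish content. The version-bump lines themselves are fine.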
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/advisory-db-20210702/.github/workflows/validate.yml
new/advisory-db-20210721/.github/workflows/validate.yml
--- old/advisory-db-20210702/.github/workflows/validate.yml 2021-07-02
01:39:03.000000000 +0200
+++ new/advisory-db-20210721/.github/workflows/validate.yml 2021-07-13
14:47:59.000000000 +0200
@@ -16,12 +16,12 @@
uses: actions/cache@v1
with:
path: ~/.cargo/bin
- key: rustsec-admin-v0.5.0
+ key: rustsec-admin-v0.5.1
- name: Install rustsec-admin
run: |
if [ ! -f $HOME/.cargo/bin/rustsec-admin ]; then
- cargo install rustsec-admin --vers 0.5.0
+ cargo install rustsec-admin --vers 0.5.1
fi
- name: Lint advisories
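Review bot: this is the fourth copy of the same cache-and-install block (assign-ids.yml, export-osv.yml, publish-web.yml, validate.yml), each of which had to be edited for the 0.5.0 to 0.5.1 bump. Move the `actions/cache` step and the `cargo install rustsec-admin` block into a composite action or a shared step so the version lives in one place and a future bump cannot leave one workflow behind.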
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20210702/crates/ammonia/RUSTSEC-2021-0074.md
new/advisory-db-20210721/crates/ammonia/RUSTSEC-2021-0074.md
--- old/advisory-db-20210702/crates/ammonia/RUSTSEC-2021-0074.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20210721/crates/ammonia/RUSTSEC-2021-0074.md
2021-07-13 14:47:59.000000000 +0200
@@ -0,0 +1,39 @@
+```toml
+[advisory]
+id = "RUSTSEC-2021-0074"
+package = "ammonia"
+date = "2021-07-08"
+url = "https://github.com/rust-ammonia/ammonia/pull/142"
+categories = ["format-injection"]
+keywords = ["html", "xss"]
+
+[versions]
+patched = [">= 3.1.0", ">= 2.1.3, < 3.0.0"]
+```
+
+# Incorrect handling of embedded SVG and MathML leads to mutation XSS
+
+Affected versions of this crate did not account for namespace-related parsing
+differences between HTML, SVG, and MathML. Even if the `svg` and `math`
elements
+are not allowed, the underlying HTML parser still treats them differently.
+Running cleanup without accounting for these differing namespaces resulted in
an "impossible"
+DOM, which appeared "safe" when examining the DOM tree, but when serialized
and deserialized,
+could be exploited to inject abitrary markup.
+
+To exploit this, the application using this library must allow a tag that is
parsed as raw text in HTML.
+These [elements] are:
+
+* title
+* textarea
+* xmp
+* iframe
+* noembed
+* noframes
+* plaintext
+* noscript
+* style
+* script
+
+Applications that do not explicitly allow any of these tags should not be
affected, since none are allowed by default.
+
+[elements]:
https://github.com/servo/html5ever/blob/57eb334c0ffccc6f88d563419f0fbeef6ff5741c/html5ever/src/tree_builder/rules.rs
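Review bot: "inject abitrary markup" in the description should read "arbitrary". The `patched` list (`>= 3.1.0` or `>= 2.1.3, < 3.0.0`) means no 3.0.x release is fixed; state that explicitly in the text so users on 3.0.x know they must move to 3.1.0 rather than wait for a 3.0 point release.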
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20210702/crates/ark-r1cs-std/RUSTSEC-2021-0075.md
new/advisory-db-20210721/crates/ark-r1cs-std/RUSTSEC-2021-0075.md
--- old/advisory-db-20210702/crates/ark-r1cs-std/RUSTSEC-2021-0075.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20210721/crates/ark-r1cs-std/RUSTSEC-2021-0075.md
2021-07-13 14:47:59.000000000 +0200
@@ -0,0 +1,22 @@
+```toml
+[advisory]
+id = "RUSTSEC-2021-0075"
+package = "ark-r1cs-std"
+date = "2021-07-08"
+categories = ["crypto-failure"]
+keywords = ["r1cs", "zksnark", "arkworks"]
+url = "https://github.com/arkworks-rs/r1cs-std/pull/70"
+
+[versions]
+patched = [">= 0.3.1"]
+
+[affected]
+functions = { "ark_r1cs_std::FieldVar::mul_by_inverse" = ["< 0.3.0"] }
+```
+
+# Flaw in `FieldVar::mul_by_inverse` allows unsound R1CS constraint systems
+
+Versions `0.2.0` to `0.3.0` of ark-r1cs-std did not enforce any constraints in
the `FieldVar::mul_by_inverse` method, allowing a malicious prover to produce
an unsound proof that passes all verifier checks.
+This method was used primarily in scalar multiplication for
[`short_weierstrass::ProjectiveVar`](https://docs.rs/ark-r1cs-std/0.3.0/ark_r1cs_std/groups/curves/short_weierstrass/struct.ProjectiveVar.html).
+
+This bug was fixed in commit `47ddbaa`, and was released as part of version
`0.3.1` on `crates.io`.
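Review bot: the `[affected]` entry `"ark_r1cs_std::FieldVar::mul_by_inverse" = ["< 0.3.0"]` contradicts the text and the `[versions]` table, which say versions `0.2.0` to `0.3.0` are affected and the fix shipped in `0.3.1`; as written, 0.3.0 is excluded from the function-level range. Change it to `[">= 0.2.0, < 0.3.1"]` (or at least `"< 0.3.1"`) so the function range agrees with `patched = [">= 0.3.1"]`.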
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20210702/crates/libsecp256k1/RUSTSEC-2021-0076.md
new/advisory-db-20210721/crates/libsecp256k1/RUSTSEC-2021-0076.md
--- old/advisory-db-20210702/crates/libsecp256k1/RUSTSEC-2021-0076.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20210721/crates/libsecp256k1/RUSTSEC-2021-0076.md
2021-07-13 14:47:59.000000000 +0200
@@ -0,0 +1,18 @@
+```toml
+[advisory]
+id = "RUSTSEC-2021-0076"
+package = "libsecp256k1"
+date = "2021-07-13"
+url = "https://github.com/paritytech/libsecp256k1/pull/67"
+categories = ["crypto-failure"]
+[versions]
+patched = [">= 0.5.0"]
+```
+
+# libsecp256k1 allows overflowing signatures
+
+libsecp256k1 accepts signatures whose R or S parameter is larger than the
+secp256k1 curve order, which differs from other implementations. This could
+lead to invalid signatures being verified.
+
+The error is resolved in 0.5.0 by adding a `check_overflow` flag.
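Review bot: the description says the issue is resolved "by adding a `check_overflow` flag", but `patched = [">= 0.5.0"]` tells cargo-audit that every 0.5.0 user is safe; that is only true if the flag is enabled by default (or if the overflowing signatures are rejected unconditionally on the verification path). State which it is, and if the check is opt-in, say so in the text and consider whether 0.5.0 should be listed as patched at all. Minor: the TOML block is missing the blank line before `[versions]` that the other advisories use.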
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20210702/crates/prost-types/RUSTSEC-2021-0073.md
new/advisory-db-20210721/crates/prost-types/RUSTSEC-2021-0073.md
--- old/advisory-db-20210702/crates/prost-types/RUSTSEC-2021-0073.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20210721/crates/prost-types/RUSTSEC-2021-0073.md
2021-07-13 14:47:59.000000000 +0200
@@ -0,0 +1,25 @@
+```toml
+[advisory]
+id = "RUSTSEC-2021-0073"
+package = "prost-types"
+date = "2021-07-08"
+url = "https://github.com/tokio-rs/prost/issues/438"
+categories = ["denial-of-service"]
+keywords = ["denial-of-service"]
+
+[versions]
+patched = [">= 0.8.0"]
+
+[affected]
+functions = { "prost_types::Timestamp::Into<SystemTime>" = ["<= 0.7.0"] }
+```
+
+# Conversion from `prost_types::Timestamp` to `SystemTime` can cause an
overflow and panic
+
+Affected versions of this crate contained a bug in which untrusted input could
cause an overflow and panic when converting a `Timestamp` to `SystemTime`.
+
+It is recommended to upgrade to `prost-types` v0.8 and switch the usage of
`From<Timestamp> for SystemTime` to `TryFrom<Timestamp> for SystemTime`.
+
+See [#438] for more information.
+
+[#438]: https://github.com/tokio-rs/prost/issues/438
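Review bot: the function range `["<= 0.7.0"]` and `patched = [">= 0.8.0"]` do not meet, so any 0.7.x release after 0.7.0 would be classified as neither affected nor patched; use `"< 0.8.0"` for the function range unless a fixed 0.7.x release exists. The path `"prost_types::Timestamp::Into<SystemTime>"` also does not name the implementation the text describes (`From<Timestamp> for SystemTime`); align the key with the trait impl the fix changed so function-level matching works.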
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20210702/crates/tokio/RUSTSEC-2021-0072.md
new/advisory-db-20210721/crates/tokio/RUSTSEC-2021-0072.md
--- old/advisory-db-20210702/crates/tokio/RUSTSEC-2021-0072.md 1970-01-01
01:00:00.000000000 +0100
+++ new/advisory-db-20210721/crates/tokio/RUSTSEC-2021-0072.md 2021-07-13
14:47:59.000000000 +0200
@@ -0,0 +1,29 @@
+```toml
+[advisory]
+id = "RUSTSEC-2021-0072"
+package = "tokio"
+date = "2021-07-07"
+url = "https://github.com/tokio-rs/tokio/issues/3929"
+categories = ["memory-corruption"]
+keywords = ["race condition", "send"]
+
+[affected]
+functions = { "tokio::task::JoinHandle::abort" = ["<= 1.8.0, >= 0.3.0"] }
+
+[versions]
+patched = [">= 1.5.1, < 1.6.0", ">= 1.6.3, < 1.7.0", ">= 1.7.2, < 1.8.0", ">=
1.8.1"]
+unaffected = ["< 0.3.0"]
+```
+
+# Task dropped in wrong thread when aborting `LocalSet` task
+
+When aborting a task with `JoinHandle::abort`, the future is dropped in the
+thread calling abort if the task is not currently being executed. This is
+incorrect for tasks spawned on a `LocalSet`.
+
+This can easily result in race conditions as many projects use `Rc` or
`RefCell`
+in their Tokio tasks for better performance.
+
+See [tokio#3929][issue] for more details.
+
+[issue]: https://github.com/tokio-rs/tokio/issues/3929
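Review bot: the function range `["<= 1.8.0, >= 0.3.0"]` includes 1.5.1, 1.6.3 and 1.7.2, which `[versions].patched` lists as fixed. Confirm that the tooling treats `patched` as taking precedence over `[affected].functions`; if it does not, tighten the function range to match the patched point releases so users on those versions are not flagged.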
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/advisory-db-20210702/rust/std/CVE-2017-20004.md
new/advisory-db-20210721/rust/std/CVE-2017-20004.md
--- old/advisory-db-20210702/rust/std/CVE-2017-20004.md 1970-01-01
01:00:00.000000000 +0100
+++ new/advisory-db-20210721/rust/std/CVE-2017-20004.md 2021-07-13
14:47:59.000000000 +0200
@@ -0,0 +1,16 @@
+```toml
+[advisory]
+id = "CVE-2017-20004"
+package = "std"
+categories = ["thread-safety"]
+date = "2017-04-29"
+url = "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-20004"
+
+[versions]
+patched = [">= 1.19.0"]
+unaffected = ["< 1.0.0"]
+```
+
+# MutexGuard\<Cell\<i32\>\> must not be Sync
+
+In the standard library in Rust before 1.19.0, there is a synchronization
problem in the MutexGuard object. MutexGuards can be used across threads with
any types, allowing for memory safety issues through race conditions.
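Review bot: the heading `MutexGuard\<Cell\<i32\>\> must not be Sync` uses backslash-escaped angle brackets where the other advisories in this set put type names in backticks (`Arc::get_mut`, `FieldVar::mul_by_inverse`); write it as `` `MutexGuard<Cell<i32>>` `` so it renders consistently on the web export.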
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/advisory-db-20210702/rust/std/CVE-2018-25008.md
new/advisory-db-20210721/rust/std/CVE-2018-25008.md
--- old/advisory-db-20210702/rust/std/CVE-2018-25008.md 1970-01-01
01:00:00.000000000 +0100
+++ new/advisory-db-20210721/rust/std/CVE-2018-25008.md 2021-07-13
14:47:59.000000000 +0200
@@ -0,0 +1,16 @@
+```toml
+[advisory]
+id = "CVE-2018-25008"
+package = "std"
+categories = ["thread-safety"]
+date = "2018-06-25"
+url = "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-25008"
+
+[versions]
+patched = [">= 1.29.0"]
+unaffected = ["< 1.3.0"]
+```
+
+# Insufficient synchronization in `Arc::get_mut`
+
+In the standard library in Rust before 1.29.0, there is weak synchronization
in the Arc::get_mut method. This synchronization issue can be lead to memory
safety issues through race conditions.
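Review bot: "This synchronization issue can be lead to memory safety issues" should read "can lead to"; the sentence is copied from the CVE record and should at least be grammatical in the published advisory.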
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/advisory-db-20210702/rust/std/CVE-2019-1010299.md
new/advisory-db-20210721/rust/std/CVE-2019-1010299.md
--- old/advisory-db-20210702/rust/std/CVE-2019-1010299.md 1970-01-01
01:00:00.000000000 +0100
+++ new/advisory-db-20210721/rust/std/CVE-2019-1010299.md 2021-07-13
14:47:59.000000000 +0200
@@ -0,0 +1,16 @@
+```toml
+[advisory]
+id = "CVE-2019-1010299"
+package = "std"
+categories = ["memory-exposure"]
+date = "2018-08-21"
+url = "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010299"
+
+[versions]
+patched = [">= 1.30.0"]
+unaffected = ["< 1.18.0"]
+```
+
+# vec_deque::Iter has unsound Debug implementation
+
+The Rust Programming Language Standard Library 1.18.0 and later is affected
by: CWE-200: Information Exposure. The impact is: Contents of uninitialized
memory could be printed to string or to log file. The component is: Debug trait
implementation for std::collections::vec_deque::Iter. The attack vector is: The
program needs to invoke debug printing for iterator over an empty VecDeque. The
fixed version is: 1.30.0, nightly versions after commit
b85e4cc8fadaabd41da5b9645c08c68b8f89908d.
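Review bot: the description is the raw MITRE record template ("The impact is:", "The component is:", "The attack vector is:"), which reads poorly next to the other advisories; rewrite it as prose in the database's style, keeping the CWE-200 reference, the affected component (`Debug` for `std::collections::vec_deque::Iter`), the trigger (debug-printing an iterator over an empty `VecDeque`) and the fixing commit.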
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/advisory-db-20210702/rust/std/CVE-2020-36323.md
new/advisory-db-20210721/rust/std/CVE-2020-36323.md
--- old/advisory-db-20210702/rust/std/CVE-2020-36323.md 1970-01-01
01:00:00.000000000 +0100
+++ new/advisory-db-20210721/rust/std/CVE-2020-36323.md 2021-07-13
14:47:59.000000000 +0200
@@ -0,0 +1,16 @@
+```toml
+[advisory]
+id = "CVE-2020-36323"
+package = "std"
+categories = ["memory-exposure"]
+date = "2020-12-23"
+url = "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36323"
+
+[versions]
+patched = [">= 1.52.0"]
+unaffected = ["< 1.28.0"]
+```
+
+# API soundness issue in join() implementation of \[Borrow\<str\>\]
+
+In the standard library in Rust before 1.52.0, there is an optimization for
joining strings that can cause uninitialized bytes to be exposed (or the
program to crash) if the borrowed string changes after its length is checked.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/advisory-db-20210702/rust/std/CVE-2021-31162.md
new/advisory-db-20210721/rust/std/CVE-2021-31162.md
--- old/advisory-db-20210702/rust/std/CVE-2021-31162.md 1970-01-01
01:00:00.000000000 +0100
+++ new/advisory-db-20210721/rust/std/CVE-2021-31162.md 2021-07-13
14:47:59.000000000 +0200
@@ -0,0 +1,16 @@
+```toml
+[advisory]
+id = "CVE-2021-31162"
+package = "std"
+categories = ["memory-corruption"]
+date = "2021-03-28"
+url = "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31162"
+
+[versions]
+patched = [">= 1.52.0"]
+unaffected = ["< 1.48.0"]
+```
+
+# Double free in Vec::from_iter specialization when drop panics
+
+In the standard library in Rust before 1.52.0, a double free can occur in the
Vec::from_iter function if freeing the element panics.
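Review bot: each of the new `rust/std` advisories sets `url` to the MITRE lookup page only; none links the upstream rust-lang issue or fixing PR, which is what a reader needs to judge the scope of the bug and verify the patched version. Add the upstream reference (as `references` or in the text) alongside the CVE URL.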