Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package cargo-audit-advisory-db for openSUSE:Factory checked in at 2021-08-03 22:48:43
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/cargo-audit-advisory-db (Old)
 and      /work/SRC/openSUSE:Factory/.cargo-audit-advisory-db.new.1899 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cargo-audit-advisory-db" Tue Aug 3 22:48:43 2021 rev:10 rq:909876 version:20210802 Changes: -------- --- /work/SRC/openSUSE:Factory/cargo-audit-advisory-db/cargo-audit-advisory-db.changes 2021-07-22 22:44:08.123139204 +0200 +++ /work/SRC/openSUSE:Factory/.cargo-audit-advisory-db.new.1899/cargo-audit-advisory-db.changes 2021-08-03 22:49:00.112477976 +0200 @@ -1,0 +2,15 @@ +Mon Aug 02 02:47:18 UTC 2021 - wbr...@suse.de + +- Update to version 20210802: + * Assigned RUSTSEC-2021-0077 to better-macro (#969) + * better-macro has deliberate RCE in proc-macro (#966) + * Assigned RUSTSEC-2021-0076 to libsecp256k1 (#964) + * Add advisory for libsecp256k1 (#963) + * Assigned RUSTSEC-2021-0075 to ark-r1cs-std (#962) + * `ark_r1cs_std::mul_by_inverse` generated unsound constraints in versions below `0.3.1` (#961) + * Revert "Hotfix #957 until we figure out what to do with it (#958)" (#960) + * Assigned RUSTSEC-2021-0074 to ammonia (#959) + * Add rust-ammonia/ammonia#142 (#956) + * Hotfix #957 until we figure out what to do with it (#958) + +------------------------------------------------------------------- Old: ---- advisory-db-20210721.tar.xz New: ---- advisory-db-20210802.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ cargo-audit-advisory-db.spec ++++++ --- /var/tmp/diff_new_pack.pCgQoo/_old 2021-08-03 22:49:01.644476128 +0200 +++ /var/tmp/diff_new_pack.pCgQoo/_new 2021-08-03 22:49:01.648476123 +0200 @@ -17,7 +17,7 @@ Name: cargo-audit-advisory-db -Version: 20210721 +Version: 20210802 Release: 0 Summary: A database of known security issues for Rust depedencies License: CC0-1.0 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.pCgQoo/_old 2021-08-03 22:49:01.680476084 +0200 +++ /var/tmp/diff_new_pack.pCgQoo/_new 2021-08-03 22:49:01.680476084 +0200 
@@ -2,7 +2,7 @@ <service mode="disabled" name="obs_scm"> <param name="url">https://github.com/RustSec/advisory-db.git</param> <param name="scm">git</param> - <param name="version">20210721</param> + <param name="version">20210802</param> <param name="revision">master</param> <param name="changesgenerate">enable</param> <param name="changesauthor">wbr...@suse.de</param> ++++++ advisory-db-20210721.tar.xz -> advisory-db-20210802.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20210721/.duplicate-id-guard new/advisory-db-20210802/.duplicate-id-guard --- old/advisory-db-20210721/.duplicate-id-guard 2021-07-13 14:47:59.000000000 +0200 +++ new/advisory-db-20210802/.duplicate-id-guard 2021-07-26 22:46:07.000000000 +0200 @@ -1,3 +1,3 @@ This file causes merge conflicts if two ID assignment jobs run concurrently. This prevents duplicate ID assignment due to a race between those jobs. -10f78efb7823f3c335f7dd815207a12473d128651d511ea71ae1a8419b59874d - +bd246e1f4b34100531c2fa8edeff29e12391cca115de6b424aed2a2127e93b03 - diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20210721/crates/better-macro/RUSTSEC-2021-0077.md new/advisory-db-20210802/crates/better-macro/RUSTSEC-2021-0077.md --- old/advisory-db-20210721/crates/better-macro/RUSTSEC-2021-0077.md 1970-01-01 01:00:00.000000000 +0100 +++ new/advisory-db-20210802/crates/better-macro/RUSTSEC-2021-0077.md 2021-07-26 22:46:07.000000000 +0200 
@@ -0,0 +1,27 @@ +```toml +[advisory] +id = "RUSTSEC-2021-0077" +package = "better-macro" +date = "2021-07-22" +url = "https://github.com/raycar5/better-macro/blob/24ff1702397b9c19bbfa4c660e2316cd77d3b900/src/lib.rs#L36-L38" +categories = ["code-execution"] +keywords = ["rce", "proc-macro"] + +[affected] +functions = { "better_macro::println" = ["> 1.0.0"] } + +[versions] +patched = [] +``` + +# `better-macro` has deliberate RCE to prove a point + +[better-macro](https://crates.io/crates/better-macro) is a fake crate which is +"Proving A Point" that proc-macros can run arbitrary code. This a particularly +novel or interesting observation. + +It currently opens `https://github.com/raycar5/better-macro/blob/master/doc/hi.md` +which doesn't appear to have any malicious content, but there's no guarantee that +will remain the case. + +This crate has no useful functionality, and should not be used.
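Review bot: the unchanged context line `Summary: A database of known security issues for Rust depedencies` in the cargo-audit-advisory-db.spec hunk misspells "dependencies"; since the spec is already being edited for the version bump, fold the fix into this request as `Summary: A database of known security issues for Rust dependencies`.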
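Review bot: in the _service hunk only `<param name="version">` moves from 20210721 to 20210802 while `<param name="revision">master</param>` stays a moving branch, so the obs_scm checkout is not pinned and re-running the service on another day yields a different advisory-db-20210802.tar.xz under the same version string. For a package whose entire payload is a security advisory database, pin the revision to the commit hash that produced this tarball so the source can be reproduced and verified against the upstream repository.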
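Review bot: the version metadata in the new RUSTSEC-2021-0077.md is internally inconsistent: `[versions] patched = []` with no `unaffected` list flags every release of better-macro, while `[affected] functions = { "better_macro::println" = ["> 1.0.0"] }` limits the affected function to versions above 1.0.0, exempting 1.0.0 itself; either widen the function range to match the crate-level metadata or add an `unaffected` entry explaining why 1.0.0 is exempt. The description also has a grammar slip that inverts its meaning: `This a particularly novel or interesting observation.` is missing a verb and, as written, praises the observation, which contradicts the surrounding text (`fake crate`, `has no useful functionality`); presumably `This is not a particularly novel or interesting observation.` was intended.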