Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package cargo-audit-advisory-db for openSUSE:Factory checked in at 2021-10-19 23:03:47
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/cargo-audit-advisory-db (Old)
 and      /work/SRC/openSUSE:Factory/.cargo-audit-advisory-db.new.1890 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cargo-audit-advisory-db" Tue Oct 19 23:03:47 2021 rev:12 rq:926117 version:20211019 Changes: -------- --- /work/SRC/openSUSE:Factory/cargo-audit-advisory-db/cargo-audit-advisory-db.changes 2021-10-05 22:34:14.086909250 +0200 +++ /work/SRC/openSUSE:Factory/.cargo-audit-advisory-db.new.1890/cargo-audit-advisory-db.changes 2021-10-19 23:04:00.469277865 +0200 @@ -1,0 +2,15 @@ +Tue Oct 19 01:15:12 UTC 2021 - wbr...@suse.de + +- Update to version 20211019: + * Assigned RUSTSEC-2021-0121 to crypto2 (#1084) + * Unsound implementation of Chacha20 in crypto2 (#1072) + * Assigned RUSTSEC-2020-0159 to chrono (#1083) + * Add `chrono` advisory for chrono#499 (localtime_r) (#1082) + * Update vec-const advisory (#1081) + * Assigned RUSTSEC-2021-0120 to abomonation (#1080) + * Report abomonation as unsound (#1079) + * Update RUSTEC-2020-0071 (#1078) + * add missing cve info to advisories (#1077) + * Add CVE information to RUSTSEC-2020-0142 (#1076) + +------------------------------------------------------------------- Old: ---- advisory-db-20211005.tar.xz New: ---- advisory-db-20211019.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ cargo-audit-advisory-db.spec ++++++ --- /var/tmp/diff_new_pack.wX1nM4/_old 2021-10-19 23:04:01.065278135 +0200 +++ /var/tmp/diff_new_pack.wX1nM4/_new 2021-10-19 23:04:01.065278135 +0200 @@ -17,7 +17,7 @@ Name: cargo-audit-advisory-db -Version: 20211005 +Version: 20211019 Release: 0 Summary: A database of known security issues for Rust depedencies License: CC0-1.0 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.wX1nM4/_old 2021-10-19 23:04:01.093278148 +0200 +++ /var/tmp/diff_new_pack.wX1nM4/_new 2021-10-19 23:04:01.097278150 +0200 
@@ -2,7 +2,7 @@ <service mode="disabled" name="obs_scm"> <param name="url">https://github.com/RustSec/advisory-db.git</param> <param name="scm">git</param> - <param name="version">20211005</param> + <param name="version">20211019</param> <param name="revision">master</param> <param name="changesgenerate">enable</param> <param name="changesauthor">wbr...@suse.de</param> ++++++ advisory-db-20211005.tar.xz -> advisory-db-20211019.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20211005/.duplicate-id-guard new/advisory-db-20211019/.duplicate-id-guard --- old/advisory-db-20211005/.duplicate-id-guard 2021-10-01 23:25:09.000000000 +0200 +++ new/advisory-db-20211019/.duplicate-id-guard 2021-10-18 18:22:07.000000000 +0200 @@ -1,3 +1,3 @@ This file causes merge conflicts if two ID assignment jobs run concurrently. This prevents duplicate ID assignment due to a race between those jobs. -42ca4d90b4a557daf80f0be606f514ad413a5d90341135f70714161f49348a74 - +95115d8c9869b0a0e3e4bdf781cf094e564ece260a8f34a89b73c762c1eb72cd - diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20211005/README.md new/advisory-db-20211019/README.md --- old/advisory-db-20211005/README.md 2021-10-01 23:25:09.000000000 +0200 +++ new/advisory-db-20211019/README.md 2021-10-18 18:22:07.000000000 +0200 
@@ -8,7 +8,7 @@ against Rust crates published via https://crates.io. A human-readable version of the advisory database can be found at https://rustsec.org/advisories/. -We also export advisory data to [OSV](https://github.com/ossf/osv-schema) format, +We also export advisory data to the [OSV](https://github.com/ossf/osv-schema) format, see the [`osv`](https://github.com/rustsec/advisory-db/tree/osv) branch. The following tools consume this advisory database and can be used for auditing diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20211005/crates/abomonation/RUSTSEC-2021-0120.md new/advisory-db-20211019/crates/abomonation/RUSTSEC-2021-0120.md --- old/advisory-db-20211005/crates/abomonation/RUSTSEC-2021-0120.md 1970-01-01 01:00:00.000000000 +0100 +++ new/advisory-db-20211019/crates/abomonation/RUSTSEC-2021-0120.md 2021-10-18 18:22:07.000000000 +0200 
@@ -0,0 +1,19 @@ +```toml +[advisory] +id = "RUSTSEC-2021-0120" +package = "abomonation" +date = "2021-10-17" +url = "https://github.com/TimelyDataflow/abomonation/issues/23" +categories = [] +keywords = [] +informational = "unsound" + +[versions] +patched = [] +``` + +# abomonation transmutes &T to and from &[u8] without sufficient constraints + +This transmute is at the core of the abomonation crates. It's so easy to use it to violate alignment requirements that no test in the crate's test suite passes under miri. +The use of this transmute in serialization/deserialization also incorrectly assumes that the layout of a repr(Rust) type is stable. +This transmute can also disclose both the contents of padding bytes which may be an information leak and the contents of pointers, which may be used to defeat ASLR. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20211005/crates/abox/RUSTSEC-2020-0121.md new/advisory-db-20211019/crates/abox/RUSTSEC-2020-0121.md --- old/advisory-db-20211005/crates/abox/RUSTSEC-2020-0121.md 2021-10-01 23:25:09.000000000 +0200 +++ new/advisory-db-20211019/crates/abox/RUSTSEC-2020-0121.md 2021-10-18 18:22:07.000000000 +0200 @@ -5,6 +5,7 @@ date = "2020-11-10" url = "https://github.com/SonicFrog/abox/issues/1" categories = ["memory-corruption", "thread-safety"] +aliases = ["CVE-2020-36441"] [versions] patched = [">= 0.4.1"] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20211005/crates/alg_ds/RUSTSEC-2020-0033.md new/advisory-db-20211019/crates/alg_ds/RUSTSEC-2020-0033.md --- old/advisory-db-20211005/crates/alg_ds/RUSTSEC-2020-0033.md 2021-10-01 23:25:09.000000000 +0200 +++ new/advisory-db-20211019/crates/alg_ds/RUSTSEC-2020-0033.md 2021-10-18 18:22:07.000000000 +0200 
@@ -4,6 +4,7 @@ package = "alg_ds" date = "2020-08-25" url = "https://gitlab.com/dvshapkin/alg-ds/-/issues/1" +aliases = ["CVE-2020-36432"] [versions] patched = [] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20211005/crates/appendix/RUSTSEC-2020-0149.md new/advisory-db-20211019/crates/appendix/RUSTSEC-2020-0149.md --- old/advisory-db-20211005/crates/appendix/RUSTSEC-2020-0149.md 2021-10-01 23:25:09.000000000 +0200 +++ new/advisory-db-20211019/crates/appendix/RUSTSEC-2020-0149.md 2021-10-18 18:22:07.000000000 +0200 @@ -5,6 +5,7 @@ date = "2020-11-15" url = "https://github.com/krl/appendix/issues/6" categories = ["memory-corruption", "thread-safety"] +aliases = ["CVE-2020-36469"] [versions] patched = [] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20211005/crates/array-tools/RUSTSEC-2020-0132.md new/advisory-db-20211019/crates/array-tools/RUSTSEC-2020-0132.md --- old/advisory-db-20211005/crates/array-tools/RUSTSEC-2020-0132.md 2021-10-01 23:25:09.000000000 +0200 +++ new/advisory-db-20211019/crates/array-tools/RUSTSEC-2020-0132.md 2021-10-18 18:22:07.000000000 +0200 @@ -5,6 +5,7 @@ date = "2020-12-31" url = "https://github.com/L117/array-tools/issues/2" categories = ["memory-corruption"] +aliases = ["CVE-2020-36452"] [versions] patched = [">= 0.3.2"] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20211005/crates/async-coap/RUSTSEC-2020-0124.md new/advisory-db-20211019/crates/async-coap/RUSTSEC-2020-0124.md --- old/advisory-db-20211005/crates/async-coap/RUSTSEC-2020-0124.md 2021-10-01 23:25:09.000000000 +0200 +++ new/advisory-db-20211019/crates/async-coap/RUSTSEC-2020-0124.md 2021-10-18 18:22:07.000000000 +0200 
@@ -5,6 +5,7 @@ date = "2020-12-08" url = "https://github.com/google/rust-async-coap/issues/33" categories = ["memory-corruption", "thread-safety"] +aliases = ["CVE-2020-36444"] [versions] patched = [] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20211005/crates/beef/RUSTSEC-2020-0122.md new/advisory-db-20211019/crates/beef/RUSTSEC-2020-0122.md --- old/advisory-db-20211005/crates/beef/RUSTSEC-2020-0122.md 2021-10-01 23:25:09.000000000 +0200 +++ new/advisory-db-20211019/crates/beef/RUSTSEC-2020-0122.md 2021-10-18 18:22:07.000000000 +0200 @@ -5,6 +5,7 @@ date = "2020-10-28" url = "https://github.com/maciejhirsz/beef/issues/37" categories = ["memory-corruption", "thread-safety"] +aliases = ["CVE-2020-36442"] [versions] patched = [">= 0.5.0"] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20211005/crates/bunch/RUSTSEC-2020-0130.md new/advisory-db-20211019/crates/bunch/RUSTSEC-2020-0130.md --- old/advisory-db-20211005/crates/bunch/RUSTSEC-2020-0130.md 2021-10-01 23:25:09.000000000 +0200 +++ new/advisory-db-20211019/crates/bunch/RUSTSEC-2020-0130.md 2021-10-18 18:22:07.000000000 +0200 @@ -5,6 +5,7 @@ date = "2020-11-12" url = "https://github.com/krl/bunch/issues/1" categories = ["memory-corruption", "thread-safety"] +aliases = ["CVE-2020-36450"] [versions] patched = [] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20211005/crates/cache/RUSTSEC-2020-0128.md new/advisory-db-20211019/crates/cache/RUSTSEC-2020-0128.md --- old/advisory-db-20211005/crates/cache/RUSTSEC-2020-0128.md 2021-10-01 23:25:09.000000000 +0200 +++ new/advisory-db-20211019/crates/cache/RUSTSEC-2020-0128.md 2021-10-18 18:22:07.000000000 +0200 
@@ -5,6 +5,7 @@ date = "2020-11-24" url = "https://github.com/krl/cache/issues/1" categories = ["memory-corruption", "thread-safety"] +aliases = ["CVE-2020-36448"] [versions] patched = [] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20211005/crates/cgc/RUSTSEC-2020-0148.md new/advisory-db-20211019/crates/cgc/RUSTSEC-2020-0148.md --- old/advisory-db-20211005/crates/cgc/RUSTSEC-2020-0148.md 2021-10-01 23:25:09.000000000 +0200 +++ new/advisory-db-20211019/crates/cgc/RUSTSEC-2020-0148.md 2021-10-18 18:22:07.000000000 +0200 @@ -6,6 +6,7 @@ url = "https://github.com/playXE/cgc/issues/5" categories = ["memory-corruption"] keywords = ["memory-safety", "aliasing", "concurrency"] +aliases = ["CVE-2020-36466", "CVE-2020-36467", "CVE-2020-36468"] [versions] patched = [] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20211005/crates/chrono/RUSTSEC-2020-0159.md new/advisory-db-20211019/crates/chrono/RUSTSEC-2020-0159.md --- old/advisory-db-20211005/crates/chrono/RUSTSEC-2020-0159.md 1970-01-01 01:00:00.000000000 +0100 +++ new/advisory-db-20211019/crates/chrono/RUSTSEC-2020-0159.md 2021-10-18 18:22:07.000000000 +0200 
@@ -0,0 +1,27 @@ +```toml +[advisory] +id = "RUSTSEC-2020-0159" +package = "chrono" +date = "2020-11-10" +url = "https://github.com/chronotope/chrono/issues/499" +categories = ["code-execution", "memory-corruption"] +keywords = ["segfault"] +related = ["CVE-2020-26235", "RUSTSEC-2020-0071"] + +[versions] +patched = [] +``` + +# Potential segfault in `localtime_r` invocations + +### Impact + +Unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library. + +### Workarounds + +No workarounds are known. + +### References + +- [time-rs/time#293](https://github.com/time-rs/time/issues/293) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20211005/crates/chunky/RUSTSEC-2020-0035.md new/advisory-db-20211019/crates/chunky/RUSTSEC-2020-0035.md --- old/advisory-db-20211005/crates/chunky/RUSTSEC-2020-0035.md 2021-10-01 23:25:09.000000000 +0200 +++ new/advisory-db-20211019/crates/chunky/RUSTSEC-2020-0035.md 2021-10-18 18:22:07.000000000 +0200 @@ -5,6 +5,7 @@ date = "2020-08-25" informational = "unsound" url = "https://github.com/aeplay/chunky/issues/2" +aliases = ["CVE-2020-36433"] [versions] patched = [] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20211005/crates/conqueue/RUSTSEC-2020-0117.md new/advisory-db-20211019/crates/conqueue/RUSTSEC-2020-0117.md --- old/advisory-db-20211005/crates/conqueue/RUSTSEC-2020-0117.md 2021-10-01 23:25:09.000000000 +0200 +++ new/advisory-db-20211019/crates/conqueue/RUSTSEC-2020-0117.md 2021-10-18 18:22:07.000000000 +0200 
@@ -5,6 +5,7 @@ date = "2020-11-24" url = "https://github.com/longshorej/conqueue/issues/9" categories = ["memory-corruption", "thread-safety"] +aliases = ["CVE-2020-36437"] [versions] patched = [">= 0.4.0"] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20211005/crates/convec/RUSTSEC-2020-0125.md new/advisory-db-20211019/crates/convec/RUSTSEC-2020-0125.md --- old/advisory-db-20211005/crates/convec/RUSTSEC-2020-0125.md 2021-10-01 23:25:09.000000000 +0200 +++ new/advisory-db-20211019/crates/convec/RUSTSEC-2020-0125.md 2021-10-18 18:22:07.000000000 +0200 @@ -5,6 +5,7 @@ date = "2020-11-24" url = "https://github.com/krl/convec/issues/2" categories = ["memory-corruption", "thread-safety"] +aliases = ["CVE-2020-36445"] [versions] patched = [] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20211005/crates/crypto2/RUSTSEC-2021-0121.md new/advisory-db-20211019/crates/crypto2/RUSTSEC-2021-0121.md --- old/advisory-db-20211005/crates/crypto2/RUSTSEC-2021-0121.md 1970-01-01 01:00:00.000000000 +0100 +++ new/advisory-db-20211019/crates/crypto2/RUSTSEC-2021-0121.md 2021-10-18 18:22:07.000000000 +0200 
@@ -0,0 +1,22 @@ +```toml +[advisory] +id = "RUSTSEC-2021-0121" +package = "crypto2" +date = "2021-10-08" +url = "https://github.com/shadowsocks/crypto2/issues/27" +informational = "unsound" +keywords = ["crypto", "alignment", "unsound"] + +[affected.functions] +"crypto2::streamcipher::Chacha20::encrypt_slice" = ["*"] +"crypto2::streamcipher::Chacha20::decrypt_slice" = ["*"] +"crypto2::streamcipher::xor_si512_inplace" = ["*"] + +[versions] +patched = [] +``` + +# Non-aligned u32 read in Chacha20 encryption and decryption +The implementation does not enforce alignment requirements on input slices while incorrectly assuming 4-byte alignment through an unsafe call to `std::slice::from_raw_parts_mut`, which breaks the contract and introduces undefined behavior. + +This affects Chacha20 encryption and decryption in crypto2. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20211005/crates/dces/RUSTSEC-2020-0139.md new/advisory-db-20211019/crates/dces/RUSTSEC-2020-0139.md --- old/advisory-db-20211005/crates/dces/RUSTSEC-2020-0139.md 2021-10-01 23:25:09.000000000 +0200 +++ new/advisory-db-20211019/crates/dces/RUSTSEC-2020-0139.md 2021-10-18 18:22:07.000000000 +0200 @@ -6,6 +6,7 @@ url = "https://gitlab.redox-os.org/redox-os/dces-rust/-/issues/8" categories = ["memory-corruption", "thread-safety"] keywords = ["concurrency"] +aliases = ["CVE-2020-36459"] [versions] patched = [] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20211005/crates/disrustor/RUSTSEC-2020-0150.md new/advisory-db-20211019/crates/disrustor/RUSTSEC-2020-0150.md --- old/advisory-db-20211005/crates/disrustor/RUSTSEC-2020-0150.md 2021-10-01 23:25:09.000000000 +0200 +++ new/advisory-db-20211019/crates/disrustor/RUSTSEC-2020-0150.md 2021-10-18 18:22:07.000000000 +0200 
@@ -5,6 +5,7 @@ date = "2020-12-17" url = "https://github.com/sklose/disrustor/issues/1" categories = ["memory-corruption", "thread-safety"] +aliases = ["CVE-2020-36470"] [versions] patched = [] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20211005/crates/failure/RUSTSEC-2020-0036.md new/advisory-db-20211019/crates/failure/RUSTSEC-2020-0036.md --- old/advisory-db-20211005/crates/failure/RUSTSEC-2020-0036.md 2021-10-01 23:25:09.000000000 +0200 +++ new/advisory-db-20211019/crates/failure/RUSTSEC-2020-0036.md 2021-10-18 18:22:07.000000000 +0200 @@ -5,6 +5,7 @@ date = "2020-05-02" informational = "unmaintained" url = "https://github.com/rust-lang-nursery/failure/pull/347" +aliases = ["CVE-2020-25575"] [versions] patched = [] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20211005/crates/generator/RUSTSEC-2019-0020.md new/advisory-db-20211019/crates/generator/RUSTSEC-2019-0020.md --- old/advisory-db-20211005/crates/generator/RUSTSEC-2019-0020.md 2021-10-01 23:25:09.000000000 +0200 +++ new/advisory-db-20211019/crates/generator/RUSTSEC-2019-0020.md 2021-10-18 18:22:07.000000000 +0200 @@ -5,6 +5,7 @@ date = "2019-09-06" keywords = ["memory-corruption"] url = "https://github.com/Xudong-Huang/generator-rs/issues/9" +aliases = ["CVE-2019-16144"] [versions] patched = [">= 0.6.18"] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20211005/crates/generic-array/RUSTSEC-2020-0146.md new/advisory-db-20211019/crates/generic-array/RUSTSEC-2020-0146.md --- old/advisory-db-20211005/crates/generic-array/RUSTSEC-2020-0146.md 2021-10-01 23:25:09.000000000 +0200 +++ new/advisory-db-20211019/crates/generic-array/RUSTSEC-2020-0146.md 2021-10-18 18:22:07.000000000 +0200 
@@ -6,6 +6,7 @@ url = "https://github.com/fizyk20/generic-array/issues/98" categories = ["memory-corruption"] keywords = ["soundness"] +aliases = ["CVE-2020-36465"] [versions] patched = [ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20211005/crates/heapless/RUSTSEC-2020-0145.md new/advisory-db-20211019/crates/heapless/RUSTSEC-2020-0145.md --- old/advisory-db-20211005/crates/heapless/RUSTSEC-2020-0145.md 2021-10-01 23:25:09.000000000 +0200 +++ new/advisory-db-20211019/crates/heapless/RUSTSEC-2020-0145.md 2021-10-18 18:22:07.000000000 +0200 @@ -7,6 +7,7 @@ categories = ["memory-corruption", "memory-exposure"] keywords = ["use-after-free"] informational = "unsound" +aliases = ["CVE-2020-36464"] [affected.functions] "heapless::vec::IntoIter::clone" = ["<= 0.6"] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20211005/crates/kekbit/RUSTSEC-2020-0129.md new/advisory-db-20211019/crates/kekbit/RUSTSEC-2020-0129.md --- old/advisory-db-20211005/crates/kekbit/RUSTSEC-2020-0129.md 2021-10-01 23:25:09.000000000 +0200 +++ new/advisory-db-20211019/crates/kekbit/RUSTSEC-2020-0129.md 2021-10-18 18:22:07.000000000 +0200 @@ -5,6 +5,7 @@ date = "2020-12-18" url = "https://github.com/motoras/kekbit/issues/34" categories = ["memory-corruption", "thread-safety"] +aliases = ["CVE-2020-36449"] [versions] patched = [">= 0.3.4"] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20211005/crates/lever/RUSTSEC-2020-0137.md new/advisory-db-20211019/crates/lever/RUSTSEC-2020-0137.md --- old/advisory-db-20211005/crates/lever/RUSTSEC-2020-0137.md 2021-10-01 23:25:09.000000000 +0200 +++ new/advisory-db-20211019/crates/lever/RUSTSEC-2020-0137.md 2021-10-18 18:22:07.000000000 +0200 
@@ -6,6 +6,7 @@ url = "https://github.com/vertexclique/lever/issues/15" categories = ["memory-corruption", "thread-safety"] keywords = ["concurrency"] +aliases = ["CVE-2020-36457"] [versions] patched = [">= 0.1.1"] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20211005/crates/lexer/RUSTSEC-2020-0138.md new/advisory-db-20211019/crates/lexer/RUSTSEC-2020-0138.md --- old/advisory-db-20211005/crates/lexer/RUSTSEC-2020-0138.md 2021-10-01 23:25:09.000000000 +0200 +++ new/advisory-db-20211019/crates/lexer/RUSTSEC-2020-0138.md 2021-10-18 18:22:07.000000000 +0200 @@ -5,6 +5,7 @@ date = "2020-11-10" url = "https://gitlab.com/nathanfaucett/rs-lexer/-/issues/2" categories = ["memory-corruption", "thread-safety"] +aliases = ["CVE-2020-36458"] [versions] patched = [] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20211005/crates/libp2p-deflate/RUSTSEC-2020-0123.md new/advisory-db-20211019/crates/libp2p-deflate/RUSTSEC-2020-0123.md --- old/advisory-db-20211005/crates/libp2p-deflate/RUSTSEC-2020-0123.md 2021-10-01 23:25:09.000000000 +0200 +++ new/advisory-db-20211019/crates/libp2p-deflate/RUSTSEC-2020-0123.md 2021-10-18 18:22:07.000000000 +0200 @@ -5,6 +5,7 @@ date = "2020-01-24" url = "https://github.com/libp2p/rust-libp2p/issues/1932" categories = ["memory-exposure"] +aliases = ["CVE-2020-36443"] [versions] patched = [">= 0.27.1"] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20211005/crates/libpulse-binding/RUSTSEC-2018-0020.md new/advisory-db-20211019/crates/libpulse-binding/RUSTSEC-2018-0020.md --- old/advisory-db-20211005/crates/libpulse-binding/RUSTSEC-2018-0020.md 2021-10-01 23:25:09.000000000 +0200 +++ new/advisory-db-20211019/crates/libpulse-binding/RUSTSEC-2018-0020.md 2021-10-18 18:22:07.000000000 +0200 
@@ -5,7 +5,7 @@ date = "2018-12-22" url = "https://github.com/advisories/GHSA-6gvc-4jvj-pwq4" categories = ["memory-corruption"] -aliases = ["GHSA-6gvc-4jvj-pwq4"] +aliases = ["GHSA-6gvc-4jvj-pwq4", "CVE-2018-25001"] [versions] patched = [">= 2.5.0"] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20211005/crates/libsbc/RUSTSEC-2020-0120.md new/advisory-db-20211019/crates/libsbc/RUSTSEC-2020-0120.md --- old/advisory-db-20211005/crates/libsbc/RUSTSEC-2020-0120.md 2021-10-01 23:25:09.000000000 +0200 +++ new/advisory-db-20211019/crates/libsbc/RUSTSEC-2020-0120.md 2021-10-18 18:22:07.000000000 +0200 @@ -6,6 +6,7 @@ url = "https://github.com/mvertescher/libsbc-rs/issues/4" categories = ["memory-corruption", "thread-safety"] informational = "unsound" +aliases = ["CVE-2020-36440"] [versions] patched = [">= 0.1.5"] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20211005/crates/max7301/RUSTSEC-2020-0152.md new/advisory-db-20211019/crates/max7301/RUSTSEC-2020-0152.md --- old/advisory-db-20211005/crates/max7301/RUSTSEC-2020-0152.md 2021-10-01 23:25:09.000000000 +0200 +++ new/advisory-db-20211019/crates/max7301/RUSTSEC-2020-0152.md 2021-10-18 18:22:07.000000000 +0200 @@ -6,6 +6,7 @@ url = "https://github.com/edarc/max7301/issues/1" categories = ["memory-corruption"] keywords = ["concurrency"] +aliases = ["CVE-2020-36472"] [versions] patched = [">= 0.2.0"] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20211005/crates/model/RUSTSEC-2020-0140.md new/advisory-db-20211019/crates/model/RUSTSEC-2020-0140.md --- old/advisory-db-20211005/crates/model/RUSTSEC-2020-0140.md 2021-10-01 23:25:09.000000000 +0200 +++ new/advisory-db-20211019/crates/model/RUSTSEC-2020-0140.md 2021-10-18 18:22:07.000000000 +0200 
@@ -6,6 +6,7 @@ url = "https://github.com/spacejam/model/issues/3" categories = ["thread-safety"] informational = "unsound" +aliases = ["CVE-2020-36460"] [versions] patched = [] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20211005/crates/multiqueue/RUSTSEC-2020-0143.md new/advisory-db-20211019/crates/multiqueue/RUSTSEC-2020-0143.md --- old/advisory-db-20211005/crates/multiqueue/RUSTSEC-2020-0143.md 2021-10-01 23:25:09.000000000 +0200 +++ new/advisory-db-20211019/crates/multiqueue/RUSTSEC-2020-0143.md 2021-10-18 18:22:07.000000000 +0200 @@ -5,6 +5,7 @@ date = "2020-12-25" url = "https://github.com/schets/multiqueue/issues/31" categories = ["memory-corruption", "thread-safety"] +aliases = ["CVE-2020-36463"] [versions] patched = [] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20211005/crates/net2/RUSTSEC-2020-0078.md new/advisory-db-20211019/crates/net2/RUSTSEC-2020-0078.md --- old/advisory-db-20211005/crates/net2/RUSTSEC-2020-0078.md 2021-10-01 23:25:09.000000000 +0200 +++ new/advisory-db-20211019/crates/net2/RUSTSEC-2020-0078.md 2021-10-18 18:22:07.000000000 +0200 @@ -6,6 +6,7 @@ url = "https://github.com/deprecrated/net2-rs/issues/105" keywords = ["memory", "layout", "cast"] informational = "unsound" +aliases = ["CVE-2020-35919"] [versions] patched = [">= 0.2.36"] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20211005/crates/nix/RUSTSEC-2021-0119.md new/advisory-db-20211019/crates/nix/RUSTSEC-2021-0119.md --- old/advisory-db-20211005/crates/nix/RUSTSEC-2021-0119.md 2021-10-01 23:25:09.000000000 +0200 +++ new/advisory-db-20211019/crates/nix/RUSTSEC-2021-0119.md 2021-10-18 18:22:07.000000000 +0200 
@@ -6,7 +6,6 @@ url = "https://github.com/nix-rust/nix/issues/1541" categories = ["memory-corruption"] keywords = ["nss"] -informational = "unsound" [versions] patched = ["^0.20.2", "^0.21.2", "^0.22.2", ">= 0.23.0",] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20211005/crates/noise_search/RUSTSEC-2020-0141.md new/advisory-db-20211019/crates/noise_search/RUSTSEC-2020-0141.md --- old/advisory-db-20211005/crates/noise_search/RUSTSEC-2020-0141.md 2021-10-01 23:25:09.000000000 +0200 +++ new/advisory-db-20211019/crates/noise_search/RUSTSEC-2020-0141.md 2021-10-18 18:22:07.000000000 +0200 @@ -5,6 +5,7 @@ date = "2020-12-10" url = "https://github.com/pipedown/noise/issues/72" categories = ["memory-corruption", "thread-safety"] +aliases = ["CVE-2020-36461"] [versions] patched = [] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20211005/crates/parc/RUSTSEC-2020-0134.md new/advisory-db-20211019/crates/parc/RUSTSEC-2020-0134.md --- old/advisory-db-20211005/crates/parc/RUSTSEC-2020-0134.md 2021-10-01 23:25:09.000000000 +0200 +++ new/advisory-db-20211019/crates/parc/RUSTSEC-2020-0134.md 2021-10-18 18:22:07.000000000 +0200 @@ -5,6 +5,7 @@ date = "2020-11-14" url = "https://github.com/hyyking/rustracts/pull/6" categories = ["memory-corruption", "thread-safety"] +aliases = ["CVE-2020-36454"] [versions] patched = [] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20211005/crates/rcu_cell/RUSTSEC-2020-0131.md new/advisory-db-20211019/crates/rcu_cell/RUSTSEC-2020-0131.md --- old/advisory-db-20211005/crates/rcu_cell/RUSTSEC-2020-0131.md 2021-10-01 23:25:09.000000000 +0200 +++ new/advisory-db-20211019/crates/rcu_cell/RUSTSEC-2020-0131.md 2021-10-18 18:22:07.000000000 +0200 
@@ -5,6 +5,7 @@ date = "2020-11-14" url = "https://github.com/Xudong-Huang/rcu_cell/issues/3" categories = ["memory-corruption", "thread-safety"] +aliases = ["CVE-2020-36451"] [versions] patched = [] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20211005/crates/rkyv/RUSTSEC-2021-0054.md new/advisory-db-20211019/crates/rkyv/RUSTSEC-2021-0054.md --- old/advisory-db-20211005/crates/rkyv/RUSTSEC-2021-0054.md 2021-10-01 23:25:09.000000000 +0200 +++ new/advisory-db-20211019/crates/rkyv/RUSTSEC-2021-0054.md 2021-10-18 18:22:07.000000000 +0200 @@ -6,6 +6,7 @@ url = "https://github.com/djkoloski/rkyv/issues/113" categories = ["memory-exposure"] keywords = ["uninitialized", "memory", "information", "leak"] +aliases = ["CVE-2021-31919"] [versions] patched = [">= 0.6.0"] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20211005/crates/ruspiro-singleton/RUSTSEC-2020-0115.md new/advisory-db-20211019/crates/ruspiro-singleton/RUSTSEC-2020-0115.md --- old/advisory-db-20211005/crates/ruspiro-singleton/RUSTSEC-2020-0115.md 2021-10-01 23:25:09.000000000 +0200 +++ new/advisory-db-20211019/crates/ruspiro-singleton/RUSTSEC-2020-0115.md 2021-10-18 18:22:07.000000000 +0200 @@ -6,6 +6,7 @@ url = "https://github.com/RusPiRo/ruspiro-singleton/issues/10" categories = ["memory-corruption", "thread-safety"] keywords = ["concurrency"] +aliases = ["CVE-2020-36435"] [versions] patched = [">= 0.4.1"] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20211005/crates/scottqueue/RUSTSEC-2020-0133.md new/advisory-db-20211019/crates/scottqueue/RUSTSEC-2020-0133.md --- old/advisory-db-20211005/crates/scottqueue/RUSTSEC-2020-0133.md 2021-10-01 23:25:09.000000000 +0200 +++ new/advisory-db-20211019/crates/scottqueue/RUSTSEC-2020-0133.md 2021-10-18 18:22:07.000000000 +0200 
@@ -5,6 +5,7 @@ date = "2020-11-15" url = "https://github.com/rossdylan/rust-scottqueue/issues/1" categories = ["memory-corruption", "thread-safety"] +aliases = ["CVE-2020-36453"] [versions] patched = [] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20211005/crates/signal-simple/RUSTSEC-2020-0126.md new/advisory-db-20211019/crates/signal-simple/RUSTSEC-2020-0126.md --- old/advisory-db-20211005/crates/signal-simple/RUSTSEC-2020-0126.md 2021-10-01 23:25:09.000000000 +0200 +++ new/advisory-db-20211019/crates/signal-simple/RUSTSEC-2020-0126.md 2021-10-18 18:22:07.000000000 +0200 @@ -5,6 +5,7 @@ date = "2020-11-15" url = "https://github.com/kitsuneninetails/signal-rust/issues/2" categories = ["memory-corruption", "thread-safety"] +aliases = ["CVE-2020-36446"] [versions] patched = [] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20211005/crates/slice-deque/RUSTSEC-2020-0158.md new/advisory-db-20211019/crates/slice-deque/RUSTSEC-2020-0158.md --- old/advisory-db-20211005/crates/slice-deque/RUSTSEC-2020-0158.md 1970-01-01 01:00:00.000000000 +0100 +++ new/advisory-db-20211019/crates/slice-deque/RUSTSEC-2020-0158.md 2021-10-18 18:22:07.000000000 +0200 
@@ -0,0 +1,15 @@ +```toml +[advisory] +id = "RUSTSEC-2020-0158" +package = "slice-deque" +date = "2020-02-10" +url = "https://github.com/gnzlbg/slice_deque/issues/94" +informational = "unmaintained" + +[versions] +patched = [] +``` + +# slice-deque is unmaintained + +The author of the `slice-deque` crate is unresponsive and is not receiving security patches. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20211005/crates/slock/RUSTSEC-2020-0135.md new/advisory-db-20211019/crates/slock/RUSTSEC-2020-0135.md --- old/advisory-db-20211005/crates/slock/RUSTSEC-2020-0135.md 2021-10-01 23:25:09.000000000 +0200 +++ new/advisory-db-20211019/crates/slock/RUSTSEC-2020-0135.md 2021-10-18 18:22:07.000000000 +0200 @@ -5,6 +5,7 @@ date = "2020-11-17" url = "https://github.com/BrokenLamp/slock-rs/issues/2" categories = ["memory-corruption", "thread-safety"] +aliases = ["CVE-2020-36455"] [versions] patched = [] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20211005/crates/syncpool/RUSTSEC-2020-0142.md new/advisory-db-20211019/crates/syncpool/RUSTSEC-2020-0142.md --- old/advisory-db-20211005/crates/syncpool/RUSTSEC-2020-0142.md 2021-10-01 23:25:09.000000000 +0200 +++ new/advisory-db-20211019/crates/syncpool/RUSTSEC-2020-0142.md 2021-10-18 18:22:07.000000000 +0200 @@ -5,6 +5,7 @@ date = "2020-11-29" url = "https://github.com/Chopinsky/byte_buffer/issues/2" categories = ["memory-corruption"] +aliases = ["CVE-2020-36462"] [versions] patched = [">= 0.1.6"] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20211005/crates/sys-info/RUSTSEC-2020-0100.md new/advisory-db-20211019/crates/sys-info/RUSTSEC-2020-0100.md --- old/advisory-db-20211005/crates/sys-info/RUSTSEC-2020-0100.md 2021-10-01 23:25:09.000000000 +0200 +++ new/advisory-db-20211019/crates/sys-info/RUSTSEC-2020-0100.md 2021-10-18 18:22:07.000000000 +0200 
@@ -6,6 +6,7 @@ url = "https://github.com/FillZpp/sys-info-rs/issues/63" categories = ["memory-corruption"] keywords = ["concurrency", "double free"] +aliases = ["CVE-2020-36434"] [versions] patched = [">= 0.8.0"] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20211005/crates/ticketed_lock/RUSTSEC-2020-0119.md new/advisory-db-20211019/crates/ticketed_lock/RUSTSEC-2020-0119.md --- old/advisory-db-20211005/crates/ticketed_lock/RUSTSEC-2020-0119.md 2021-10-01 23:25:09.000000000 +0200 +++ new/advisory-db-20211019/crates/ticketed_lock/RUSTSEC-2020-0119.md 2021-10-18 18:22:07.000000000 +0200 @@ -5,6 +5,7 @@ date = "2020-11-17" url = "https://github.com/kvark/ticketed_lock/issues/7" categories = ["memory-corruption", "thread-safety"] +aliases = ["CVE-2020-36439"] [versions] patched = [">= 0.3.0"] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20211005/crates/time/RUSTSEC-2020-0071.md new/advisory-db-20211019/crates/time/RUSTSEC-2020-0071.md --- old/advisory-db-20211005/crates/time/RUSTSEC-2020-0071.md 2021-10-01 23:25:09.000000000 +0200 +++ new/advisory-db-20211019/crates/time/RUSTSEC-2020-0071.md 2021-10-18 18:22:07.000000000 +0200 @@ -24,6 +24,8 @@ "freebsd", ] [affected.functions] +"time::at" = ["^0.1"] +"time::at_utc" = ["^0.1"] "time::UtcOffset::local_offset_at" = ["< 0.2.23"] "time::UtcOffset::try_local_offset_at" = ["< 0.2.23"] "time::UtcOffset::current_local_offset" = ["< 0.2.23"] 
@@ -33,16 +35,16 @@ [versions] patched = [">= 0.2.23"] -unaffected = ["< 0.2.7"] +unaffected = ["=0.2.0", "=0.2.1", "=0.2.2", "=0.2.3", "=0.2.4", "=0.2.5", "=0.2.6"] ``` # Potential segfault in the time crate -## Impact +### Impact -Unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires the user to set any environment variable in a different thread than the affected functions. +Unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library. -The affected functions are: +The affected functions from time 0.2.7 through 0.2.22 are: - `time::UtcOffset::local_offset_at` - `time::UtcOffset::try_local_offset_at` 
@@ -51,18 +53,25 @@ - `time::OffsetDateTime::now_local` - `time::OffsetDateTime::try_now_local` -Non-Unix targets are unaffected. This includes Windows and wasm. +The affected functions in time 0.1 (all versions) are: -## Patches +- `at` +- `at_utc` + +Non-Unix targets (including Windows and wasm) are unaffected. + +### Patches Pending a proper fix, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods. -Users and library authors with time in their dependency tree should perform `cargo update`, which will pull in a the updated, unaffected code. +Users and library authors with time in their dependency tree should perform `cargo update`, which will pull in the updated, unaffected code. + +Users of time 0.1 do not have a patch and should upgrade to an unaffected version: time 0.2.23 or greater or the 0.3. series. -## Workarounds +### Workarounds No workarounds are known. -## References +### References -#293 +time-rs/time#293 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20211005/crates/tiny_future/RUSTSEC-2020-0118.md new/advisory-db-20211019/crates/tiny_future/RUSTSEC-2020-0118.md --- old/advisory-db-20211005/crates/tiny_future/RUSTSEC-2020-0118.md 2021-10-01 23:25:09.000000000 +0200 +++ new/advisory-db-20211019/crates/tiny_future/RUSTSEC-2020-0118.md 2021-10-18 18:22:07.000000000 +0200 
@@ -6,6 +6,7 @@ url = "https://github.com/KizzyCode/tiny_future/issues/1" categories = ["memory-corruption", "thread-safety"] keywords = ["concurrency"] +aliases = ["CVE-2020-36438"] [versions] patched = [">= 0.4.0"] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20211005/crates/toolshed/RUSTSEC-2020-0136.md new/advisory-db-20211019/crates/toolshed/RUSTSEC-2020-0136.md --- old/advisory-db-20211005/crates/toolshed/RUSTSEC-2020-0136.md 2021-10-01 23:25:09.000000000 +0200 +++ new/advisory-db-20211019/crates/toolshed/RUSTSEC-2020-0136.md 2021-10-18 18:22:07.000000000 +0200 @@ -6,6 +6,7 @@ url = "https://github.com/ratel-rust/toolshed/issues/12" categories = ["memory-corruption", "thread-safety"] keywords = ["concurrency"] +aliases = ["CVE-2020-36456"] [versions] patched = [] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20211005/crates/unicycle/RUSTSEC-2020-0116.md new/advisory-db-20211019/crates/unicycle/RUSTSEC-2020-0116.md --- old/advisory-db-20211005/crates/unicycle/RUSTSEC-2020-0116.md 2021-10-01 23:25:09.000000000 +0200 +++ new/advisory-db-20211019/crates/unicycle/RUSTSEC-2020-0116.md 2021-10-18 18:22:07.000000000 +0200 @@ -5,6 +5,7 @@ date = "2020-11-15" url = "https://github.com/udoprog/unicycle/issues/8" categories = ["memory-corruption", "thread-safety"] +aliases = ["CVE-2020-36436"] [versions] patched = [">= 0.7.1"] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20211005/crates/v9/RUSTSEC-2020-0127.md new/advisory-db-20211019/crates/v9/RUSTSEC-2020-0127.md --- old/advisory-db-20211005/crates/v9/RUSTSEC-2020-0127.md 2021-10-01 23:25:09.000000000 +0200 +++ new/advisory-db-20211019/crates/v9/RUSTSEC-2020-0127.md 2021-10-18 18:22:07.000000000 +0200 
@@ -5,6 +5,7 @@ date = "2020-12-18" url = "https://github.com/purpleposeidon/v9/issues/1" categories = ["memory-corruption", "thread-safety"] +aliases = ["CVE-2020-36447"] [versions] patched = [] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20211005/crates/vec-const/RUSTSEC-2021-0082.md new/advisory-db-20211019/crates/vec-const/RUSTSEC-2021-0082.md --- old/advisory-db-20211005/crates/vec-const/RUSTSEC-2021-0082.md 2021-10-01 23:25:09.000000000 +0200 +++ new/advisory-db-20211019/crates/vec-const/RUSTSEC-2021-0082.md 2021-10-18 18:22:07.000000000 +0200 @@ -9,9 +9,11 @@ informational = "unsound" [versions] -patched = [] +patched = [">= 2.0.0"] ``` # vec-const attempts to construct a Vec from a pointer to a const slice -This crate claims to construct a const `Vec` with nonzero length and capacity, but that cannot be done because such a `Vec` requires a pointer from an allocator. +Affected versions of this crate claimed to construct a const `Vec` with nonzero length and capacity, but that cannot be done because such a `Vec` requires a pointer from an allocator. + +The implementation was later changed to just construct a `std::borrow::Cow`. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20211005/crates/zeroize_derive/RUSTSEC-2021-0115.md new/advisory-db-20211019/crates/zeroize_derive/RUSTSEC-2021-0115.md --- old/advisory-db-20211005/crates/zeroize_derive/RUSTSEC-2021-0115.md 2021-10-01 23:25:09.000000000 +0200 +++ new/advisory-db-20211019/crates/zeroize_derive/RUSTSEC-2021-0115.md 2021-10-18 18:22:07.000000000 +0200 @@ -6,7 +6,7 @@ url = "https://github.com/iqlusioninc/crates/issues/876" [versions] -patched = [">= 1.2.0"] +patched = [">= 1.1.1"] ``` # `#[zeroize(drop)]` doesn't implement `Drop` for `enum`s
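Review bot: in the new file crates/slice-deque/RUSTSEC-2020-0158.md, the description sentence makes the author the subject of "is not receiving security patches", but it is the crate that is not receiving them. Suggest "The author of the `slice-deque` crate is unresponsive, and the crate is not receiving security patches." With `informational = "unmaintained"` and `patched = []` there is no upgrade path, so the text should also tell readers what to do next, for example by listing maintained alternatives if any are known.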
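Review bot: in crates/time/RUSTSEC-2020-0071.md (hunk `@@ -33,16 +35,16 @@`), the `unaffected` change from `["< 0.2.7"]` to seven exact pins carries no explanation. The apparent reason is that `< 0.2.7` also matched the 0.1 series, which this update marks as affected via `"time::at" = ["^0.1"]`. A one-line TOML comment saying so would keep a later editor from collapsing the list back into the old range. If the advisory format accepts a bounded requirement, `">= 0.2.0, < 0.2.7"` would be easier to audit than seven entries. The same hunk moves the section headings from `##` to `###` directly under the `#` title, which skips a level; please confirm that is intended.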
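Review bot: in crates/time/RUSTSEC-2020-0071.md (hunk `@@ -51,18 +53,25 @@`), the added sentence ending "time 0.2.23 or greater or the 0.3. series" has a stray period after `0.3`, and it calls 0.2.23 an "unaffected version" although `[versions]` lists `>= 0.2.23` under `patched`. Suggest "should upgrade to a patched version: time 0.2.23 or greater, or the 0.3 series". The new list also names the 0.1 functions as bare `at` and `at_utc`, while the 0.2 list and `[affected.functions]` use qualified paths (`time::at`, `time::at_utc`). Using the qualified form in the prose keeps it consistent with the metadata.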
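Review bot: in crates/vec-const/RUSTSEC-2021-0082.md, the added sentence "The implementation was later changed to just construct a `std::borrow::Cow`" does not say in which release that happened, so the prose is not tied to the new `patched = [">= 2.0.0"]`. Suggest naming the version in the text, and stating which versions "Affected versions" covers, so the description and the `[versions]` block can be checked against each other.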
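Review bot: in crates/zeroize_derive/RUSTSEC-2021-0115.md, `patched` is lowered from `>= 1.2.0` to `>= 1.1.1`, so releases from 1.1.1 up to 1.2.0 stop being flagged, and nothing in the visible hunk says why. Please reference the release or commit showing that 1.1.1 carries the fix for `#[zeroize(drop)]` on `enum`s, since a lower bound that is too permissive produces false negatives for anyone auditing against this database.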