Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package cargo-audit-advisory-db for 
openSUSE:Factory checked in at 2021-11-30 23:16:02
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/cargo-audit-advisory-db (Old)
 and      /work/SRC/openSUSE:Factory/.cargo-audit-advisory-db.new.31177 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "cargo-audit-advisory-db"

Tue Nov 30 23:16:02 2021 rev:16 rq:934647 version:20211130

Changes:
--------
--- 
/work/SRC/openSUSE:Factory/cargo-audit-advisory-db/cargo-audit-advisory-db.changes
  2021-11-12 16:00:09.614589797 +0100
+++ 
/work/SRC/openSUSE:Factory/.cargo-audit-advisory-db.new.31177/cargo-audit-advisory-db.changes
       2021-12-02 02:10:48.443476411 +0100
@@ -1,0 +2,15 @@
+Tue Nov 30 02:12:58 UTC 2021 - [email protected]
+
+- Update to version 20211130:
+  * Assigned RUSTSEC-2021-0126 to rust-embed (#1113)
+  * Add advisory for rust-embed path traversal (#1112)
+  * Adds maintained alternative to slice_deque (#1109)
+  * Assigned RUSTSEC-2021-0125 to simple_asn1 (#1108)
+  * Security advisory on simple_asn1 version 0.6.0 (#1103)
+  * Assigned RUSTSEC-2021-0124 to tokio (#1107)
+  * Add advisory for tokio-rs/tokio#4225 (#1106)
+  * Add CVE for RUSTSEC-2021-0123 (#1105)
+  * Assigned RUSTSEC-2021-0123 to fruity (#1104)
+  * Add fruity advisory for nvzqz/fruity#14 (#1102)
+
+-------------------------------------------------------------------

Old:
----
  advisory-db-20211112.tar.xz

New:
----
  advisory-db-20211130.tar.xz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ cargo-audit-advisory-db.spec ++++++
--- /var/tmp/diff_new_pack.Ul63K0/_old  2021-12-02 02:10:48.851475167 +0100
+++ /var/tmp/diff_new_pack.Ul63K0/_new  2021-12-02 02:10:48.855475154 +0100
@@ -17,7 +17,7 @@
 
 
 Name:           cargo-audit-advisory-db
-Version:        20211112
+Version:        20211130
 Release:        0
 Summary:        A database of known security issues for Rust depedencies
 License:        CC0-1.0
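Review bot: the unchanged `Summary:` context line still carries the typo `depedencies`; since this submission already touches the spec header (the `Version:` bump on the line above), fix it to `dependencies` in the same change rather than leaving it for another round.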

++++++ _service ++++++
--- /var/tmp/diff_new_pack.Ul63K0/_old  2021-12-02 02:10:48.879475081 +0100
+++ /var/tmp/diff_new_pack.Ul63K0/_new  2021-12-02 02:10:48.879475081 +0100
@@ -2,7 +2,7 @@
   <service mode="disabled" name="obs_scm">
     <param name="url">https://github.com/RustSec/advisory-db.git</param>
     <param name="scm">git</param>
-    <param name="version">20211112</param>
+    <param name="version">20211130</param>
     <param name="revision">master</param>
     <param name="changesgenerate">enable</param>
     <param name="changesauthor">[email protected]</param>
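Review bot: `<param name="revision">master</param>` together with the bumped `<param name="version">20211130</param>` means the tree the service fetches is whatever `master` points at when the service runs, not a fixed state tied to the 20211130 version string; pinning `revision` to the upstream commit hash that corresponds to this snapshot would make the generated tarball reproducible and let the `.duplicate-id-guard` change below be checked against upstream.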

++++++ advisory-db-20211112.tar.xz -> advisory-db-20211130.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/advisory-db-20211112/.duplicate-id-guard 
new/advisory-db-20211130/.duplicate-id-guard
--- old/advisory-db-20211112/.duplicate-id-guard        2021-11-07 
18:53:20.000000000 +0100
+++ new/advisory-db-20211130/.duplicate-id-guard        2021-11-29 
19:32:40.000000000 +0100
@@ -1,3 +1,3 @@
 This file causes merge conflicts if two ID assignment jobs run concurrently.
 This prevents duplicate ID assignment due to a race between those jobs.
-9042bc5cd75d598f6aabe16f7a520b6886ac5abe65319eaee6cb8650f0e3085a  -
+e4ababe809f177f95608bb105f034fdf7b1379c3ab84f9083b37f4356f609597  -
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20211112/.github/workflows/assign-ids.yml 
new/advisory-db-20211130/.github/workflows/assign-ids.yml
--- old/advisory-db-20211112/.github/workflows/assign-ids.yml   2021-11-07 
18:53:20.000000000 +0100
+++ new/advisory-db-20211130/.github/workflows/assign-ids.yml   2021-11-29 
19:32:40.000000000 +0100
@@ -15,12 +15,12 @@
       uses: actions/cache@v1
       with:
         path: ~/.cargo/bin
-        key: rustsec-admin-v0.5.3
+        key: rustsec-admin-v0.6.0
 
     - name: Install rustsec-admin
       run: |
         if [ ! -f $HOME/.cargo/bin/rustsec-admin ]; then
-            cargo install rustsec-admin --vers 0.5.3
+            cargo install rustsec-admin --vers 0.6.0
         fi
 
     - name: Assign IDs
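Review bot: the cache `key: rustsec-admin-v0.6.0` and `cargo install rustsec-admin --vers 0.6.0` were bumped together, so a cached 0.5.3 binary cannot be reused under the new key; the same consistent pair appears in export-osv.yml, publish-web.yml and validate.yml below. Consider adding `--locked` to the `cargo install` line so the build uses the dependency versions recorded in rustsec-admin's Cargo.lock instead of resolving a fresh graph on every CI run, and pinning `actions/cache@v1` to a commit SHA rather than a moving major tag, since this job has write access to the ID assignment.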
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20211112/.github/workflows/export-osv.yml 
new/advisory-db-20211130/.github/workflows/export-osv.yml
--- old/advisory-db-20211112/.github/workflows/export-osv.yml   2021-11-07 
18:53:20.000000000 +0100
+++ new/advisory-db-20211130/.github/workflows/export-osv.yml   2021-11-29 
19:32:40.000000000 +0100
@@ -14,10 +14,10 @@
       - uses: actions/cache@v1
         with:
           path: ~/.cargo/bin
-          key: rustsec-admin-v0.5.3
+          key: rustsec-admin-v0.6.0
       - run: |
           if [ ! -f $HOME/.cargo/bin/rustsec-admin ]; then
-           cargo install rustsec-admin --vers 0.5.3
+           cargo install rustsec-admin --vers 0.6.0
           fi
           mkdir -p crates
           rustsec-admin osv crates
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20211112/.github/workflows/publish-web.yml 
new/advisory-db-20211130/.github/workflows/publish-web.yml
--- old/advisory-db-20211112/.github/workflows/publish-web.yml  2021-11-07 
18:53:20.000000000 +0100
+++ new/advisory-db-20211130/.github/workflows/publish-web.yml  2021-11-29 
19:32:40.000000000 +0100
@@ -14,10 +14,10 @@
       - uses: actions/cache@v1
         with:
           path: ~/.cargo/bin
-          key: rustsec-admin-v0.5.3
+          key: rustsec-admin-v0.6.0
       - run: |
           if [ ! -f $HOME/.cargo/bin/rustsec-admin ]; then
-           cargo install rustsec-admin --vers 0.5.3
+           cargo install rustsec-admin --vers 0.6.0
           fi
           rustsec-admin web .
           git config user.name github-actions
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/advisory-db-20211112/.github/workflows/validate.yml 
new/advisory-db-20211130/.github/workflows/validate.yml
--- old/advisory-db-20211112/.github/workflows/validate.yml     2021-11-07 
18:53:20.000000000 +0100
+++ new/advisory-db-20211130/.github/workflows/validate.yml     2021-11-29 
19:32:40.000000000 +0100
@@ -16,12 +16,12 @@
       uses: actions/cache@v1
       with:
         path: ~/.cargo/bin
-        key: rustsec-admin-v0.5.3
+        key: rustsec-admin-v0.6.0
 
     - name: Install rustsec-admin
       run: |
         if [ ! -f $HOME/.cargo/bin/rustsec-admin ]; then
-            cargo install rustsec-admin --vers 0.5.3
+            cargo install rustsec-admin --vers 0.6.0
         fi
 
     - name: Lint advisories
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20211112/crates/fruity/RUSTSEC-2021-0123.md 
new/advisory-db-20211130/crates/fruity/RUSTSEC-2021-0123.md
--- old/advisory-db-20211112/crates/fruity/RUSTSEC-2021-0123.md 1970-01-01 
01:00:00.000000000 +0100
+++ new/advisory-db-20211130/crates/fruity/RUSTSEC-2021-0123.md 2021-11-29 
19:32:40.000000000 +0100
@@ -0,0 +1,58 @@
+```toml
+[advisory]
+id = "RUSTSEC-2021-0123"
+package = "fruity"
+aliases = ["CVE-2021-43620"]
+date = "2021-11-14"
+url = "https://github.com/nvzqz/fruity/issues/14";
+
+[affected.functions]
+"fruity::foundation::NSString::to_str" = ["> 0.0.0"]
+"fruity::foundation::NSString::to_str_with_nul" = ["> 0.0.0"]
+"fruity::foundation::NSString::to_string" = ["> 0.0.0"]
+"fruity::foundation::NSString::to_string_with_nul" = ["> 0.0.0"]
+
+[versions]
+patched = []
+```
+
+# Converting `NSString` to a String Truncates at Null Bytes
+
+Methods of [`NSString`] for conversion to a string may return a partial result.
+Since they call [`CStr::from_ptr`] on a pointer to the string buffer, the
+string is terminated at the first null byte, which might not be the end of the
+string.
+
+In addition to the vulnerable functions listed for this issue, the
+implementations of [`Display`], [`PartialEq`], [`PartialOrd`], and [`ToString`]
+for [`NSString`] are also affected, since they call those functions.
+
+## Impact
+
+Since [`NSString`] is commonly used as the type for paths by the [Foundation]
+framework, null byte truncation might allow for easily bypassing file extension
+checks. For example, if a file name is provided by a user and validated to have
+one of a specific set of extensions, with validation taking place before
+truncation, an attacker can add an accepted extension after a null byte (e.g.,
+`file.exe\0.txt`). After truncation, the file name used by the application
+would be `file.exe`.
+
+It would be better to generate unique names for files, instead of using
+user-provided names, but not all applications take this approach.
+
+## Example:
+
+```rust
+let string = NSString::from_str("null\0byte");
+println!("{}", string);
+```
+
+That example only prints the string "null".
+
+[`CStr::from_ptr`]: 
https://doc.rust-lang.org/std/ffi/struct.CStr.html#method.from_ptr
+[`Display`]: https://doc.rust-lang.org/std/fmt/trait.Display.html
+[Foundation]: https://developer.apple.com/documentation/foundation
+[`NSString`]: 
https://docs.rs/fruity/0.2.0/fruity/foundation/struct.NSString.html
+[`PartialEq`]: https://doc.rust-lang.org/std/cmp/trait.PartialEq.html
+[`PartialOrd`]: https://doc.rust-lang.org/std/cmp/trait.PartialOrd.html
+[`ToString`]: https://doc.rust-lang.org/std/string/trait.ToString.html
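Review bot: `patched = []` combined with `> 0.0.0` on all four `[affected.functions]` entries means no upgrade resolves this advisory, but the body never states that; add a sentence saying no fixed release exists and that callers should reject `NSString` values containing interior null bytes (or compare by length) before conversion, because the Impact section's "validation taking place before truncation" example reads as though reordering the check would be sufficient. The `url` value is followed by a stray `;` after the closing quote, here and in each of the other new advisories in this diff; if that is in the file rather than a mail-rendering artifact it is not valid TOML and the lint step in validate.yml will reject it. This is also the only new advisory without a `categories` field.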
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20211112/crates/rust-embed/RUSTSEC-2021-0126.md 
new/advisory-db-20211130/crates/rust-embed/RUSTSEC-2021-0126.md
--- old/advisory-db-20211112/crates/rust-embed/RUSTSEC-2021-0126.md     
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20211130/crates/rust-embed/RUSTSEC-2021-0126.md     
2021-11-29 19:32:40.000000000 +0100
@@ -0,0 +1,36 @@
+```toml
+[advisory]
+id = "RUSTSEC-2021-0126"
+package = "rust-embed"
+date = "2021-11-29"
+url = "https://github.com/pyros2097/rust-embed/issues/159";
+categories = ["file-disclosure"]
+
+[versions]
+patched = [">= 6.3.0"]
+```
+
+# RustEmbed generated `get` method allows for directory traversal when reading 
files from disk
+
+When running in debug mode and the `debug-embed` (off by default) feature is
+not enabled, the generated `get` method does not check that the input path is
+a child of the folder given. 
+
+This allows attackers to read arbitrary files in the file system if they have
+control over the filename given. The following code will print the contents of
+your `/etc/passwd` if adjusted with a correct number of `../`s depending on
+where it is run from.
+
+```rust
+#[derive(rust_embed::RustEmbed)]
+#[folder = "src/"]
+pub struct Asset;
+
+fn main() {
+    let d = Asset::get("../../../etc/passwd").unwrap().data;
+    println!("{}", String::from_utf8_lossy(&d));
+}
+```
+
+The flaw was corrected by canonicalizing the input filename and ensuring that
+it starts with the canonicalized folder path.
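Review bot: the affected-condition sentence ("When running in debug mode and the `debug-embed` (off by default) feature is not enabled") is easy to misread; state plainly that release builds, which embed the files at compile time, are not affected and that enabling `debug-embed` is the workaround for debug builds, since the title's "when reading files from disk" only implies this. The fix description "ensuring that it starts with the canonicalized folder path" should say whether the comparison is per path component or a plain string prefix (a sibling directory whose name shares the folder path as a prefix would pass a string-prefix check); confirm against the upstream patch before wording it. Minor: trailing whitespace after "given." on the third body line.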
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20211112/crates/simple_asn1/RUSTSEC-2021-0125.md 
new/advisory-db-20211130/crates/simple_asn1/RUSTSEC-2021-0125.md
--- old/advisory-db-20211112/crates/simple_asn1/RUSTSEC-2021-0125.md    
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20211130/crates/simple_asn1/RUSTSEC-2021-0125.md    
2021-11-29 19:32:40.000000000 +0100
@@ -0,0 +1,37 @@
+```toml
+[advisory]
+id = "RUSTSEC-2021-0125"
+package = "simple_asn1"
+date = "2021-11-14"
+url = "https://github.com/acw/simple_asn1/issues/27";
+categories = ["denial-of-service"]
+keywords = ["panic", "string_slice"]
+#aliases = ["CVE-YYYY-NNNN"]
+#cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
+
+[versions]
+patched = [">=0.6.1"]
+unaffected = ["<0.6.0"]
+```
+
+# Panic on incorrect date input to `simple_asn1`
+
+Version 0.6.0 of the `simple_asn1` crate panics on certain malformed
+inputs to its parsing functions, including `from_der` and `der_decode`.
+Because this crate is frequently used with inputs from the network, this
+should be considered a security vulnerability.
+
+The issue occurs when parsing the old ASN.1 "UTCTime" time format.  If an
+attacker provides a UTCTime where the first character is ASCII but the
+second character is above 0x7f, a string slice operation in the
+`from_der_` function will try to slice into the middle of a UTF-8
+character, and cause a panic.
+
+This error was introduced in commit
+[`d7d39d709577710e9dc8`](https://github.com/acw/simple_asn1/commit/d7d39d709577710e9dc8833ee57d200eef366db8),
+which updated `simple_asn1` to use `time` instead of `chrono` because of
+[`RUSTSEC-2020-159`](https://rustsec.org/advisories/RUSTSEC-2020-0159).
+Versions of `simple_asn1` before 0.6.0 are not affected by this issue.
+
+The [patch](https://github.com/acw/simple_asn1/pull/28) was applied in
+`simple_asn1` version 0.6.1.
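Review bot: the commented-out template lines `#aliases = ["CVE-YYYY-NNNN"]` and `#cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"` are placeholders and ship verbatim in the database as written; drop them before merge, or fill them in once a CVE is assigned. The link text `RUSTSEC-2020-159` is missing a digit; the target URL correctly points at RUSTSEC-2020-0159, so the text should match it.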
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20211112/crates/slice-deque/RUSTSEC-2020-0158.md 
new/advisory-db-20211130/crates/slice-deque/RUSTSEC-2020-0158.md
--- old/advisory-db-20211112/crates/slice-deque/RUSTSEC-2020-0158.md    
2021-11-07 18:53:20.000000000 +0100
+++ new/advisory-db-20211130/crates/slice-deque/RUSTSEC-2020-0158.md    
2021-11-29 19:32:40.000000000 +0100
@@ -13,3 +13,7 @@
 # slice-deque is unmaintained
 
 The author of the `slice-deque` crate is unresponsive and is not receiving 
security patches.
+
+Maintained alternatives:
+
+- [`slice-ring-buffer`](https://crates.io/crates/slice-ring-buffer)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20211112/crates/tokio/RUSTSEC-2021-0124.md 
new/advisory-db-20211130/crates/tokio/RUSTSEC-2021-0124.md
--- old/advisory-db-20211112/crates/tokio/RUSTSEC-2021-0124.md  1970-01-01 
01:00:00.000000000 +0100
+++ new/advisory-db-20211130/crates/tokio/RUSTSEC-2021-0124.md  2021-11-29 
19:32:40.000000000 +0100
@@ -0,0 +1,38 @@
+```toml
+[advisory]
+id = "RUSTSEC-2021-0124"
+package = "tokio"
+date = "2021-11-16"
+url = "https://github.com/tokio-rs/tokio/issues/4225";
+categories = ["memory-corruption", "thread-safety"]
+keywords = ["race condition"]
+
+[versions]
+patched = [">= 1.8.4, < 1.9.0", ">= 1.13.1"]
+unaffected = ["< 0.1.14"]
+
+[affected.functions]
+"tokio::sync::oneshot::Receiver::close" = ["<= 1.13.0, >= 0.1.14"]
+```
+
+# Data race when sending and receiving after closing a `oneshot` channel
+
+If a `tokio::sync::oneshot` channel is closed (via the
+[`oneshot::Receiver::close`] method), a data race may occur if the
+`oneshot::Sender::send` method is called while the corresponding
+`oneshot::Receiver` is `await`ed or calling `try_recv`.
+
+When these methods are called concurrently on a closed channel, the two halves
+of the channel can concurrently access a shared memory location, resulting in a
+data race. This has been observed to [cause memory corruption][corruption].
+
+Note that the race only occurs when **both** halves of the channel are used
+after the `Receiver` half has called `close`. Code where `close` is not used, 
or where the
+`Receiver` is not `await`ed and `try_recv` is not called after calling `close`,
+is not affected.
+
+See [tokio#4225][issue] for more details.
+
+[corruption]: 
https://github.com/tokio-rs/tokio/issues/4225#issuecomment-967434847
+[issue]: https://github.com/tokio-rs/tokio/issues/4225
+[`oneshot::Receiver::close`]: 
https://docs.rs/tokio/1.14.0/tokio/sync/oneshot/struct.Receiver.html#method.close
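Review bot: the `[affected.functions]` range `<= 1.13.0, >= 0.1.14` for `tokio::sync::oneshot::Receiver::close` overlaps the `patched` backport range `>= 1.8.4, < 1.9.0`, so 1.8.4 through 1.8.x are declared both patched and affected; narrow the function range, or split it into two ranges that exclude 1.8.4..1.9.0, so the two fields agree. The `versions` block itself is consistent with the body, which names `close`, `send`, `try_recv` and awaiting the `Receiver` as the interacting calls.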
