Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package cargo-audit-advisory-db for openSUSE:Factory checked in at 2022-03-11 21:41:13 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/cargo-audit-advisory-db (Old) and /work/SRC/openSUSE:Factory/.cargo-audit-advisory-db.new.25692 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cargo-audit-advisory-db" Fri Mar 11 21:41:13 2022 rev:20 rq:960956 version:20220311 Changes: -------- --- /work/SRC/openSUSE:Factory/cargo-audit-advisory-db/cargo-audit-advisory-db.changes 2022-02-15 23:57:35.604264393 +0100 +++ /work/SRC/openSUSE:Factory/.cargo-audit-advisory-db.new.25692/cargo-audit-advisory-db.changes 2022-03-11 21:41:26.078078361 +0100 @@ -1,0 +2,15 @@ +Fri Mar 11 03:15:25 UTC 2022 - wbr...@suse.de + +- Update to version 20220311: + * Assigned RUSTSEC-2022-0013 to regex (#1208) + * add cve-2022-24713 (#1207) + * mark RUSTSEC-2021-0019 fixed, add references (#1206) + * RUSTSEC-2021-0134: Remove recursive_reference from the list of alternatives (#1200) + * Assigned RUSTSEC-2022-0012 to arrow2 (#1205) + * Added advisory for `arrow2::ffi::Ffi_ArrowArray` double free (#1204) + * Assigned RUSTSEC-2022-0011 to rust-crypto (#1202) + * `rust-crypto`: miscomputation when performing AES encryption (#1201) + * Update RUSTSEC-2020-0150.md (#1199) + * Assigned RUSTSEC-2022-0010 to enum-map (#1198) + +------------------------------------------------------------------- Old: ---- advisory-db-20220215.tar.xz New: ---- advisory-db-20220311.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ cargo-audit-advisory-db.spec ++++++ --- /var/tmp/diff_new_pack.d0oliw/_old 2022-03-11 21:41:26.630078785 +0100 +++ /var/tmp/diff_new_pack.d0oliw/_new 2022-03-11 21:41:26.634078787 +0100 @@ -17,7 +17,7 @@ Name: cargo-audit-advisory-db -Version: 20220215 +Version: 20220311 Release: 0 Summary: A database of known security issues for Rust depedencies License: CC0-1.0 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.d0oliw/_old 2022-03-11 21:41:26.666078813 +0100 +++ /var/tmp/diff_new_pack.d0oliw/_new 2022-03-11 21:41:26.670078815 +0100 @@ -2,7 +2,7 @@ <service mode="disabled" name="obs_scm"> <param name="url">https://github.com/RustSec/advisory-db.git</param> <param name="scm">git</param> - <param name="version">20220215</param> + <param name="version">20220311</param> <param name="revision">master</param> <param name="changesgenerate">enable</param> <param name="changesauthor">wbr...@suse.de</param> ++++++ advisory-db-20220215.tar.xz -> advisory-db-20220311.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20220215/.duplicate-id-guard new/advisory-db-20220311/.duplicate-id-guard --- old/advisory-db-20220215/.duplicate-id-guard 2022-02-09 15:34:03.000000000 +0100 +++ new/advisory-db-20220311/.duplicate-id-guard 2022-03-08 16:14:30.000000000 +0100 @@ -1,3 +1,3 @@ This file causes merge conflicts if two ID assignment jobs run concurrently. This prevents duplicate ID assignment due to a race between those jobs. -5518448e55d2a585c2a6276dba5d12fb0afe464d10790643ed57c0a18c53a126 - +f551fc85bdd3f40721d0af2ced95b014fb1dfca6b86634824e8ca8f7fc128cd2 - diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20220215/crates/arrow2/RUSTSEC-2022-0012.md new/advisory-db-20220311/crates/arrow2/RUSTSEC-2022-0012.md --- old/advisory-db-20220215/crates/arrow2/RUSTSEC-2022-0012.md 1970-01-01 01:00:00.000000000 +0100 +++ new/advisory-db-20220311/crates/arrow2/RUSTSEC-2022-0012.md 2022-03-08 16:14:30.000000000 +0100 @@ -0,0 +1,24 @@ +```toml +[advisory] +id = "RUSTSEC-2022-0012" +package = "arrow2" +date = "2022-03-04" +url = "https://github.com/jorgecarleitao/arrow2/issues/880" +categories = ["memory-corruption"] + +[versions] +patched = [">= 0.7.1, < 0.8", ">= 0.8.2, < 0.9", ">= 0.9.2, < 0.10"] +``` + +# Arrow2 allows double free in `safe` code + +The struct `Ffi_ArrowArray` implements `#derive(Clone)` that is inconsistent with +its custom implementation of `Drop`, resulting in a double free when cloned. + +Cloning this struct in `safe` results in a segmentation fault, which is unsound. + +This derive was removed from this struct. All users are advised to either: +* bump the patch version of this crate (for versions `v0.7,v0.8,v0.9`), or +* migrate to a more recent version of the crate (when using `<0.7`). + +Doing so elimitates this vulnerability (code no longer compiles). diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20220215/crates/disrustor/RUSTSEC-2020-0150.md new/advisory-db-20220311/crates/disrustor/RUSTSEC-2020-0150.md --- old/advisory-db-20220215/crates/disrustor/RUSTSEC-2020-0150.md 2022-02-09 15:34:03.000000000 +0100 +++ new/advisory-db-20220311/crates/disrustor/RUSTSEC-2020-0150.md 2022-03-08 16:14:30.000000000 +0100 @@ -9,7 +9,7 @@ cvss = "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" [versions] -patched = [] +patched = [">= 0.3"] ``` # RingBuffer can create multiple mutable references and cause data races diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20220215/crates/enum-map/RUSTSEC-2022-0010.md new/advisory-db-20220311/crates/enum-map/RUSTSEC-2022-0010.md --- old/advisory-db-20220215/crates/enum-map/RUSTSEC-2022-0010.md 1970-01-01 01:00:00.000000000 +0100 +++ new/advisory-db-20220311/crates/enum-map/RUSTSEC-2022-0010.md 2022-03-08 16:14:30.000000000 +0100 @@ -0,0 +1,56 @@ +```toml +[advisory] +id = "RUSTSEC-2022-0010" +package = "enum-map" +date = "2022-02-17" +url = "https://gitlab.com/KonradBorowski/enum-map/-/blob/master/CHANGELOG.md#version-202" +categories = ["code-execution", "memory-corruption", "memory-exposure"] +informational = "unsound" + +[versions] +patched = [">= 2.0.2"] +unaffected = ["< 2.0.0-2"] +``` + +# enum_map macro can cause UB when `Enum` trait is incorrectly implemented + +Affected versions of this crate did not properly check the length of an enum when using `enum_map!` macro, trusting user-provided length. + +When the `LENGTH` in the `Enum` trait does not match the array length in the `EnumArray` trait, this can result in the initialization of the enum map with uninitialized types, which in turn can allow an attacker to execute arbitrary code. + +This problem can only occur with a manual implementation of the Enum trait, it will never occur for enums that use `#[derive(Enum)]`. + +Example code that triggers this vulnerability looks like this: + +```rust +enum E { + A, + B, + C, +} + +impl Enum for E { + const LENGTH: usize = 2; + + fn from_usize(value: usize) -> E { + match value { + 0 => E::A, + 1 => E::B, + 2 => E::C, + _ => unimplemented!(), + } + } + + fn into_usize(self) -> usize { + self as usize + } +} + +impl<V> EnumArray<V> for E { + type Array = [V; 3]; +} + +let _map: EnumMap<E, String> = enum_map! { _ => "Hello, world!".into() }; +``` + +The flaw was corrected in commit [b824e23](https://gitlab.com/KonradBorowski/enum-map/-/commit/b824e232f2fb47837740070096ac253df8e80dfc) by putting `LENGTH` property on sealed trait for macro to read. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20220215/crates/regex/RUSTSEC-2022-0013.md new/advisory-db-20220311/crates/regex/RUSTSEC-2022-0013.md --- old/advisory-db-20220215/crates/regex/RUSTSEC-2022-0013.md 1970-01-01 01:00:00.000000000 +0100 +++ new/advisory-db-20220311/crates/regex/RUSTSEC-2022-0013.md 2022-03-08 16:14:30.000000000 +0100 @@ -0,0 +1,65 @@ +```toml +[advisory] +id = "RUSTSEC-2022-0013" +package = "regex" +date = "2022-03-08" +url = "https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw" +categories = ["denial-of-service"] +aliases = ["CVE-2022-24713"] +cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + +[versions] +patched = [">= 1.5.5"] +``` + +# Regexes with large repetitions on empty sub-expressions take a very long time to parse + +The Rust Security Response WG was notified that the `regex` crate did not +properly limit the complexity of the regular expressions (regex) it parses. An +attacker could use this security issue to perform a denial of service, by +sending a specially crafted regex to a service accepting untrusted regexes. No +known vulnerability is present when parsing untrusted input with trusted +regexes. + +This issue has been assigned CVE-2022-24713. The severity of this vulnerability +is "high" when the `regex` crate is used to parse untrusted regexes. Other uses +of the `regex` crate are not affected by this vulnerability. + +## Overview + +The `regex` crate features built-in mitigations to prevent denial of service +attacks caused by untrusted regexes, or untrusted input matched by trusted +regexes. Those (tunable) mitigations already provide sane defaults to prevent +attacks. This guarantee is documented and it's considered part of the crate's +API. + +Unfortunately a bug was discovered in the mitigations designed to prevent +untrusted regexes to take an arbitrary amount of time during parsing, and it's +possible to craft regexes that bypass such mitigations. This makes it possible +to perform denial of service attacks by sending specially crafted regexes to +services accepting user-controlled, untrusted regexes. + +## Affected versions + +All versions of the `regex` crate before or equal to 1.5.4 are affected by this +issue. The fix is include starting from `regex` 1.5.5. + +## Mitigations + +We recommend everyone accepting user-controlled regexes to upgrade immediately +to the latest version of the `regex` crate. + +Unfortunately there is no fixed set of problematic regexes, as there are +practically infinite regexes that could be crafted to exploit this +vulnerability. Because of this, we do not recommend denying known problematic +regexes. + +## Acknowledgements + +We want to thank Addison Crump for responsibly disclosing this to us according +to the [Rust security policy][1], and for helping review the fix. + +We also want to thank Andrew Gallant for developing the fix, and Pietro Albini +for coordinating the disclosure and writing this advisory. + +[1]: https://www.rust-lang.org/policies/security diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20220215/crates/rental/RUSTSEC-2021-0134.md new/advisory-db-20220311/crates/rental/RUSTSEC-2021-0134.md --- old/advisory-db-20220215/crates/rental/RUSTSEC-2021-0134.md 2022-02-09 15:34:03.000000000 +0100 +++ new/advisory-db-20220311/crates/rental/RUSTSEC-2021-0134.md 2022-03-08 16:14:30.000000000 +0100 @@ -17,6 +17,5 @@ Maintained alternatives include: * [`ouroboros`](https://crates.io/crates/ouroboros) -* [`recursive_reference`](https://crates.io/crates/recursive_reference) * [`fortify`](https://crates.io/crates/fortify) * [`escher`](https://crates.io/crates/escher) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20220215/crates/rust-crypto/RUSTSEC-2022-0011.md new/advisory-db-20220311/crates/rust-crypto/RUSTSEC-2022-0011.md --- old/advisory-db-20220215/crates/rust-crypto/RUSTSEC-2022-0011.md 1970-01-01 01:00:00.000000000 +0100 +++ new/advisory-db-20220311/crates/rust-crypto/RUSTSEC-2022-0011.md 2022-03-08 16:14:30.000000000 +0100 @@ -0,0 +1,132 @@ +```toml +[advisory] +id = "RUSTSEC-2022-0011" + +package = "rust-crypto" + +date = "2022-02-28" + +categories = ["crypto-failure"] + +keywords = ["aesni"] + +[versions] +patched = [] +``` + +# Miscomputation when performing AES encryption in rust-crypto + +The following Rust program demonstrates some strangeness in AES encryption - if you have an immutable key slice and then operate on that slice, you get different encryption output than if you operate on a copy of that key. + +For these functions, we expect that extending a 16 byte key to a 32 byte key by repeating it gives the same encrypted data, because the underlying rust-crypto functions repeat key data up to the necessary key size for the cipher. + +```rust +use crypto::{ + aes, blockmodes, buffer, + buffer::{BufferResult, ReadBuffer, WriteBuffer}, + symmetriccipher, +}; + +fn encrypt( + key: &[u8], + iv: &[u8], + data: &str, +) -> Result<String, symmetriccipher::SymmetricCipherError> { + let mut encryptor = + aes::cbc_encryptor(aes::KeySize::KeySize256, key, iv, blockmodes::PkcsPadding); + + let mut encrypted_data = Vec::<u8>::new(); + let mut read_buffer = buffer::RefReadBuffer::new(data.as_bytes()); + let mut buffer = [0; 4096]; + let mut write_buffer = buffer::RefWriteBuffer::new(&mut buffer); + + loop { + let result = encryptor.encrypt(&mut read_buffer, &mut write_buffer, true)?; + + encrypted_data.extend( + write_buffer + .take_read_buffer() + .take_remaining() + .iter() + .copied(), + ); + + match result { + BufferResult::BufferUnderflow => break, + BufferResult::BufferOverflow => {} + } + } + + Ok(hex::encode(encrypted_data)) +} + +fn working() { + let data = "data"; + let iv = [ + 0xF0, 0xF1, 0xF2, 0xF3, 0xF4, 0xF5, 0xF6, 0xF7, 0xF8, 0xF9, 0xFA, 0xFB, 0xFC, 0xFD, 0xFE, + 0xFF, + ]; + let key = [ + 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, + 0x0F, + ]; + // The copy here makes the code work. + let key_copy = key; + let key2: Vec<u8> = key_copy.iter().cycle().take(32).copied().collect(); + println!("key1:{} key2: {}", hex::encode(&key), hex::encode(&key2)); + + let x1 = encrypt(&key, &iv, data).unwrap(); + println!("X1: {}", x1); + + let x2 = encrypt(&key2, &iv, data).unwrap(); + println!("X2: {}", x2); + + assert_eq!(x1, x2); +} + +fn broken() { + let data = "data"; + let iv = [ + 0xF0, 0xF1, 0xF2, 0xF3, 0xF4, 0xF5, 0xF6, 0xF7, 0xF8, 0xF9, 0xFA, 0xFB, 0xFC, 0xFD, 0xFE, + 0xFF, + ]; + let key = [ + 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, + 0x0F, + ]; + // This operation shouldn't affect the contents of key at all. + let key2: Vec<u8> = key.iter().cycle().take(32).copied().collect(); + println!("key1:{} key2: {}", hex::encode(&key), hex::encode(&key2)); + + let x1 = encrypt(&key, &iv, data).unwrap(); + println!("X1: {}", x1); + + let x2 = encrypt(&key2, &iv, data).unwrap(); + println!("X2: {}", x2); + + assert_eq!(x1, x2); +} + +fn main() { + working(); + broken(); +} +``` + +The output from this program: + +```shell + Running `target/host/debug/rust-crypto-test` +key1:000102030405060708090a0b0c0d0e0f key2: 000102030405060708090a0b0c0d0e0f000102030405060708090a0b0c0d0e0f +X1: 90462bbe32965c8e7ea0addbbed4cddb +X2: 90462bbe32965c8e7ea0addbbed4cddb +key1:000102030405060708090a0b0c0d0e0f key2: 000102030405060708090a0b0c0d0e0f000102030405060708090a0b0c0d0e0f +X1: 26e847e5e7df1947bf82a650548a7d5b +X2: 90462bbe32965c8e7ea0addbbed4cddb +thread 'main' panicked at 'assertion failed: `(left == right)` + left: `"26e847e5e7df1947bf82a650548a7d5b"`, + right: `"90462bbe32965c8e7ea0addbbed4cddb"`', src/main.rs:83:5 +``` + +Notably, the X1 key in the `broken()` test changes every time after rerunning the program. + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20220215/crates/xcb/RUSTSEC-2021-0019.md new/advisory-db-20220311/crates/xcb/RUSTSEC-2021-0019.md --- old/advisory-db-20220215/crates/xcb/RUSTSEC-2021-0019.md 2022-02-09 15:34:03.000000000 +0100 +++ new/advisory-db-20220311/crates/xcb/RUSTSEC-2021-0019.md 2022-03-08 16:14:30.000000000 +0100 @@ -10,10 +10,11 @@ ] date = "2021-02-04" url = "https://github.com/RustSec/advisory-db/issues/653" +references = ["https://github.com/rust-x-bindings/rust-xcb/issues/78", "https://github.com/rust-x-bindings/rust-xcb/issues/94", "https://github.com/rust-x-bindings/rust-xcb/issues/95", "https://github.com/rust-x-bindings/rust-xcb/issues/96"] categories = ["memory-corruption", "memory-exposure"] [versions] -patched = [] +patched = [">= 1.0"] ``` # Multiple soundness issues @@ -26,7 +27,7 @@ null bytes, but otherwise allows any X11 client to create an atom for arbitrary bytes. -This issue is tracked here: https://github.com/rtbo/rust-xcb/issues/96 +This issue is tracked here: https://github.com/rust-x-bindings/rust-xcb/issues/96 ## `xcb::xproto::GetPropertyReply::value()` allows arbitrary return types @@ -37,7 +38,7 @@ The users of the `xcb` crate are advised to only call this function with the intended types. These are `u8`, `u16`, and `u32`. -This issue is tracked here: https://github.com/rtbo/rust-xcb/issues/95 +This issue is tracked here: https://github.com/rust-x-bindings/rust-xcb/issues/95 ## Out of bounds read in `xcb::xproto::change_property()` @@ -53,7 +54,7 @@ The users of the `xcb` crate are advised to only call this function with one of the intended argument combinations. -This issue is tracked here: https://github.com/rtbo/rust-xcb/issues/94 +This issue is tracked here: https://github.com/rust-x-bindings/rust-xcb/issues/94 ## 'Safe' wrapper around `std::mem::transmute()` @@ -69,4 +70,4 @@ Users are advised to only cast to the event structs provided by the `xcb` crate (and hope for the best). -This issue is tracked here: https://github.com/rtbo/rust-xcb/issues/78 +This issue is tracked here: https://github.com/rust-x-bindings/rust-xcb/issues/78