Hello community,

here is the log from the commit of package cargo-audit-advisory-db for 
openSUSE:Factory checked in at 2023-04-13 14:10:49
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/cargo-audit-advisory-db (Old)
 and      /work/SRC/openSUSE:Factory/.cargo-audit-advisory-db.new.19717 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "cargo-audit-advisory-db"

Thu Apr 13 14:10:49 2023 rev:30 rq:1078825 version:20230413

Changes:
--------
--- 
/work/SRC/openSUSE:Factory/cargo-audit-advisory-db/cargo-audit-advisory-db.changes
  2023-02-23 16:53:28.181157874 +0100
+++ 
/work/SRC/openSUSE:Factory/.cargo-audit-advisory-db.new.19717/cargo-audit-advisory-db.changes
       2023-04-13 14:10:54.720353234 +0200
@@ -1,0 +2,15 @@
+Thu Apr 13 01:00:08 UTC 2023 - william.br...@suse.com
+
+- Update to version 20230413:
+  * Bump peter-evans/create-pull-request from 4 to 5 (#1677)
+  * Withdraw RUSTSEC-2021-0147 (#1676)
+  * Assigned RUSTSEC-2023-0032 to ntru (#1674)
+  * Add unsound ntru (#1652)
+  * Assigned RUSTSEC-2023-0031 to spin (#1673)
+  * Added unsound `spin` (#1671)
+  * Assigned RUSTSEC-2023-0030 to versionize (#1669)
+  * Add advisory for versionize crate (#1662)
+  * Assigned RUSTSEC-2023-0029 to nats (#1668)
+  * Fix `nats` directory (#1667)
+
+-------------------------------------------------------------------

Old:
----
  advisory-db-20230223.tar.xz

New:
----
  advisory-db-20230413.tar.xz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ cargo-audit-advisory-db.spec ++++++
--- /var/tmp/diff_new_pack.4ljuLg/_old  2023-04-13 14:10:56.164361525 +0200
+++ /var/tmp/diff_new_pack.4ljuLg/_new  2023-04-13 14:10:56.168361548 +0200
@@ -17,7 +17,7 @@
 
 
 Name:           cargo-audit-advisory-db
-Version:        20230223
+Version:        20230413
 Release:        0
 Summary:        A database of known security issues for Rust depedencies
 License:        CC0-1.0

++++++ _service ++++++
--- /var/tmp/diff_new_pack.4ljuLg/_old  2023-04-13 14:10:56.196361709 +0200
+++ /var/tmp/diff_new_pack.4ljuLg/_new  2023-04-13 14:10:56.200361732 +0200
@@ -2,7 +2,7 @@
   <service mode="disabled" name="obs_scm">
     <param name="url">https://github.com/RustSec/advisory-db.git</param>
     <param name="scm">git</param>
-    <param name="version">20230223</param>
+    <param name="version">20230413</param>
     <param name="revision">main</param>
     <param name="changesgenerate">enable</param>
     <param name="changesauthor">william.br...@suse.com</param>

++++++ advisory-db-20230223.tar.xz -> advisory-db-20230413.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/advisory-db-20230223/.duplicate-id-guard 
new/advisory-db-20230413/.duplicate-id-guard
--- old/advisory-db-20230223/.duplicate-id-guard        2023-02-14 
13:38:31.000000000 +0100
+++ new/advisory-db-20230413/.duplicate-id-guard        2023-04-10 
17:47:56.000000000 +0200
@@ -1,3 +1,3 @@
 This file causes merge conflicts if two ID assignment jobs run concurrently.
 This prevents duplicate ID assignment due to a race between those jobs.
-1d62e76ee351b7c3b8588635db0fe94bdf0aee8ff48199cb635aaf3468945844  -
+7de8d28e9de5141ab2c6b113aa3f887c5625e6644bd2c9375ba45f7360359e8d  -
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20230223/.github/workflows/assign-ids.yml 
new/advisory-db-20230413/.github/workflows/assign-ids.yml
--- old/advisory-db-20230223/.github/workflows/assign-ids.yml   2023-02-14 
13:38:31.000000000 +0100
+++ new/advisory-db-20230413/.github/workflows/assign-ids.yml   2023-04-10 
17:47:56.000000000 +0200
@@ -19,8 +19,9 @@
 
     - name: Install rustsec-admin
       run: |
-        if [ ! -f $HOME/.cargo/bin/rustsec-admin ]; then
-            cargo install rustsec-admin --vers 0.8.5
+        VERSION="0.8.5"
+        if ! ( rustsec-admin --version | grep -q "$VERSION" ); then
+          cargo install rustsec-admin --force --vers "$VERSION"
         fi
 
     - name: Assign IDs
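Review bot: The version check on the line `if ! ( rustsec-admin --version | grep -q "$VERSION" ); then` only tests that `0.8.5` occurs somewhere in the output, so a 0.8.5x build, or any output line that merely contains that substring, also passes and the `--force` reinstall is skipped. An exact comparison of the whole output, e.g. `[ "$(rustsec-admin --version 2>/dev/null)" = "rustsec-admin $VERSION" ]` (assuming that is the tool's output format), would pin the check to the intended release; at minimum `grep -qF` should be used so the dots in `$VERSION` are not regex wildcards. The `cargo install rustsec-admin --force --vers "$VERSION"` line pins the crate version but not its dependency tree; adding `--locked` would build the tool that assigns advisory IDs from its shipped Cargo.lock rather than from whatever transitive versions resolve on the day the job runs. The same step is repeated in the export-osv.yml, publish-web.yml and validate.yml hunks, and in the export-osv.yml and publish-web.yml context lines the cache `key: rustsec-admin-v0.8.5` still hard-codes the version independently of `VERSION`, so the two can drift on the next bump.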
@@ -36,7 +37,7 @@
         ls -R ./crates/ ./rust/ | sha256sum >> .duplicate-id-guard
 
     - name: Create pull request
-      uses: peter-evans/create-pull-request@v4
+      uses: peter-evans/create-pull-request@v5
       with:
         token: ${{ secrets.GITHUB_TOKEN }}
         commit-message: ${{ steps.assign.outputs.commit_message }}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20230223/.github/workflows/export-osv.yml 
new/advisory-db-20230413/.github/workflows/export-osv.yml
--- old/advisory-db-20230223/.github/workflows/export-osv.yml   2023-02-14 
13:38:31.000000000 +0100
+++ new/advisory-db-20230413/.github/workflows/export-osv.yml   2023-04-10 
17:47:56.000000000 +0200
@@ -16,8 +16,9 @@
           path: ~/.cargo/bin
           key: rustsec-admin-v0.8.5
       - run: |
-          if [ ! -f $HOME/.cargo/bin/rustsec-admin ]; then
-           cargo install rustsec-admin --vers 0.8.5
+          VERSION="0.8.5"
+          if ! ( rustsec-admin --version | grep -q "$VERSION" ); then
+            cargo install rustsec-admin --force --vers "$VERSION"
           fi
           mkdir -p crates
           rustsec-admin osv crates
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20230223/.github/workflows/publish-web.yml 
new/advisory-db-20230413/.github/workflows/publish-web.yml
--- old/advisory-db-20230223/.github/workflows/publish-web.yml  2023-02-14 
13:38:31.000000000 +0100
+++ new/advisory-db-20230413/.github/workflows/publish-web.yml  2023-04-10 
17:47:56.000000000 +0200
@@ -16,8 +16,9 @@
           path: ~/.cargo/bin
           key: rustsec-admin-v0.8.5
       - run: |
-          if [ ! -f $HOME/.cargo/bin/rustsec-admin ]; then
-           cargo install rustsec-admin --vers 0.8.5
+          VERSION="0.8.5"
+          if ! ( rustsec-admin --version | grep -q "$VERSION" ); then
+            cargo install rustsec-admin --force --vers "$VERSION"
           fi
           rustsec-admin web .
           git config user.name github-actions
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/advisory-db-20230223/.github/workflows/validate.yml 
new/advisory-db-20230413/.github/workflows/validate.yml
--- old/advisory-db-20230223/.github/workflows/validate.yml     2023-02-14 
13:38:31.000000000 +0100
+++ new/advisory-db-20230413/.github/workflows/validate.yml     2023-04-10 
17:47:56.000000000 +0200
@@ -20,8 +20,9 @@
 
     - name: Install rustsec-admin
       run: |
-        if [ ! -f $HOME/.cargo/bin/rustsec-admin ]; then
-            cargo install rustsec-admin --vers 0.8.5
+        VERSION="0.8.5"
+        if ! ( rustsec-admin --version | grep -q "$VERSION" ); then
+          cargo install rustsec-admin --force --vers "$VERSION"
         fi
 
     - name: Lint advisories
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/advisory-db-20230223/README.md 
new/advisory-db-20230413/README.md
--- old/advisory-db-20230223/README.md  2023-02-14 13:38:31.000000000 +0100
+++ new/advisory-db-20230413/README.md  2023-04-10 17:47:56.000000000 +0200
@@ -1,7 +1,7 @@
 # RustSec Advisory Database
 
 [![Build Status][build-image]][build-link]
-![Maintained: Q2 2022][maintained-image]
+![Maintained: Q1 2023][maintained-image]
 [![Project Chat][chat-image]][chat-link]
 
 The RustSec Advisory Database is a repository of security advisories filed
@@ -137,7 +137,7 @@
 
 [build-image]: 
https://github.com/rustsec/advisory-db/workflows/Validate/badge.svg
 [build-link]: https://github.com/rustsec/advisory-db/actions
-[maintained-image]: https://img.shields.io/maintenance/yes/2022.svg
+[maintained-image]: https://img.shields.io/maintenance/yes/2023.svg
 [chat-image]: https://img.shields.io/badge/zulip-join_chat-blue.svg
 [chat-link]: 
https://rust-lang.zulipchat.com/#narrow/stream/146229-wg-secure-code/
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20230223/crates/ascii/RUSTSEC-2023-0015.md 
new/advisory-db-20230413/crates/ascii/RUSTSEC-2023-0015.md
--- old/advisory-db-20230223/crates/ascii/RUSTSEC-2023-0015.md  1970-01-01 
01:00:00.000000000 +0100
+++ new/advisory-db-20230413/crates/ascii/RUSTSEC-2023-0015.md  2023-04-10 
17:47:56.000000000 +0200
@@ -0,0 +1,19 @@
+```toml
+[advisory]
+id = "RUSTSEC-2023-0015"
+package = "ascii"
+date = "2023-02-25"
+url = "https://github.com/tomprogrammer/rust-ascii/issues/64";
+informational = "unsound"
+categories = ["memory-corruption"]
+keywords = ["ascii"]
+[versions]
+patched = [">= 0.9.3"]
+unaffected = ["<= 0.6.0"]
+```
+
+# Ascii allows out-of-bounds array indexing in safe code
+
+Affected version of this crate had implementation of `From<&mut AsciiStr>` for 
`&mut [u8]` and `&mut str`. This can result in out-of-bounds array indexing in 
safe code.
+
+The flaw was corrected in commit 
[8a6c779](https://github.com/tomprogrammer/rust-ascii/pull/63/commits/8a6c7798c202766bd57d70fb8d12739dd68fb9dc)
 by removing those impls.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20230223/crates/async-nats/RUSTSEC-2023-0027.md 
new/advisory-db-20230413/crates/async-nats/RUSTSEC-2023-0027.md
--- old/advisory-db-20230223/crates/async-nats/RUSTSEC-2023-0027.md     
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20230413/crates/async-nats/RUSTSEC-2023-0027.md     
2023-04-10 17:47:56.000000000 +0200
@@ -0,0 +1,37 @@
+```toml
+[advisory]
+id = "RUSTSEC-2023-0027"
+package = "async-nats"
+date = "2023-03-24"
+url = 
"https://github.com/nats-io/nats.rs/commit/817a7b942c462fa9d9938dcb62124173634132fb#diff-767d442397fcaaf2f83e8f924d4a70317a2ce4703a49964d6007707949cfa5f5L303-R304";
+categories = ["crypto-failure"]
+keywords = ["tls", "mitm"]
+
+[versions]
+patched = [">= 0.29.0"]
+```
+
+# TLS certificate common name validation bypass
+
+The NATS official Rust clients are vulnerable to MitM when using TLS.
+
+The common name of the server's TLS certificate is validated against
+the `host`name provided by the server's plaintext `INFO` message
+during the initial connection setup phase. A MitM proxy can tamper with
+the `host` field's value by substituting it with the common name of a
+valid certificate it controls, fooling the client into accepting it.
+
+## Reproduction steps
+
+1. The NATS Rust client tries to establish a new connection
+2. The connection is intercepted by a MitM proxy
+3. The proxy makes a separate connection to the NATS server
+4. The NATS server replies with an `INFO` message
+5. The proxy reads the `INFO`, alters the `host` JSON field and passes
+   the tampered `INFO` back to the client
+6. The proxy upgrades the client connection to TLS, presenting a certificate 
issued
+   by a certificate authority present in the client's keychain.
+   In the previous step the `host` was set to the common name of said 
certificate
+7. `rustls` accepts the certificate, having verified that the common name 
matches the
+   attacker-controlled value it was given
+9. The client has been fooled by the MitM proxy into accepting the 
attacker-controlled certificate
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20230223/crates/boxfnonce/RUSTSEC-2019-0040.md 
new/advisory-db-20230413/crates/boxfnonce/RUSTSEC-2019-0040.md
--- old/advisory-db-20230223/crates/boxfnonce/RUSTSEC-2019-0040.md      
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20230413/crates/boxfnonce/RUSTSEC-2019-0040.md      
2023-04-10 17:47:56.000000000 +0200
@@ -0,0 +1,17 @@
+```toml
+[advisory]
+id = "RUSTSEC-2019-0040"
+package = "boxfnonce"
+date = "2019-06-20"
+url = 
"https://github.com/stbuehler/rust-boxfnonce/commit/058ac7e1a7d732076da9d8a37baa66bcb67758d8";
+informational = "unmaintained"
+
+[versions]
+patched = []
+```
+
+# `boxfnonce` obsolete with release of Rust 1.35.0
+
+[This](https://github.com/stbuehler/rust-boxfnonce/commit/058ac7e1a7d732076da9d8a37baa66bcb67758d8)
 commit marks the `boxfnonce` crate as obsolete and the GitHub repo has since 
been archived.
+
+The functionality of `boxfnonce` has been added to Rust since 1.35.0. Use 
`Box<dyn FnOnce(...) -> ...>`.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20230223/crates/buf_redux/RUSTSEC-2023-0028.md 
new/advisory-db-20230413/crates/buf_redux/RUSTSEC-2023-0028.md
--- old/advisory-db-20230223/crates/buf_redux/RUSTSEC-2023-0028.md      
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20230413/crates/buf_redux/RUSTSEC-2023-0028.md      
2023-04-10 17:47:56.000000000 +0200
@@ -0,0 +1,32 @@
+```toml
+[advisory]
+id = "RUSTSEC-2023-0028"
+package = "buf_redux"
+date = "2023-01-24"
+url = "https://github.com/abonander/buf_redux/issues";
+informational = "unmaintained"
+
+[versions]
+patched = []
+```
+
+# buf_redux is Unmaintained
+
+Last release was over three years ago.
+
+The maintainer(s) have been unreachable to respond to any issues that may or 
may not include security issues.
+
+The repository is now archived and there is no security policy in place to 
contact the maintainer(s) otherwise.
+
+The safety-undocumented unsafe in the crate may or may not be safe to use.
+
+The crate also has a current future incompatibility warning 
[buf_redux/23](https://github.com/abonander/buf_redux/issues/23).
+
+## Possible Alternatives
+
+The below may or may not provide alternative(s)
+
+- Rust alloc / std vec::Vec, collections::VecDeque
+- [buffer-redux](https://crates.io/crates/buffer-redux) - fork
+- [bytes](https://crates.io/crates/bytes)
+- [crates.io search for 'buffer'](https://crates.io/keywords/buffer)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20230223/crates/const-cstr/RUSTSEC-2023-0020.md 
new/advisory-db-20230413/crates/const-cstr/RUSTSEC-2023-0020.md
--- old/advisory-db-20230223/crates/const-cstr/RUSTSEC-2023-0020.md     
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20230413/crates/const-cstr/RUSTSEC-2023-0020.md     
2023-04-10 17:47:56.000000000 +0200
@@ -0,0 +1,40 @@
+```toml
+[advisory]
+id = "RUSTSEC-2023-0020"
+package = "const-cstr"
+date = "2023-03-12"
+url = "https://github.com/abonander/const-cstr";
+informational = "unsound"
+
+[versions]
+patched = []
+```
+
+# const-cstr is Unmaintained
+
+Last release was about five years ago.
+
+The maintainer(s) have been unreachable to respond to any issues that may or 
may not include security issues.
+
+The repository is now archived and there is no security policy in place to 
contact the maintainer(s) otherwise.
+
+No direct fork exist.
+
+# const-cstr is Unsound
+
+The crate violates the safety contract of 
[ffi::CStr::from_bytes_with_nul_unchecked](https://doc.rust-lang.org/std/ffi/struct.CStr.html#method.from_bytes_with_nul_unchecked)
 used in `ConstCStr::as_cstr`
+
+No interior nul bytes checking is done either by the constructor or the 
canonical macro to create the `ConstCStr`
+
+# const-cstr Panic
+
+Additionally the crate may cause runtime panics if statically compiled and ran 
with any untrusted data that is not nul-terminated.
+
+This is however unlikely but the the crate should not be used for untrusted 
data in context where panic may create a DoS vector.
+
+## Possible Alternatives
+
+The below may or may not provide alternative(s)
+
+- 
[const_str::cstr!](https://docs.rs/const-str/latest/const_str/macro.cstr.html)
+- [cstr::cstr!](https://crates.io/crates/cstr)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20230223/crates/daemonize/RUSTSEC-2021-0147.md 
new/advisory-db-20230413/crates/daemonize/RUSTSEC-2021-0147.md
--- old/advisory-db-20230223/crates/daemonize/RUSTSEC-2021-0147.md      
2023-02-14 13:38:31.000000000 +0100
+++ new/advisory-db-20230413/crates/daemonize/RUSTSEC-2021-0147.md      
2023-04-10 17:47:56.000000000 +0200
@@ -3,6 +3,7 @@
 id = "RUSTSEC-2021-0147"
 package = "daemonize"
 date = "2021-09-01"
+withdrawn = "2023-02-19"
 url = "https://github.com/knsd/daemonize/issues/46";
 informational = "unmaintained"
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20230223/crates/encoding/RUSTSEC-2021-0153.md 
new/advisory-db-20230413/crates/encoding/RUSTSEC-2021-0153.md
--- old/advisory-db-20230223/crates/encoding/RUSTSEC-2021-0153.md       
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20230413/crates/encoding/RUSTSEC-2021-0153.md       
2023-04-10 17:47:56.000000000 +0200
@@ -0,0 +1,19 @@
+```toml
+[advisory]
+id = "RUSTSEC-2021-0153"
+package = "encoding"
+date = "2021-12-05"
+url = "https://github.com/lifthrasiir/rust-encoding/issues/127";
+informational = "unmaintained"
+
+[versions]
+patched = []
+```
+
+# `encoding` is unmaintained
+
+Last release was on 2016-08-28. The 
[issue](https://github.com/lifthrasiir/rust-encoding/issues/127) inquiring as 
to the status of the crate has gone unanswered by the maintainer.
+
+## Possible alternatives
+
+- [encoding_rs](https://crates.io/crates/encoding_rs)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20230223/crates/git-hash/RUSTSEC-2023-0025.md 
new/advisory-db-20230413/crates/git-hash/RUSTSEC-2023-0025.md
--- old/advisory-db-20230223/crates/git-hash/RUSTSEC-2023-0025.md       
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20230413/crates/git-hash/RUSTSEC-2023-0025.md       
2023-04-10 17:47:56.000000000 +0200
@@ -0,0 +1,17 @@
+```toml
+[advisory]
+id = "RUSTSEC-2023-0025"
+package = "git-hash"
+date = "2023-03-14"
+url = "https://github.com/Byron/gitoxide/pull/741";
+informational = "unmaintained"
+
+[versions]
+patched = []
+```
+
+# Gitoxide has renamed its crates.
+
+All crates in the gitoxide project have been renamed from git-<crate> to
+gix-<crate>. The git- prefixed crates are no longer being updated. Switch
+to using gix-hash to continue receiving updates.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20230223/crates/git-path/RUSTSEC-2023-0026.md 
new/advisory-db-20230413/crates/git-path/RUSTSEC-2023-0026.md
--- old/advisory-db-20230223/crates/git-path/RUSTSEC-2023-0026.md       
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20230413/crates/git-path/RUSTSEC-2023-0026.md       
2023-04-10 17:47:56.000000000 +0200
@@ -0,0 +1,17 @@
+```toml
+[advisory]
+id = "RUSTSEC-2023-0026"
+package = "git-path"
+date = "2023-03-14"
+url = "https://github.com/Byron/gitoxide/pull/741";
+informational = "unmaintained"
+
+[versions]
+patched = []
+```
+
+# Gitoxide has renamed its crates.
+
+All crates in the gitoxide project have been renamed from git-<crate> to
+gix-<crate>. The git- prefixed crates are no longer being updated. Switch
+to using gix-path to continue receiving updates.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20230223/crates/kuchiki/RUSTSEC-2023-0019.md 
new/advisory-db-20230413/crates/kuchiki/RUSTSEC-2023-0019.md
--- old/advisory-db-20230223/crates/kuchiki/RUSTSEC-2023-0019.md        
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20230413/crates/kuchiki/RUSTSEC-2023-0019.md        
2023-04-10 17:47:56.000000000 +0200
@@ -0,0 +1,22 @@
+```toml
+[advisory]
+id = "RUSTSEC-2023-0019"
+package = "kuchiki"
+date = "2023-01-21"
+url = 
"https://github.com/kuchiki-rs/kuchiki/commit/f92e4c047fdc30619555da282ac7ccce1d313aa6";
+informational = "unmaintained"
+
+[versions]
+patched = []
+```
+
+# `kuchiki` is unmaintained
+
+The `kuchiki` repo was marked as archived in 
[this](https://github.com/kuchiki-rs/kuchiki/commit/f92e4c047fdc30619555da282ac7ccce1d313aa6)
 commit.
+
+## Possible Alternatives
+
+Possible alternatives may include:
+
+- [html5ever](https://crates.io/crates/html5ever)
+- [xml-rs](https://crates.io/crates/xml-rs)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20230223/crates/mach/RUSTSEC-2020-0168.md 
new/advisory-db-20230413/crates/mach/RUSTSEC-2020-0168.md
--- old/advisory-db-20230223/crates/mach/RUSTSEC-2020-0168.md   1970-01-01 
01:00:00.000000000 +0100
+++ new/advisory-db-20230413/crates/mach/RUSTSEC-2020-0168.md   2023-04-10 
17:47:56.000000000 +0200
@@ -0,0 +1,23 @@
+```toml
+[advisory]
+id = "RUSTSEC-2020-0168"
+package = "mach"
+date = "2020-07-14"
+url = "https://github.com/fitzgen/mach/issues/63";
+informational = "unmaintained"
+
+[versions]
+patched = []
+```
+
+# mach is unmaintained
+
+
+Last release was almost 4 years ago.
+
+Maintainer(s) seem to be completely unreachable. 
+
+## Possible Alternative(s)
+
+These may or may not be suitable alternatives and have not been vetted in any 
way;
+- [mach2](https://crates.io/crates/mach2) - direct fork
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20230223/crates/maligned/RUSTSEC-2023-0017.md 
new/advisory-db-20230413/crates/maligned/RUSTSEC-2023-0017.md
--- old/advisory-db-20230223/crates/maligned/RUSTSEC-2023-0017.md       
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20230413/crates/maligned/RUSTSEC-2023-0017.md       
2023-04-10 17:47:56.000000000 +0200
@@ -0,0 +1,28 @@
+```toml
+[advisory]
+id = "RUSTSEC-2023-0017"
+package = "maligned"
+date = "2023-03-04"
+url = "https://github.com/tylerhawkes/maligned/issues/5";
+informational = "unsound"
+categories = ["memory-corruption"]
+keywords = ["unsound", "alloc", "align"]
+
+[versions]
+patched = []
+unaffected = []
+
+[affected.functions]
+"maligned::align_first" = ["*"]
+"maligned::align_first_boxed" = ["*"]
+"maligned::align_first_boxed_cloned" = ["*"]
+"maligned::align_first_boxed_default" = ["*"]
+```
+
+# `maligned::align_first` causes incorrect deallocation
+
+`maligned::align_first` manually allocates with an alignment larger than T, 
and then uses `Vec::from_raw_parts` on that allocation to get a `Vec<T>`.
+
+[`GlobalAlloc::dealloc`](https://doc.rust-lang.org/std/alloc/trait.GlobalAlloc.html#tymethod.dealloc)
 requires that the `layout` argument must be the same layout that was used to 
allocate that block of memory.
+
+When deallocating, `Box` and `Vec` may not respect the specified alignment and 
can cause undefined behavior.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20230223/crates/nats/RUSTSEC-2023-0029.md 
new/advisory-db-20230413/crates/nats/RUSTSEC-2023-0029.md
--- old/advisory-db-20230223/crates/nats/RUSTSEC-2023-0029.md   1970-01-01 
01:00:00.000000000 +0100
+++ new/advisory-db-20230413/crates/nats/RUSTSEC-2023-0029.md   2023-04-10 
17:47:56.000000000 +0200
@@ -0,0 +1,41 @@
+```toml
+[advisory]
+id = "RUSTSEC-2023-0029"
+package = "nats"
+date = "2023-03-24"
+categories = ["crypto-failure"]
+keywords = ["tls", "mitm"]
+
+[versions]
+patched = []
+unaffected = ["< 0.9.0"]
+```
+
+# TLS certificate common name validation bypass
+
+The NATS official Rust clients are vulnerable to MitM when using TLS.
+
+A fix for the `nats` crate hasn't been released yet. Since the `nats` crate
+is going to be deprecated anyway, consider switching to `async-nats` `>= 0.29`
+which already fixed this vulnerability.
+
+The common name of the server's TLS certificate is validated against
+the `host`name provided by the server's plaintext `INFO` message
+during the initial connection setup phase. A MitM proxy can tamper with
+the `host` field's value by substituting it with the common name of a
+valid certificate it controls, fooling the client into accepting it.
+
+## Reproduction steps
+
+1. The NATS Rust client tries to establish a new connection
+2. The connection is intercepted by a MitM proxy
+3. The proxy makes a separate connection to the NATS server
+4. The NATS server replies with an `INFO` message
+5. The proxy reads the `INFO`, alters the `host` JSON field and passes
+   the tampered `INFO` back to the client
+6. The proxy upgrades the client connection to TLS, presenting a certificate 
issued
+   by a certificate authority present in the client's keychain.
+   In the previous step the `host` was set to the common name of said 
certificate
+7. `rustls` accepts the certificate, having verified that the common name 
matches the
+   attacker-controlled value it was given
+9. The client has been fooled by the MitM proxy into accepting the 
attacker-controlled certificate
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20230223/crates/ncollide2d/RUSTSEC-2021-0151.md 
new/advisory-db-20230413/crates/ncollide2d/RUSTSEC-2021-0151.md
--- old/advisory-db-20230223/crates/ncollide2d/RUSTSEC-2021-0151.md     
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20230413/crates/ncollide2d/RUSTSEC-2021-0151.md     
2023-04-10 17:47:56.000000000 +0200
@@ -0,0 +1,15 @@
+```toml
+[advisory]
+id = "RUSTSEC-2021-0151"
+package = "ncollide2d"
+date = "2021-01-29"
+url = "https://github.com/dimforge/ncollide";
+informational = "unmaintained"
+
+[versions]
+patched = []
+```
+# ncollide2d is unmaintained
+
+The maintainer has advised that this crate is passively-maintained and that it
+is being superseded by the [Parry](https://github.com/dimforge/parry) project.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20230223/crates/ncollide3d/RUSTSEC-2021-0150.md 
new/advisory-db-20230413/crates/ncollide3d/RUSTSEC-2021-0150.md
--- old/advisory-db-20230223/crates/ncollide3d/RUSTSEC-2021-0150.md     
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20230413/crates/ncollide3d/RUSTSEC-2021-0150.md     
2023-04-10 17:47:56.000000000 +0200
@@ -0,0 +1,15 @@
+```toml
+[advisory]
+id = "RUSTSEC-2021-0150"
+package = "ncollide3d"
+date = "2021-01-29"
+url = "https://github.com/dimforge/ncollide";
+informational = "unmaintained"
+
+[versions]
+patched = []
+```
+# ncollide3d is unmaintained
+
+The maintainer has advised that this crate is passively-maintained and that it
+is being superseded by the [Parry](https://github.com/dimforge/parry) project.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20230223/crates/nphysics2d/RUSTSEC-2021-0149.md 
new/advisory-db-20230413/crates/nphysics2d/RUSTSEC-2021-0149.md
--- old/advisory-db-20230223/crates/nphysics2d/RUSTSEC-2021-0149.md     
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20230413/crates/nphysics2d/RUSTSEC-2021-0149.md     
2023-04-10 17:47:56.000000000 +0200
@@ -0,0 +1,15 @@
+```toml
+[advisory]
+id = "RUSTSEC-2021-0149"
+package = "nphysics2d"
+date = "2021-01-29"
+url = "https://github.com/dimforge/nphysics";
+informational = "unmaintained"
+
+[versions]
+patched = []
+```
+# nphysics2d is unmaintained
+
+The maintainer has advised that this crate is passively-maintained and that it
+is being superseded by the [Rapier](https://github.com/dimforge/rapier) 
project.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20230223/crates/nphysics3d/RUSTSEC-2021-0148.md 
new/advisory-db-20230413/crates/nphysics3d/RUSTSEC-2021-0148.md
--- old/advisory-db-20230223/crates/nphysics3d/RUSTSEC-2021-0148.md     
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20230413/crates/nphysics3d/RUSTSEC-2021-0148.md     
2023-04-10 17:47:56.000000000 +0200
@@ -0,0 +1,15 @@
+```toml
+[advisory]
+id = "RUSTSEC-2021-0148"
+package = "nphysics3d"
+date = "2021-01-29"
+url = "https://github.com/dimforge/nphysics";
+informational = "unmaintained"
+
+[versions]
+patched = []
+```
+# nphysics3d is unmaintained
+
+The maintainer has advised that this crate is passively-maintained and that it
+is being superseded by the [Rapier](https://github.com/dimforge/rapier) 
project.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20230223/crates/ntru/RUSTSEC-2023-0032.md 
new/advisory-db-20230413/crates/ntru/RUSTSEC-2023-0032.md
--- old/advisory-db-20230223/crates/ntru/RUSTSEC-2023-0032.md   1970-01-01 
01:00:00.000000000 +0100
+++ new/advisory-db-20230413/crates/ntru/RUSTSEC-2023-0032.md   2023-04-10 
17:47:56.000000000 +0200
@@ -0,0 +1,30 @@
+```toml
+[advisory]
+id = "RUSTSEC-2023-0032"
+package = "ntru"
+date = "2023-03-22"
+url = "https://github.com/FrinkGlobal/ntru-rs/issues/8";
+categories = ["memory-corruption"]
+keywords = ["ffi", "buffer overflow"]
+informational = "unsound"
+
+[versions]
+patched = []
+
+[affected.functions]
+"ntru::types::PrivateKey::export" = [">= 0.4.3"]
+"ntru::types::PublicKey::export" = [">= 0.4.3"]
+```
+
+# Unsound FFI: Wrong API usage causes write past allocated area
+
+The following usage causes undefined behavior.
+```rust
+let kp: ntru::types::KeyPair = …;
+kp.get_public().export(Default::default())
+```
+
+When compiled with debug assertions, the code above will trigger a `attempt to 
subtract with overflow` panic before UB occurs.
+Other mistakes (e.g. using `EncParams` from a different key) may always 
trigger UB.
+
+Likely, older versions of this crate are also affected, but have not been 
tested.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20230223/crates/openssl/RUSTSEC-2023-0022.md 
new/advisory-db-20230413/crates/openssl/RUSTSEC-2023-0022.md
--- old/advisory-db-20230223/crates/openssl/RUSTSEC-2023-0022.md        
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20230413/crates/openssl/RUSTSEC-2023-0022.md        
2023-04-10 17:47:56.000000000 +0200
@@ -0,0 +1,22 @@
+```toml
+[advisory]
+id = "RUSTSEC-2023-0022"
+package = "openssl"
+date = "2023-03-24"
+url = "https://github.com/sfackler/rust-openssl/pull/1854";
+categories = ["thread-safety"]
+
+[affected]
+functions = { "openssl::x509::X509NameBuilder::build" = ["< 0.10.48, >=0.9.7"] 
}
+
+[versions]
+patched = [">= 0.10.48"]
+```
+
+# `openssl` `X509NameBuilder::build` returned object is not thread safe
+
+OpenSSL has a `modified` bit that it can set on on `X509_NAME` objects. If this
+bit is set then the object is not thread-safe even when it appears the code is
+not modifying the value.
+
+Thanks to David Benjamin (Google) for reporting this issue.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20230223/crates/openssl/RUSTSEC-2023-0023.md 
new/advisory-db-20230413/crates/openssl/RUSTSEC-2023-0023.md
--- old/advisory-db-20230223/crates/openssl/RUSTSEC-2023-0023.md        
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20230413/crates/openssl/RUSTSEC-2023-0023.md        
2023-04-10 17:47:56.000000000 +0200
@@ -0,0 +1,22 @@
+```toml
+[advisory]
+id = "RUSTSEC-2023-0023"
+package = "openssl"
+date = "2023-03-24"
+url = "https://github.com/sfackler/rust-openssl/pull/1854";
+categories = ["file-disclosure"]
+
+[affected]
+functions = { "openssl::x509::extension::SubjectAlternativeName::new" = ["< 
0.10.48, >=0.9.7"], "openssl::x509::extension::ExtendedKeyUsage::other" = ["< 
0.10.48, >=0.9.7"] }
+
+[versions]
+patched = [">= 0.10.48"]
+```
+
+# `openssl` `SubjectAlternativeName` and `ExtendedKeyUsage::other` allow 
arbitrary file read
+
+`SubjectAlternativeName` and `ExtendedKeyUsage` arguments were parsed using 
the OpenSSL
+function `X509V3_EXT_nconf`. This function parses all input using an OpenSSL 
mini-language
+which can perform arbitrary file reads.
+
+Thanks to David Benjamin (Google) for reporting this issue.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20230223/crates/openssl/RUSTSEC-2023-0024.md 
new/advisory-db-20230413/crates/openssl/RUSTSEC-2023-0024.md
--- old/advisory-db-20230223/crates/openssl/RUSTSEC-2023-0024.md        
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20230413/crates/openssl/RUSTSEC-2023-0024.md        
2023-04-10 17:47:56.000000000 +0200
@@ -0,0 +1,20 @@
+```toml
+[advisory]
+id = "RUSTSEC-2023-0024"
+package = "openssl"
+date = "2023-03-24"
+url = "https://github.com/sfackler/rust-openssl/pull/1854";
+categories = ["denial-of-service"]
+
+[affected]
+functions = { "openssl::x509::X509Extension::new" = ["< 0.10.48, >=0.9.7"], 
"openssl::x509::X509Extension::new_nid" = ["< 0.10.48, >=0.9.7"] }
+
+[versions]
+patched = [">= 0.10.48"]
+```
+
+# `openssl` `X509Extension::new` and `X509Extension::new_nid` null pointer 
dereference
+
+These functions would crash when the context argument was None with certain 
extension types.
+
+Thanks to David Benjamin (Google) for reporting this issue.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20230223/crates/out-reference/RUSTSEC-2021-0152.md 
new/advisory-db-20230413/crates/out-reference/RUSTSEC-2021-0152.md
--- old/advisory-db-20230223/crates/out-reference/RUSTSEC-2021-0152.md  
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20230413/crates/out-reference/RUSTSEC-2021-0152.md  
2023-04-10 17:47:56.000000000 +0200
@@ -0,0 +1,23 @@
+```toml
+[advisory]
+id = "RUSTSEC-2021-0152"
+package = "out-reference"
+date = "2021-01-20"
+url = "https://github.com/RustyYato/out-ref/issues/1";
+informational = "unsound"
+categories = ["memory-corruption"]
+keywords = ["unsound", "raw-pointer"]
+
+[versions]
+patched = [">= 0.2.0"]
+unaffected = ["< 0.1.0"]
+
+[affected.functions]
+"out_reference::Out::from_raw" = [">= 0.1.0, < 0.2.0"]
+```
+
+# `out_reference::Out::from_raw` should be `unsafe`
+
+`Out::from_raw` in affected versions allows writing a value to invalid memory 
address without requiring `unsafe`.
+
+The soundness issue has been addressed by making `Out::from_raw` an unsafe 
function.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20230223/crates/partial_sort/RUSTSEC-2023-0016.md 
new/advisory-db-20230413/crates/partial_sort/RUSTSEC-2023-0016.md
--- old/advisory-db-20230223/crates/partial_sort/RUSTSEC-2023-0016.md   
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20230413/crates/partial_sort/RUSTSEC-2023-0016.md   
2023-04-10 17:47:56.000000000 +0200
@@ -0,0 +1,29 @@
+```toml
+[advisory]
+id = "RUSTSEC-2023-0016"
+package = "partial_sort"
+date = "2023-02-20"
+url = "https://github.com/sundy-li/partial_sort/issues/7";
+informational = "unsound"
+categories = ["memory-exposure"]
+keywords = ["out-of-bounds read"]
+
+[versions]
+patched = [">= 0.2.0"]
+```
+
+# Possible out-of-bounds read in release mode
+
+Affected versions of this crate were using a debug assertion to validate the
+`last` parameter of `partial_sort()`. This would allow invalid inputs to cause
+an out-of-bounds read instead of immediately panicking, when compiled without
+debug assertions.
+
+All writes are bounds-checked, so the out-of-bounds memory access is read-only.
+This also means that the first attempted out-of-bounds write will panic,
+limiting the possible reads.
+
+The accessible region is further limited by an initial bounds-checked read
+at `(last / 2) - 1`, i.e., it is proportional to the size of the vector.
+
+This bug has been fixed in v0.2.0.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20230223/crates/remove_dir_all/RUSTSEC-2023-0018.md 
new/advisory-db-20230413/crates/remove_dir_all/RUSTSEC-2023-0018.md
--- old/advisory-db-20230223/crates/remove_dir_all/RUSTSEC-2023-0018.md 
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20230413/crates/remove_dir_all/RUSTSEC-2023-0018.md 
2023-04-10 17:47:56.000000000 +0200
@@ -0,0 +1,67 @@
+```toml
+[advisory]
+id = "RUSTSEC-2023-0018"
+package = "remove_dir_all"
+date = "2023-02-24"
+url = 
"https://github.com/XAMPPRocky/remove_dir_all/commit/7247a8b6ee59fc99bbb69ca6b3ca4bfd8c809ead";
+references = ["https://github.com/advisories/GHSA-mc8h-8q98-g5hr";]
+keywords = ["TOCTOU"]
+aliases = ["GHSA-mc8h-8q98-g5hr"]
+
+[affected]
+functions = { "remove_dir_all::remove_dir_all" = ["< 0.8.0"], 
"remove_dir_all::remove_dir_contents" = ["< 0.8.0"], 
"remove_dir_all::ensure_empty_dir" = ["< 0.8.0"] }
+
+[versions]
+patched = [">= 0.8.0"]
+```
+
+# Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU)
+
+The remove_dir_all crate is a Rust library that offers additional features 
over the Rust
+standard library fs::remove_dir_all function.
+
+It was possible to trick a privileged process doing a recursive delete in an
+attacker controlled directory into deleting privileged files, on all operating 
systems.
+
+For instance, consider deleting a tree called 'etc' in a parent directory
+called 'p'. Between calling `remove_dir_all("a")` and remove_dir_all("a")
+actually starting its work, the attacker can move 'p' to 'p-prime', and
+replace 'p' with a symlink to '/'. Then the privileged process deletes 'p/etc'
+which is actually /etc, and now your system is broken. There are some
+mitigations for this exact scenario, such as CWD relative file lookup, but
+they are not guaranteed - any code using absolute paths will not have that
+protection in place.
+
+The same attack could be performed at any point in the directory tree being
+deleted: if 'a' contains a child directory called 'etc', attacking the
+deletion by replacing 'a' with a link is possible.
+
+The new code in this release mitigates the attack within the directory tree
+being deleted by using file-handle relative operations: to open 'a/etc', the
+path 'etc' relative to 'a' is opened, where 'a' is represented by a file
+descriptor (Unix) or handle (Windows). With the exception of the entry points
+into the directory deletion logic, this is robust against manipulation of the
+directory hierarchy, and remove_dir_all will only delete files and directories
+contained in the tree it is deleting.
+
+The entry path however is a challenge - as described above, there are some
+potential mitigations, but since using them must be done by the calling code,
+it is hard to be confident about the security properties of the path based
+interface.
+
+The new extension trait `RemoveDir` provides an interface where it is much
+harder to get it wrong.
+
+`somedir.remove_dir_contents("name-of-child")`.
+
+Callers can then make their own security evaluation about how to securely get
+a directory handle. That is still not particularly obvious, and we're going to
+follow up with a helper of some sort (probably in the `fs_at` crate). Once
+that is available, the path based entry points will get deprecated.
+
+In the interim, processes that might run with elevated privileges should
+figure out how to securely identify the directory they are going to delete, to
+avoid the initial race. Pragmatically, other processes should be fine with the
+path based entry points : this is the same interface `std::fs::remove_dir_all`
+offers, and an unprivileged process running in an attacker controlled
+directory can't do anything that the attacker can't already do.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20230223/crates/rmp-serde/RUSTSEC-2022-0092.md 
new/advisory-db-20230413/crates/rmp-serde/RUSTSEC-2022-0092.md
--- old/advisory-db-20230223/crates/rmp-serde/RUSTSEC-2022-0092.md      
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20230413/crates/rmp-serde/RUSTSEC-2022-0092.md      
2023-04-10 17:47:56.000000000 +0200
@@ -0,0 +1,16 @@
+```toml
+[advisory]
+id = "RUSTSEC-2022-0092"
+package = "rmp-serde"
+date = "2022-04-13"
+url = "https://github.com/3Hren/msgpack-rust/issues/305";
+categories = ["memory-corruption"]
+informational = "unsound"
+
+[versions]
+patched = [">= 1.1.1"]
+```
+
+# `rmp-serde` `Raw` and `RawRef` unsound
+
+It was found that `Raw::from_utf8` expects valid UTF-8. If invalid UTF-8 is 
received it can cause the process to crash.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20230223/crates/spin/RUSTSEC-2023-0031.md 
new/advisory-db-20230413/crates/spin/RUSTSEC-2023-0031.md
--- old/advisory-db-20230223/crates/spin/RUSTSEC-2023-0031.md   1970-01-01 
01:00:00.000000000 +0100
+++ new/advisory-db-20230413/crates/spin/RUSTSEC-2023-0031.md   2023-04-10 
17:47:56.000000000 +0200
@@ -0,0 +1,16 @@
+```toml
+[advisory]
+id = "RUSTSEC-2023-0031"
+package = "spin"
+date = "2023-03-31"
+informational = "unsound"
+url = "https://github.com/mvdnes/spin-rs/issues/148";
+
+[versions]
+patched = [">= 0.9.8"]
+unaffected = ["< 0.9.3"]
+```
+
+# Initialisation failure in `Once::try_call_once` can lead to undefined 
behaviour for other initialisers
+
+`Once::try_call_once` is unsound if invoked more than once concurrently and 
any call fails to initialise successfully.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20230223/crates/stb_image/RUSTSEC-2023-0021.md 
new/advisory-db-20230413/crates/stb_image/RUSTSEC-2023-0021.md
--- old/advisory-db-20230223/crates/stb_image/RUSTSEC-2023-0021.md      
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20230413/crates/stb_image/RUSTSEC-2023-0021.md      
2023-04-10 17:47:56.000000000 +0200
@@ -0,0 +1,18 @@
+```toml
+[advisory]
+id = "RUSTSEC-2023-0021"
+package = "stb_image"
+date = "2023-03-19"
+url = "https://github.com/servo/rust-stb-image/pull/102";
+categories = ["memory-corruption"]
+keywords = ["NULL-pointer-dereference"]
+
+[versions]
+patched = [">= 0.2.5"]
+```
+
+# NULL pointer derefernce in `stb_image`
+
+A bug in error handling in the `stb_image` C library could cause a NULL 
pointer dereference when attempting to load an invalid or unsupported image 
file.  This is fixed in version 0.2.5 and later of the `stb_image` Rust crate, 
by patching the C code to correctly handle NULL pointers.
+
+Thank you to GitHub user 0xdd96 for finding and fixing this vulnerability.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20230223/crates/tauri/RUSTSEC-2022-0091.md 
new/advisory-db-20230413/crates/tauri/RUSTSEC-2022-0091.md
--- old/advisory-db-20230223/crates/tauri/RUSTSEC-2022-0091.md  1970-01-01 
01:00:00.000000000 +0100
+++ new/advisory-db-20230413/crates/tauri/RUSTSEC-2022-0091.md  2023-04-10 
17:47:56.000000000 +0200
@@ -0,0 +1,20 @@
+```toml
+[advisory]
+id = "RUSTSEC-2022-0091"
+package = "tauri"
+date = "2022-09-19"
+url = "https://github.com/tauri-apps/tauri/issues/5234";
+categories = ["privilege-escalation"]
+aliases = ["CVE-2022-41874", "GHSA-q9wv-22m9-vhqh"]
+cvss = "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N"
+
+[versions]
+patched = [">= 1.0.7, < 1.1.0", ">= 1.1.2"]
+unaffected = ["< 1.0.0"]
+```
+
+# `tauri` filesystem scope partial bypass
+
+A bug identified in [this](https://github.com/tauri-apps/tauri/issues/5234) 
issue allows a partial filesystem scope bypass if glob characters are used 
within file dialog or drag-and-drop functionalities.
+
+[This](https://github.com/tauri-apps/tauri/pull/5237) PR fixes the issue by 
escaping glob characters.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20230223/crates/versionize/RUSTSEC-2023-0030.md 
new/advisory-db-20230413/crates/versionize/RUSTSEC-2023-0030.md
--- old/advisory-db-20230223/crates/versionize/RUSTSEC-2023-0030.md     
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20230413/crates/versionize/RUSTSEC-2023-0030.md     
2023-04-10 17:47:56.000000000 +0200
@@ -0,0 +1,21 @@
+```toml
+[advisory]
+id = "RUSTSEC-2023-0030"
+package = "versionize"
+date = "2023-03-24"
+url = "https://github.com/firecracker-microvm/versionize/pull/53";
+categories = ["memory-exposure"]
+cvss = "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L"
+
+aliases = ["GHSA-8vxc-r5wp-vgvc"]
+
+[affected]
+os = ["linux"]
+
+[versions]
+patched = [">= 0.1.10"]
+```
+
+# `Versionize::deserialize` implementation for `FamStructWrapper<T>` is 
lacking bound checks, potentially leading to out of bounds memory accesses 
+
+An issue was discovered in the `Versionize::deserialize` implementation 
provided by the `versionize` crate for `vmm_sys_util::fam::FamStructWrapper`, 
which can lead to out of bounds memory accesses. The impact started with 
version 0.1.1. The issue was corrected in version 0.1.10 by inserting a check 
that verifies, for any deserialized header, the lengths of compared flexible 
arrays are equal and aborting deserialization otherwise.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20230223/crates/wasmtime/RUSTSEC-2022-0076.md 
new/advisory-db-20230413/crates/wasmtime/RUSTSEC-2022-0076.md
--- old/advisory-db-20230223/crates/wasmtime/RUSTSEC-2022-0076.md       
2023-02-14 13:38:31.000000000 +0100
+++ new/advisory-db-20230413/crates/wasmtime/RUSTSEC-2022-0076.md       
2023-04-10 17:47:56.000000000 +0200
@@ -11,10 +11,11 @@
 aliases = ["CVE-2022-39392", "GHSA-44mr-8vmm-wjhg"]
 
 [versions]
-patched = [">= 2.0.2"]
+patched = [">= 1.0.2, < 2.0.0", ">= 2.0.2"]
 
-[affected]
-functions = { "wasmtime::PoolingAllocationConfig::instance_memory_pages" = ["< 
2.0.2"] }
+[affected.functions]
+"wasmtime::PoolingAllocationConfig::instance_memory_pages" = [">= 2.0.0, < 
2.0.2"]
+"wasmtime::Config::allocation_strategy" = ["< 1.0.2"]
 ```
 
 # Bug in Wasmtime implementation of pooling instance allocator
