Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package cargo-audit-advisory-db for openSUSE:Factory checked in at 2023-08-01 15:38:38 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/cargo-audit-advisory-db (Old) and /work/SRC/openSUSE:Factory/.cargo-audit-advisory-db.new.32662 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cargo-audit-advisory-db" Tue Aug 1 15:38:38 2023 rev:34 rq:1101676 version:20230731 Changes: -------- --- /work/SRC/openSUSE:Factory/cargo-audit-advisory-db/cargo-audit-advisory-db.changes 2023-07-11 15:57:29.921239566 +0200 +++ /work/SRC/openSUSE:Factory/.cargo-audit-advisory-db.new.32662/cargo-audit-advisory-db.changes 2023-08-01 15:38:40.441873868 +0200 @@ -1,0 +2,15 @@ +Mon Jul 31 04:07:19 UTC 2023 - william.br...@suse.com + +- Update to version 20230731: + * Update aliases from GHSA OSV export (#1734) + * Assigned RUSTSEC-2023-0048 to intaglio (#1733) + * Add advisory for unsoundness in intaglio symbol interners (#1732) + * Assigned RUSTSEC-2023-0047 to lmdb-rs (#1730) + * report unsoundness of lmdb-rs (#1724) + * Fix typos (#1729) + * Bump rustsec-admin to 0.8.6 (#1728) + * Update aliases from GHSA OSV export (#1727) + * Update RUSTSEC-2021-0145.md with stable IsTerminal (#1725) + * Assigned RUSTSEC-2023-0046 to cyfs-base (#1723) + +------------------------------------------------------------------- Old: ---- advisory-db-20230711.tar.xz New: ---- advisory-db-20230731.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ cargo-audit-advisory-db.spec ++++++ --- /var/tmp/diff_new_pack.XziKuT/_old 2023-08-01 15:38:42.289885312 +0200 +++ /var/tmp/diff_new_pack.XziKuT/_new 2023-08-01 15:38:42.337885609 +0200 @@ -17,7 +17,7 @@ Name: cargo-audit-advisory-db -Version: 20230711 +Version: 20230731 Release: 0 Summary: A database of known security issues for Rust depedencies License: CC0-1.0 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.XziKuT/_old 2023-08-01 15:38:42.689887789 +0200 +++ /var/tmp/diff_new_pack.XziKuT/_new 2023-08-01 15:38:42.721887987 +0200 
@@ -2,7 +2,7 @@ <service mode="disabled" name="obs_scm"> <param name="url">https://github.com/RustSec/advisory-db.git</param> <param name="scm">git</param> - <param name="version">20230711</param> + <param name="version">20230731</param> <param name="revision">main</param> <param name="changesgenerate">enable</param> <param name="changesauthor">william.br...@suse.com</param> ++++++ advisory-db-20230711.tar.xz -> advisory-db-20230731.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20230711/.duplicate-id-guard new/advisory-db-20230731/.duplicate-id-guard --- old/advisory-db-20230711/.duplicate-id-guard 2023-07-08 16:04:33.000000000 +0200 +++ new/advisory-db-20230731/.duplicate-id-guard 2023-07-29 19:20:00.000000000 +0200 @@ -1,3 +1,3 @@ This file causes merge conflicts if two ID assignment jobs run concurrently. This prevents duplicate ID assignment due to a race between those jobs. -aee1905cc6111a8085b4836e39124a2cc0f34e8106f07f116df13ee0057dc8e3 - +c180e114f092d808a8efaab98d0138ec1d49f659bfc4edfb340dd84e2fedd88b - diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20230711/crates/intaglio/RUSTSEC-2023-0048.md new/advisory-db-20230731/crates/intaglio/RUSTSEC-2023-0048.md --- old/advisory-db-20230711/crates/intaglio/RUSTSEC-2023-0048.md 1970-01-01 01:00:00.000000000 +0100 +++ new/advisory-db-20230731/crates/intaglio/RUSTSEC-2023-0048.md 2023-07-29 19:20:00.000000000 +0200 
@@ -0,0 +1,28 @@ +```toml +[advisory] +id = "RUSTSEC-2023-0048" +package = "intaglio" +date = "2023-07-26" +url = "https://github.com/artichoke/intaglio/pull/236" +references = [ + "https://github.com/artichoke/intaglio/issues/235", + "https://github.com/artichoke/intaglio/pull/236", + "https://github.com/artichoke/intaglio/releases/tag/v1.9.0", +] +informational = "unsound" +aliases = ["GHSA-gch5-hwqf-mxhp"] + +[affected] +functions = { "intaglio::SymbolTable::intern" = ["< 1.9.0"], "intaglio::bytes::SymbolTable::intern" = ["< 1.9.0"], "intaglio::cstr::SymbolTable::intern" = ["< 1.9.0, >= 1.5.0"], "intaglio::osstr::SymbolTable::intern" = ["< 1.9.0, >= 1.5.0"], "intaglio::path::SymbolTable::intern" = ["< 1.9.0, >= 1.5.0"] } + +[versions] +patched = [">= 1.9.0"] +``` + +# Unsoundness in `intern` methods on `intaglio` symbol interners + +Affected versions of this crate have a stacked borrows violation when creating +references to interned contents. All interner types are affected. + +The flaw was corrected in version 1.9.0 by reordering move and borrowing +operations and storing interned contents by raw pointer instead of as a `Box`. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20230711/crates/lmdb-rs/RUSTSEC-2023-0047.md new/advisory-db-20230731/crates/lmdb-rs/RUSTSEC-2023-0047.md --- old/advisory-db-20230711/crates/lmdb-rs/RUSTSEC-2023-0047.md 1970-01-01 01:00:00.000000000 +0100 +++ new/advisory-db-20230731/crates/lmdb-rs/RUSTSEC-2023-0047.md 2023-07-29 19:20:00.000000000 +0200 
@@ -0,0 +1,16 @@ +```toml +[advisory] +id = "RUSTSEC-2023-0047" +package = "lmdb-rs" +date = "2023-06-26" +informational = "unsound" +url = "https://github.com/vhbit/lmdb-rs/issues/67" +keywords = ["unsound"] +aliases = ["GHSA-f9g6-fp84-fv92"] + +[versions] +patched = [] +``` + +# impl `FromMdbValue` for bool is unsound +The implementation of `FromMdbValue` have several unsoundness issues. First of all, it allows to reinterpret arbitrary bytes as a bool and could make undefined behavior happen with safe function. Secondly, it allows transmuting pointer without taking memory layout into consideration. The details of reproducing the bug were included in url above. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20230711/crates/stb_image/RUSTSEC-2023-0021.md new/advisory-db-20230731/crates/stb_image/RUSTSEC-2023-0021.md --- old/advisory-db-20230711/crates/stb_image/RUSTSEC-2023-0021.md 2023-07-08 16:04:33.000000000 +0200 +++ new/advisory-db-20230731/crates/stb_image/RUSTSEC-2023-0021.md 2023-07-29 19:20:00.000000000 +0200 @@ -12,7 +12,7 @@ patched = [">= 0.2.5"] ``` -# NULL pointer derefernce in `stb_image` +# NULL pointer dereference in `stb_image` A bug in error handling in the `stb_image` C library could cause a NULL pointer dereference when attempting to load an invalid or unsupported image file. This is fixed in version 0.2.5 and later of the `stb_image` Rust crate, by patching the C code to correctly handle NULL pointers. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20230711/rust/std/CVE-2021-28877.md new/advisory-db-20230731/rust/std/CVE-2021-28877.md --- old/advisory-db-20230711/rust/std/CVE-2021-28877.md 2023-07-08 16:04:33.000000000 +0200 +++ new/advisory-db-20230731/rust/std/CVE-2021-28877.md 2023-07-29 19:20:00.000000000 +0200 
@@ -11,6 +11,6 @@ unaffected = ["< 1.11.0"] ``` -# TrustedRandomAaccess specialization composes incorrectly for nested iter::Zips +# TrustedRandomAccess specialization composes incorrectly for nested iter::Zips -In the standard library in Rust before 1.51.0, the Zip implementation calls __iterator_get_unchecked() for the same index more than once when nested. This bug can lead to a memory safety violation due to an unmet safety requirement for the TrustedRandomAccess trait. +In the standard library in Rust before 1.51.0, the Zip implementation calls `__iterator_get_unchecked()` for the same index more than once when nested. This bug can lead to a memory safety violation due to an unmet safety requirement for the `TrustedRandomAccess` trait. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20230711/rust/std/CVE-2021-29922.md new/advisory-db-20230731/rust/std/CVE-2021-29922.md --- old/advisory-db-20230711/rust/std/CVE-2021-29922.md 2023-07-08 16:04:33.000000000 +0200 +++ new/advisory-db-20230731/rust/std/CVE-2021-29922.md 2023-07-29 19:20:00.000000000 +0200 @@ -20,7 +20,7 @@ Improper input validation of octal strings in rust-lang standard library `net` allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many programs that rely on rust-lang std::net. -IP address octects are left stripped instead of evaluated as valid IP addresses. +IP address octets are left stripped instead of evaluated as valid IP addresses. For example, an attacker submitting an IP address to a web application that relies on `std::net::IpAddr`, could cause SSRF via inputting octal input data; An attacker can submit exploitable IP addresses if the octet is 3 digits,
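Review bot: the unchanged context line "Summary: A database of known security issues for Rust depedencies" in the cargo-audit-advisory-db.spec hunk carries a typo ("depedencies" should be "dependencies"); since the spec is being touched for the version bump anyway, this is a cheap moment to correct the Summary line as well.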
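Review bot: in the _service hunk only `<param name="version">` moves from 20230711 to 20230731 while `<param name="revision">main</param>` stays unpinned, so re-running the obs_scm service later would not reproduce the advisory-db-20230731.tar.xz snapshot; if reproducibility matters, consider pinning `revision` to the upstream commit that the 20230731 tarball was taken from (the service is `mode="disabled"`, so this only affects manual runs, but the version string and the checkout should agree).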
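Review bot: in the new crates/intaglio/RUSTSEC-2023-0048.md the prose says "All interner types are affected" while the `[affected] functions` table gives `< 1.9.0` for `intaglio::SymbolTable::intern` and `intaglio::bytes::SymbolTable::intern` but `< 1.9.0, >= 1.5.0` for the `cstr`, `osstr` and `path` interners; the extra lower bound presumably reflects when those interners were introduced, but saying so in the text (for example "the `cstr`, `osstr` and `path` interners, available from 1.5.0, are affected up to 1.9.0") would stop readers from reading the table as contradicting the prose. The `patched = [">= 1.9.0"]` entry is consistent with the function ranges, and `informational = "unsound"` matches the stacked-borrows description in the body.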
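Review bot: the body of the new crates/lmdb-rs/RUSTSEC-2023-0047.md needs a grammar pass and its last sentence refers to the "url above", which only exists in the TOML front matter and not in the rendered markdown; suggest "The implementation of `FromMdbValue` has several unsoundness issues. First, it allows reinterpreting arbitrary bytes as a `bool`, so undefined behavior can be triggered from safe code. Second, it transmutes pointers without taking memory layout into account." followed by an explicit link to https://github.com/vhbit/lmdb-rs/issues/67 for the reproduction details. The heading names only the `bool` impl while the body also covers the pointer transmute, so either widen the title or split the second issue into its own sentence under it. Also note that `patched = []` makes cargo-audit flag every version of lmdb-rs; that is the right encoding if no fixed release exists, but it is worth confirming against the linked issue before merging.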