On 3/12/21 7:54 PM, Moritz Muehlenhoff wrote:
> Source: rust-rand-core
> Severity: grave
> Tags: security
> X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
>
> Please see:
> https://rustsec.org/advisories/RUSTSEC-2021-0023.html
Thank you for your report. The commit [0] fixed the issue upstream in the `read_u32_into(…)` and the `read_u64_into(…)` functions inside `src/le.rs`. This change was made between the rand_core 0.6.1 and 0.6.2 releases. We have version 0.5.1 of the library in Debian, and the affected code [1] had been refactored before the first 0.6 release.

It is not obvious to me whether the issue is present in that version of the code, due to it effectively being a reimplementation that removes the code marked unsafe that was initially copied over from the byteorder crate, according to a comment. Inside the byteorder crate, the very same code still exists unchanged in the latest release 1.4.3 from 2021-03-10.

At first sight it appears to me that version 0.5.1 does not have the issue, but I'd prefer to have that checked by more eyes.

Wolfgang.

--
[0] https://github.com/rust-random/rand/pull/1096/commits/390a7b1049fa5ba1d627feaef2a1629e0e7826b4
[1] https://sources.debian.org/src/rust-rand-core/0.5.1-1/src/le.rs/
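For readers reviewing the `src/le.rs` helpers named above, the following is an added example written for this thread; it is not rand_core's code from any release and makes no claim about what the fixed or the 0.5.1 code did. It shows the contract a safe little-endian "read into" helper should uphold when it is used to seed an RNG state: the source must carry exactly enough bytes for every output word, and a length mismatch is reported instead of leaving part of the state untouched. The function and type names (`read_u32_into`, `read_u64_into`, `LeError`, `read_u32_into_unchecked`, `demo_short_seed`) and the seed bytes are my own constructed values.

```rust
// Added example for reviewing little-endian "read into" helpers (not rand_core's code).
// The checked helpers reject a source whose length does not match the output exactly;
// the unchecked variant is included only to show why such a check matters in safe Rust.

#[derive(Debug, PartialEq)]
pub enum LeError {
    /// `src` does not hold exactly `need` bytes (`size_of::<word>() * dst.len()`).
    LengthMismatch { have: usize, need: usize },
}

/// Fill `dst` with little-endian u32 words decoded from `src`.
/// Requires `src.len() == 4 * dst.len()`; on mismatch returns an error and
/// leaves `dst` unmodified, so a caller can never end up with a half-filled state.
pub fn read_u32_into(src: &[u8], dst: &mut [u32]) -> Result<(), LeError> {
    let need = dst.len() * 4;
    if src.len() != need {
        return Err(LeError::LengthMismatch { have: src.len(), need });
    }
    for (out, chunk) in dst.iter_mut().zip(src.chunks_exact(4)) {
        // chunks_exact(4) guarantees every chunk has exactly four bytes.
        *out = u32::from_le_bytes([chunk[0], chunk[1], chunk[2], chunk[3]]);
    }
    Ok(())
}

/// Same contract as `read_u32_into`, for u64 words (`src.len() == 8 * dst.len()`).
pub fn read_u64_into(src: &[u8], dst: &mut [u64]) -> Result<(), LeError> {
    let need = dst.len() * 8;
    if src.len() != need {
        return Err(LeError::LengthMismatch { have: src.len(), need });
    }
    for (out, chunk) in dst.iter_mut().zip(src.chunks_exact(8)) {
        let mut bytes = [0u8; 8];
        bytes.copy_from_slice(chunk); // chunk is exactly 8 bytes
        *out = u64::from_le_bytes(bytes);
    }
    Ok(())
}

/// Unchecked variant, constructed for contrast only (not a copy of any release).
/// Without a length check, `zip` stops when the shorter side runs out, so a
/// too-short `src` silently leaves the tail of `dst` holding its previous value.
pub fn read_u32_into_unchecked(src: &[u8], dst: &mut [u32]) {
    for (out, chunk) in dst.iter_mut().zip(src.chunks_exact(4)) {
        *out = u32::from_le_bytes([chunk[0], chunk[1], chunk[2], chunk[3]]);
    }
}

/// Constructed demonstration: seed a 4-word (16-byte) state from only 8 bytes.
/// Returns the state the unchecked variant produced and the checked helper's result.
pub fn demo_short_seed() -> ([u32; 4], Result<(), LeError>) {
    let short_seed = [0x11u8, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88]; // constructed
    let mut state_unchecked = [0u32; 4];
    read_u32_into_unchecked(&short_seed, &mut state_unchecked);
    let mut state_checked = [0u32; 4];
    let result = read_u32_into(&short_seed, &mut state_checked);
    (state_unchecked, result)
}

fn main() {
    let (unchecked, checked) = demo_short_seed();
    println!("unchecked fill of 4 words from 8 bytes: {:08x?}", unchecked);
    println!("checked fill of 4 words from 8 bytes:   {:?}", checked);
}
```

Running it prints a state whose last two words are still zero for the unchecked variant, while the checked helper returns `LengthMismatch { have: 8, need: 16 }`, which is the behaviour a reviewer would want to confirm in whichever version of `le.rs` is under examination.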