From 40afced5fb3168f7cbd652de6cfbe1b5abe44552 Mon Sep 17 00:00:00 2001
From: "Sergey \"Shnatsel\" Davidoff"
Date: Fri, 4 Jun 2021 23:26:23 +0200
Subject: [PATCH] Remove range overlaps, fix some range specifications (#930)

* Drop some clearly redundant bounds
* Fix RUSTSEC-2020-0091 - the version specification was incorrect, marking 1.0.0 as fixed while in reality it was not
* Fix RUSTSEC-2018-0004: presumably any updates to 0.3.x series would also get the fix, it would not be isolated to 0.3.2
* Fix incorrectly defined, overlapping ranges in RUSTSEC-2020-0080 and RUSTSEC-2019-0035
---
 crates/arc-swap/RUSTSEC-2020-0091.md | 2 +-
 crates/claxon/RUSTSEC-2018-0004.md | 2 +-
 crates/cranelift-codegen/RUSTSEC-2021-0067.md | 2 +-
 crates/miow/RUSTSEC-2020-0080.md | 2 +-
 crates/rand_core/RUSTSEC-2019-0035.md | 2 +-
 crates/trust-dns-proto/RUSTSEC-2018-0007.md | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/crates/arc-swap/RUSTSEC-2020-0091.md b/crates/arc-swap/RUSTSEC-2020-0091.md
index f65fc35e..dcc9ea75 100644
--- a/crates/arc-swap/RUSTSEC-2020-0091.md
+++ b/crates/arc-swap/RUSTSEC-2020-0091.md
@@ -9,7 +9,7 @@ keywords = ["dangling reference"]
 aliases = ["CVE-2020-35711"]
 
 [versions]
-patched = [">= 1.1.0", ">= 0.4.8"]
+patched = [">= 0.4.8, < 1.0.0-0", ">= 1.1.0"]
 unaffected = ["< 0.4.2"]
 
 [affected]
diff --git a/crates/claxon/RUSTSEC-2018-0004.md b/crates/claxon/RUSTSEC-2018-0004.md
index 41f70ec5..d599147b 100644
--- a/crates/claxon/RUSTSEC-2018-0004.md
+++ b/crates/claxon/RUSTSEC-2018-0004.md
@@ -8,7 +8,7 @@ keywords = ["uninitialized-memory"]
 url = "https://github.com/ruuda/claxon/commit/8f28ec275e412dd3af4f3cda460605512faf332c"
 
 [versions]
-patched = ["=0.3.2", ">= 0.4.1"]
+patched = ["^0.3.2", ">= 0.4.1"]
 ```
 
 # Malicious input could cause uninitialized memory to be exposed
diff --git a/crates/cranelift-codegen/RUSTSEC-2021-0067.md b/crates/cranelift-codegen/RUSTSEC-2021-0067.md
index 41be609f..612d33ca 100644
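Review bot: The `< 1.0.0-0` upper bound on the new `patched` line is the only `-0` pre-release sentinel in this commit and nothing in the file says why it is spelled that way, so a later editor is likely to "tidy" it to `< 1.0.0`; whether the two forms differ depends on how the advisory matcher treats pre-release versions, which I cannot confirm from the hunk. The commit message explains the intent (1.0.0 shipped without the fix, 1.1.0 is the first patched 1.x), but that context is lost once the change is merged. If the advisory front matter tolerates TOML comments, a one-line comment above `patched` would carry it, e.g. `# 1.0.0 shipped without the fix; 1.1.0 is the first patched 1.x release`.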
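Review bot: The caret requirement is spelled without a space here (`^0.3.2`) but with one in the miow hunk (`^ 0.2.2`) and the rand_core hunk (`^ 0.3.1`), all introduced by this same commit. The existing `>= 0.4.1` entries on these lines suggest whitespace after an operator is accepted by the parser, so this is presumably a style point only, but one spelling across the database keeps grep-based audits of version ranges reliable. I would write `^0.2.2` and `^0.3.1` to match this line, or `^ 0.3.2` here if the spaced form is the house style.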
--- a/crates/cranelift-codegen/RUSTSEC-2021-0067.md
+++ b/crates/cranelift-codegen/RUSTSEC-2021-0067.md
@@ -9,7 +9,7 @@ keywords = ["miscompile", "sandbox", "wasm"]
 aliases = ["CVE-2021-32629"]
 
 [versions]
-patched = [">= 0.73.1", ">= 0.74"]
+patched = [">= 0.73.1"]
 
 [affected]
 arch = ["x86"]
diff --git a/crates/miow/RUSTSEC-2020-0080.md b/crates/miow/RUSTSEC-2020-0080.md
index 4e127ce1..0eac5222 100644
--- a/crates/miow/RUSTSEC-2020-0080.md
+++ b/crates/miow/RUSTSEC-2020-0080.md
@@ -9,7 +9,7 @@ keywords = ["memory", "layout", "cast"]
 informational = "unsound"
 
 [versions]
-patched = [">= 0.2.2", ">= 0.3.6"]
+patched = ["^ 0.2.2", ">= 0.3.6"]
 ```
 
 # `miow` invalidly assumes the memory layout of std::net::SocketAddr
diff --git a/crates/rand_core/RUSTSEC-2019-0035.md b/crates/rand_core/RUSTSEC-2019-0035.md
index d96bf3ce..b84e5124 100644
--- a/crates/rand_core/RUSTSEC-2019-0035.md
+++ b/crates/rand_core/RUSTSEC-2019-0035.md
@@ -12,7 +12,7 @@ url = "https://github.com/rust-random/rand/blob/master/rand_core/CHANGELOG.md#05
 "rand_core::BlockRng::next_u64" = ["< 0.4.2"]
 
 [versions]
-patched = [">= 0.3.1", ">= 0.4.2"]
+patched = ["^ 0.3.1", ">= 0.4.2"]
 ```
 
 # Unaligned memory access
diff --git a/crates/trust-dns-proto/RUSTSEC-2018-0007.md b/crates/trust-dns-proto/RUSTSEC-2018-0007.md
index 339d5fa4..e38d6d93 100644
--- a/crates/trust-dns-proto/RUSTSEC-2018-0007.md
+++ b/crates/trust-dns-proto/RUSTSEC-2018-0007.md
@@ -7,7 +7,7 @@ date = "2018-10-09"
 keywords = ["stack-overflow", "crash"]
 
 [versions]
-patched = ["^0.4.3", ">= 0.5.0-alpha.3"]
+patched = [">= 0.4.3"]
 ```
 
 # Stack overflow when parsing malicious DNS packet
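Review bot: Collapsing the trust-dns-proto `patched` list to `>= 0.4.3` removes the only comparator that named a pre-release, and under the usual Rust semver rule a pre-release version only satisfies a requirement when some comparator carries a pre-release on the same major.minor.patch; if the advisory matcher follows that rule, `0.5.0-alpha.3` and the later alphas that `>= 0.5.0-alpha.3` used to mark as patched would now fall outside `patched` and be reported as affected. That is a false positive rather than a missed vulnerability, but it is a behaviour change the "clearly redundant" wording in the commit message does not account for, and it is the opposite of the care taken with `< 1.0.0-0` in the arc-swap hunk. If those pre-releases matter, keep both entries: `patched = [">= 0.4.3", ">= 0.5.0-alpha.3"]`; otherwise it is worth confirming against the matcher's pre-release handling before merging.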