diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml index 64895439..979605e0 100644 --- a/.github/workflows/validate.yml +++ b/.github/workflows/validate.yml @@ -16,12 +16,12 @@ jobs: uses: actions/cache@v1 with: path: ~/.cargo/bin - key: rustsec-admin-v0.2.0 + key: rustsec-admin-v0.3.0-pre - name: Install rustsec-admin run: | if [ ! -f $HOME/.cargo/bin/rustsec-admin ]; then - cargo install rustsec-admin + cargo install rustsec-admin --vers 0.3.0-pre fi - name: Lint advisories diff --git a/crates/actix-codec/RUSTSEC-2020-0049.toml b/crates/actix-codec/RUSTSEC-2020-0049.md similarity index 86% rename from crates/actix-codec/RUSTSEC-2020-0049.toml rename to crates/actix-codec/RUSTSEC-2020-0049.md index 7c90890e..5ecce1c1 100644 --- a/crates/actix-codec/RUSTSEC-2020-0049.toml +++ b/crates/actix-codec/RUSTSEC-2020-0049.md @@ -1,17 +1,18 @@ +```toml [advisory] id = "RUSTSEC-2020-0049" package = "actix-codec" -date = "2020-01-30" -title = "Use-after-free in Framed due to lack of pinning" -url = "https://github.com/actix/actix-net/issues/91" categories = ["memory-corruption"] +date = "2020-01-30" +url = "https://github.com/actix/actix-net/issues/91" + +[versions] +patched = [">= 0.3.0-beta.1"] +``` + +# Use-after-free in Framed due to lack of pinning -description = """ Affected versions of this crate did not require the buffer wrapped in `Framed` to be pinned, but treated it as if it had a fixed location in memory. This may result in a use-after-free. The flaw was corrected by making the affected functions accept `Pin<&mut Self>` instead of `&mut self`. -""" - -[versions] -patched = [">= 0.3.0-beta.1"] diff --git a/crates/actix-http/RUSTSEC-2020-0048.toml b/crates/actix-http/RUSTSEC-2020-0048.md similarity index 78% rename from crates/actix-http/RUSTSEC-2020-0048.toml rename to crates/actix-http/RUSTSEC-2020-0048.md index e5a42d24..a553f50d 100644 --- a/crates/actix-http/RUSTSEC-2020-0048.toml +++ b/crates/actix-http/RUSTSEC-2020-0048.md 
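Review bot: `cargo install rustsec-admin --vers 0.3.0-pre` still resolves the tool's dependency tree against the live registry at install time, so the binary that the cache key `rustsec-admin-v0.3.0-pre` stands for is not actually determined by that key — two cold runs of this step can build different linters from the same pin. Add `--locked` so the crate's shipped lockfile is honoured, i.e. `cargo install rustsec-admin --vers 0.3.0-pre --locked` (this assumes the published crate includes its `Cargo.lock`, which cargo does for crates with binaries). Pinning a `-pre` build is reasonable for the format transition, but leave a `# TODO: move to released 0.3.0` comment next to the cache key so the pre-release does not linger in the cache indefinitely. The job definition this step belongs to continues outside the hunk.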
@@ -1,19 +1,19 @@ +```toml [advisory] id = "RUSTSEC-2020-0048" package = "actix-http" -date = "2020-01-24" -title = "Use-after-free in BodyStream due to lack of pinning" -url = "https://github.com/actix/actix-web/issues/1321" categories = ["memory-corruption"] +date = "2020-01-24" +url = "https://github.com/actix/actix-web/issues/1321" + +[versions] +patched = [">= 2.0.0-alpha.1"] +``` + +# Use-after-free in BodyStream due to lack of pinning -description = """ Affected versions of this crate did not require the buffer wrapped in `BodyStream` to be pinned, but treated it as if it had a fixed location in memory. This may result in a use-after-free. The flaw was corrected by making the trait `MessageBody` require `Unpin` and making `poll_next()` function accept `Pin<&mut Self>` instead of `&mut self`. -""" - -# Versions which include fixes for this vulnerability (mandatory) -[versions] -patched = [">= 2.0.0-alpha.1"] diff --git a/crates/actix-service/RUSTSEC-2020-0046.toml b/crates/actix-service/RUSTSEC-2020-0046.md similarity index 83% rename from crates/actix-service/RUSTSEC-2020-0046.toml rename to crates/actix-service/RUSTSEC-2020-0046.md index 4bb73f1b..ff0b7740 100644 --- a/crates/actix-service/RUSTSEC-2020-0046.toml +++ b/crates/actix-service/RUSTSEC-2020-0046.md @@ -1,14 +1,18 @@ +```toml [advisory] id = "RUSTSEC-2020-0046" package = "actix-service" -date = "2020-01-08" - -title = "bespoke Cell implementation allows obtaining several mutable references to the same data" -url = "https://github.com/actix/actix-net/pull/158" categories = ["memory-corruption"] +date = "2020-01-08" informational = "unsound" +url = "https://github.com/actix/actix-net/pull/158" + +[versions] +patched = [">= 1.0.6"] +``` + +# bespoke Cell implementation allows obtaining several mutable references to the same data -description = """ The custom implementation of a Cell primitive in the affected versions of this crate does not keep track of mutable references to the underlying data. 
@@ -16,7 +20,3 @@ This allows obtaining several mutable references to the same object which may result in arbitrary memory corruption, most likely use-after-free. The flaw was corrected by switching from a bespoke `Cell` implementation to `Rc>`. -""" - -[versions] -patched = [">= 1.0.6"] diff --git a/crates/actix-utils/RUSTSEC-2020-0045.toml b/crates/actix-utils/RUSTSEC-2020-0045.md similarity index 83% rename from crates/actix-utils/RUSTSEC-2020-0045.toml rename to crates/actix-utils/RUSTSEC-2020-0045.md index 22e0af8c..dbdb7424 100644 --- a/crates/actix-utils/RUSTSEC-2020-0045.toml +++ b/crates/actix-utils/RUSTSEC-2020-0045.md @@ -1,14 +1,18 @@ +```toml [advisory] id = "RUSTSEC-2020-0045" package = "actix-utils" -date = "2020-01-08" - -title = "bespoke Cell implementation allows obtaining several mutable references to the same data" -url = "https://github.com/actix/actix-net/issues/160" categories = ["memory-corruption"] +date = "2020-01-08" informational = "unsound" +url = "https://github.com/actix/actix-net/issues/160" + +[versions] +patched = [">= 2.0.0"] +``` + +# bespoke Cell implementation allows obtaining several mutable references to the same data -description = """ The custom implementation of a Cell primitive in the affected versions of this crate does not keep track of mutable references to the underlying data. @@ -16,7 +20,3 @@ This allows obtaining several mutable references to the same object which may result in arbitrary memory corruption, most likely use-after-free. The flaw was corrected by switching from a bespoke `Cell` implementation to `Rc>`. -""" - -[versions] -patched = [">= 2.0.0"] diff --git a/crates/actix-web/RUSTSEC-2018-0019.toml b/crates/actix-web/RUSTSEC-2018-0019.md similarity index 91% rename from crates/actix-web/RUSTSEC-2018-0019.toml rename to crates/actix-web/RUSTSEC-2018-0019.md index 2585b67c..b529ab68 100644 --- a/crates/actix-web/RUSTSEC-2018-0019.toml +++ b/crates/actix-web/RUSTSEC-2018-0019.md 
@@ -1,11 +1,17 @@ +```toml [advisory] id = "RUSTSEC-2018-0019" package = "actix-web" -date = "2018-06-08" -title = "Multiple memory safety issues" -url = "https://github.com/actix/actix-web/issues/289" categories = ["memory-corruption"] -description = """ +date = "2018-06-08" +url = "https://github.com/actix/actix-web/issues/289" + +[versions] +patched = [">= 0.7.15"] +``` + +# Multiple memory safety issues + Affected versions contain multiple memory safety issues, such as: - Unsoundly coercing immutable references to mutable references @@ -15,7 +21,3 @@ Affected versions contain multiple memory safety issues, such as: This may result in a variety of memory corruption scenarios, most likely use-after-free. A signficant refactoring effort has been conducted to resolve these issues. -""" - -[versions] -patched = [">= 0.7.15"] diff --git a/crates/alg_ds/RUSTSEC-2020-0033.toml b/crates/alg_ds/RUSTSEC-2020-0033.md similarity index 84% rename from crates/alg_ds/RUSTSEC-2020-0033.toml rename to crates/alg_ds/RUSTSEC-2020-0033.md index 6c69e0ce..ac258810 100644 --- a/crates/alg_ds/RUSTSEC-2020-0033.toml +++ b/crates/alg_ds/RUSTSEC-2020-0033.md @@ -1,13 +1,15 @@ +```toml [advisory] id = "RUSTSEC-2020-0033" package = "alg_ds" date = "2020-08-25" -title = "Matrix::new() drops uninitialized memory" url = "https://gitlab.com/dvshapkin/alg-ds/-/issues/1" -description = """ -`Matrix::new()` internally calls `Matrix::fill_with()` which uses `*ptr = value` pattern to initialize the buffer. -This pattern assumes that there is an initialized struct at the address and drops it, which results in dropping of uninitialized struct. -""" [versions] patched = [] +``` + +# Matrix::new() drops uninitialized memory + +`Matrix::new()` internally calls `Matrix::fill_with()` which uses `*ptr = value` pattern to initialize the buffer. +This pattern assumes that there is an initialized struct at the address and drops it, which results in dropping of uninitialized struct. 
diff --git a/crates/alpm-rs/RUSTSEC-2020-0032.toml b/crates/alpm-rs/RUSTSEC-2020-0032.md similarity index 81% rename from crates/alpm-rs/RUSTSEC-2020-0032.toml rename to crates/alpm-rs/RUSTSEC-2020-0032.md index 2adffd64..37bded73 100644 --- a/crates/alpm-rs/RUSTSEC-2020-0032.toml +++ b/crates/alpm-rs/RUSTSEC-2020-0032.md @@ -1,14 +1,16 @@ +```toml [advisory] id = "RUSTSEC-2020-0032" package = "alpm-rs" date = "2020-08-20" informational = "unsound" -title = "StrcCtx deallocates a memory region that it doesn't own" url = "https://github.com/pigeonhands/rust-arch/issues/2" -description = """ -`StrcCtx` deallocate a memory region that it doesn't own when `StrcCtx` is created without using `StrcCtx::new`. -This can introduce memory safety issues such as double-free and use-after-free to client programs. -""" [versions] patched = [] +``` + +# StrcCtx deallocates a memory region that it doesn't own + +`StrcCtx` deallocate a memory region that it doesn't own when `StrcCtx` is created without using `StrcCtx::new`. +This can introduce memory safety issues such as double-free and use-after-free to client programs. diff --git a/crates/ammonia/RUSTSEC-2019-0001.toml b/crates/ammonia/RUSTSEC-2019-0001.md similarity index 87% rename from crates/ammonia/RUSTSEC-2019-0001.toml rename to crates/ammonia/RUSTSEC-2019-0001.md index aa6fb9d3..12e389d3 100644 --- a/crates/ammonia/RUSTSEC-2019-0001.toml +++ b/crates/ammonia/RUSTSEC-2019-0001.md 
@@ -1,11 +1,23 @@ +```toml [advisory] id = "RUSTSEC-2019-0001" package = "ammonia" +aliases = ["CVE-2019-15542"] date = "2019-04-27" -title = "Uncontrolled recursion leads to abort in HTML serialization" -url = "https://github.com/rust-ammonia/ammonia/blob/master/CHANGELOG.md#210" keywords = ["stack-overflow", "crash"] -description = """ +url = "https://github.com/rust-ammonia/ammonia/blob/master/CHANGELOG.md#210" + +[affected.functions] +"ammonia::Document::to_string" = ["< 2.1.0"] +"ammonia::Document::write_to" = ["< 2.1.0"] +"ammonia::clean" = ["< 2.1.0"] + +[versions] +patched = [">= 2.1.0"] +``` + +# Uncontrolled recursion leads to abort in HTML serialization + Affected versions of this crate did use recursion for serialization of HTML DOM trees. @@ -13,13 +25,3 @@ This allows an attacker to cause abort due to stack overflow by providing a pathologically nested input. The flaw was corrected by serializing the DOM tree iteratively instead. -""" -aliases = ["CVE-2019-15542"] - -[affected.functions] -"ammonia::clean" = ["< 2.1.0"] -"ammonia::Document::to_string" = ["< 2.1.0"] -"ammonia::Document::write_to" = ["< 2.1.0"] - -[versions] -patched = [">= 2.1.0"] diff --git a/crates/arr/RUSTSEC-2020-0034.toml b/crates/arr/RUSTSEC-2020-0034.md similarity index 78% rename from crates/arr/RUSTSEC-2020-0034.toml rename to crates/arr/RUSTSEC-2020-0034.md index 8b93e4f1..88b06d84 100644 --- a/crates/arr/RUSTSEC-2020-0034.toml +++ b/crates/arr/RUSTSEC-2020-0034.md 
@@ -1,16 +1,18 @@ +```toml [advisory] id = "RUSTSEC-2020-0034" package = "arr" date = "2020-08-25" -title = "Multiple security issues including data race, buffer overflow, and uninitialized memory drop" url = "https://github.com/sjep/array/issues/1" -description = """ + +[versions] +patched = [] +``` + +# Multiple security issues including data race, buffer overflow, and uninitialized memory drop + `arr` crate contains multiple security issues. Specifically, 1. It incorrectly implements Sync/Send bounds, which allows to smuggle non-Sync/Send types across the thread boundary. 2. `Index` and `IndexMut` implementation does not check the array bound. 3. `Array::new_from_template()` drops uninitialized memory. -""" - -[versions] -patched = [] diff --git a/crates/array-queue/RUSTSEC-2020-0047.toml b/crates/array-queue/RUSTSEC-2020-0047.md similarity index 85% rename from crates/array-queue/RUSTSEC-2020-0047.toml rename to crates/array-queue/RUSTSEC-2020-0047.md index 76841990..4b617657 100644 --- a/crates/array-queue/RUSTSEC-2020-0047.toml +++ b/crates/array-queue/RUSTSEC-2020-0047.md @@ -1,17 +1,18 @@ +```toml [advisory] id = "RUSTSEC-2020-0047" package = "array-queue" date = "2020-09-26" -title = "array_queue pop_back() may cause a use-after-free" +keywords = ["memory-corruption", "uninitialized-memory", "use-after-free"] url = "https://github.com/raviqqe/array-queue/issues/2" -description = """ + +[versions] +patched = [] +unaffected = ["< 0.3.0"] +``` + +# array_queue pop_back() may cause a use-after-free + array_queue implements a circular queue that wraps around an array. However, it fails to properly index into the array in the `pop_back` function allowing the reading of previously dropped or uninitialized memory. -""" -keywords = ["memory-corruption", "uninitialized-memory", "use-after-free"] - -[versions] - -patched = [] -unaffected = ["< 0.3.0"] 
diff --git a/crates/arrayfire/RUSTSEC-2018-0011.toml b/crates/arrayfire/RUSTSEC-2018-0011.md similarity index 90% rename from crates/arrayfire/RUSTSEC-2018-0011.toml rename to crates/arrayfire/RUSTSEC-2018-0011.md index ee13eb60..9b7a05fd 100644 --- a/crates/arrayfire/RUSTSEC-2018-0011.toml +++ b/crates/arrayfire/RUSTSEC-2018-0011.md @@ -1,12 +1,24 @@ +```toml [advisory] id = "RUSTSEC-2018-0011" package = "arrayfire" -date = "2018-12-18" -title = "Enum repr causing potential memory corruption" -url = "https://github.com/arrayfire/arrayfire-rust/pull/177" +aliases = ["CVE-2018-20998"] categories = ["memory-corruption"] +date = "2018-12-18" keywords = ["enum", "repr"] -description = """ +url = "https://github.com/arrayfire/arrayfire-rust/pull/177" + +[affected] +arch = ["x86_64"] +os = ["windows"] + +[versions] +patched = [">= 3.6.0"] +unaffected = ["<= 3.5.0"] +``` + +# Enum repr causing potential memory corruption + The attribute repr() added to enums to be compatible with C-FFI caused memory corruption on MSVC toolchain. @@ -17,13 +29,3 @@ Rust version 1.28. The issue seems to be interlinked with which version of Rust is being used. The issue was fixed in crate 3.6.0. -""" -aliases = ["CVE-2018-20998"] - -[versions] -patched = [">= 3.6.0"] -unaffected = ["<= 3.5.0"] - -[affected] -arch = ["x86_64"] -os = ["windows"] diff --git a/crates/asn1_der/RUSTSEC-2019-0007.toml b/crates/asn1_der/RUSTSEC-2019-0007.md similarity index 83% rename from crates/asn1_der/RUSTSEC-2019-0007.toml rename to crates/asn1_der/RUSTSEC-2019-0007.md index 31be2723..93e804b4 100644 --- a/crates/asn1_der/RUSTSEC-2019-0007.toml +++ b/crates/asn1_der/RUSTSEC-2019-0007.md 
@@ -1,18 +1,20 @@ +```toml [advisory] id = "RUSTSEC-2019-0007" package = "asn1_der" +aliases = ["CVE-2019-15549"] date = "2019-06-13" -title = "Processing of maliciously crafted length fields causes memory allocation SIGABRTs" -url = "https://github.com/KizzyCode/asn1_der/issues/1" keywords = ["dos"] -description = """ +url = "https://github.com/KizzyCode/asn1_der/issues/1" + +[versions] +patched = [">= 0.6.2"] +``` + +# Processing of maliciously crafted length fields causes memory allocation SIGABRTs + Affected versions of this crate tried to preallocate a vector for an arbitrary amount of bytes announced by the ASN.1-DER length field without further checks. This allows an attacker to trigger a SIGABRT by creating length fields that announce more bytes than the allocator can provide. The flaw was corrected by not preallocating memory. -""" -aliases = ["CVE-2019-15549"] - -[versions] -patched = [">= 0.6.2"] diff --git a/crates/atom/RUSTSEC-2020-0044.toml b/crates/atom/RUSTSEC-2020-0044.md similarity index 82% rename from crates/atom/RUSTSEC-2020-0044.toml rename to crates/atom/RUSTSEC-2020-0044.md index b2bfde2f..02b9916f 100644 --- a/crates/atom/RUSTSEC-2020-0044.toml +++ b/crates/atom/RUSTSEC-2020-0044.md 
@@ -1,15 +1,17 @@ +```toml [advisory] id = "RUSTSEC-2020-0044" package = "atom" date = "2020-09-21" informational = "unsound" -title = "Unsafe Send implementation in Atom allows data races" url = "https://github.com/slide-rs/atom/issues/13" -description = """ -The `atom` crate contains a security issue revolving around its implementation -of the Send trait. It incorrectly allows any arbitrary type to be sent across -threads potentially leading to use-after-free issues through memory races. -""" [versions] patched = [] +``` + +# Unsafe Send implementation in Atom allows data races + +The `atom` crate contains a security issue revolving around its implementation +of the Send trait. It incorrectly allows any arbitrary type to be sent across +threads potentially leading to use-after-free issues through memory races. diff --git a/crates/base64/RUSTSEC-2017-0004.toml b/crates/base64/RUSTSEC-2017-0004.md similarity index 88% rename from crates/base64/RUSTSEC-2017-0004.toml rename to crates/base64/RUSTSEC-2017-0004.md index af0fa6af..88bcea3b 100644 --- a/crates/base64/RUSTSEC-2017-0004.toml +++ b/crates/base64/RUSTSEC-2017-0004.md 
@@ -1,12 +1,18 @@ +```toml [advisory] id = "RUSTSEC-2017-0004" package = "base64" -date = "2017-05-03" -url = "https://github.com/alicemaz/rust-base64/commit/24ead980daf11ba563e4fb2516187a56a71ad319" -title = "Integer overflow leads to heap-based buffer overflow in encode_config_buf" -keywords = ["memory-corruption"] aliases = ["CVE-2017-1000430"] -description = """ +date = "2017-05-03" +keywords = ["memory-corruption"] +url = "https://github.com/alicemaz/rust-base64/commit/24ead980daf11ba563e4fb2516187a56a71ad319" + +[versions] +patched = [">= 0.5.2"] +``` + +# Integer overflow leads to heap-based buffer overflow in encode_config_buf + Affected versions of this crate suffered from an integer overflow bug when calculating the size of a buffer to use when encoding base64 using the `encode_config_buf` and `encode_config` functions. If the input string @@ -17,7 +23,3 @@ and possibly the execution of arbitrary code. This flaw was corrected by using checked arithmetic to calculate the size of the buffer. -""" - -[versions] -patched = [">= 0.5.2"] diff --git a/crates/bigint/RUSTSEC-2020-0025.toml b/crates/bigint/RUSTSEC-2020-0025.md similarity index 84% rename from crates/bigint/RUSTSEC-2020-0025.toml rename to crates/bigint/RUSTSEC-2020-0025.md index 55f3814c..15412124 100644 --- a/crates/bigint/RUSTSEC-2020-0025.toml +++ b/crates/bigint/RUSTSEC-2020-0025.md 
@@ -1,14 +1,16 @@ +```toml [advisory] id = "RUSTSEC-2020-0025" package = "bigint" -title = "bigint is unmaintained, use uint instead" -informational = "unmaintained" date = "2020-05-07" +informational = "unmaintained" url = "https://github.com/paritytech/bigint/commit/7e71521a61b009afc94c91135353102658550d42" -description = """ -The `bigint` crate is not maintained any more and contains several known bugs (including a soundness bug); -use [`uint`](https://crates.io/crates/uint) instead. -""" [versions] patched = [] +``` + +# bigint is unmaintained, use uint instead + +The `bigint` crate is not maintained any more and contains several known bugs (including a soundness bug); +use [`uint`](https://crates.io/crates/uint) instead. diff --git a/crates/bitvec/RUSTSEC-2020-0007.toml b/crates/bitvec/RUSTSEC-2020-0007.md similarity index 86% rename from crates/bitvec/RUSTSEC-2020-0007.toml rename to crates/bitvec/RUSTSEC-2020-0007.md index caf27cb6..a1e078d0 100644 --- a/crates/bitvec/RUSTSEC-2020-0007.toml +++ b/crates/bitvec/RUSTSEC-2020-0007.md @@ -1,15 +1,10 @@ +```toml [advisory] id = "RUSTSEC-2020-0007" package = "bitvec" -date = "2020-03-27" -title = "use-after or double free of allocated memory" -url = "https://github.com/myrrlyn/bitvec/issues/55" categories = ["memory-corruption"] -description = """ -Conversion of `BitVec` to `BitBox` did not account for allocation movement. - -The flaw was corrected by using the address after resizing, rather than the original base address. -""" +date = "2020-03-27" +url = "https://github.com/myrrlyn/bitvec/issues/55" [affected.functions] "bitvec::vec::BitVec::into_boxed_bitslice" = ["< 0.17.4, >= 0.11.0"] 
@@ -17,3 +12,10 @@ The flaw was corrected by using the address after resizing, rather than the orig [versions] patched = [">= 0.17.4"] unaffected = ["< 0.11.0"] +``` + +# use-after or double free of allocated memory + +Conversion of `BitVec` to `BitBox` did not account for allocation movement. + +The flaw was corrected by using the address after resizing, rather than the original base address. diff --git a/crates/blake2/RUSTSEC-2019-0019.toml b/crates/blake2/RUSTSEC-2019-0019.md similarity index 90% rename from crates/blake2/RUSTSEC-2019-0019.toml rename to crates/blake2/RUSTSEC-2019-0019.md index 70d7db5e..c61f507c 100644 --- a/crates/blake2/RUSTSEC-2019-0019.toml +++ b/crates/blake2/RUSTSEC-2019-0019.md @@ -1,11 +1,18 @@ +```toml [advisory] id = "RUSTSEC-2019-0019" package = "blake2" -date = "2019-08-25" -title = "HMAC-BLAKE2 algorithms compute incorrect results" -url = "https://github.com/RustCrypto/MACs/issues/19" +aliases = ["CVE-2019-16143"] categories = ["crypto-failure"] -description = """ +date = "2019-08-25" +url = "https://github.com/RustCrypto/MACs/issues/19" + +[versions] +patched = [">= 0.8.1"] +``` + +# HMAC-BLAKE2 algorithms compute incorrect results + When used in conjunction with the Hash-based Message Authentication Code (HMAC), the BLAKE2b and BLAKE2s implementations in `blake2` crate versions prior to v0.8.1 used an incorrect block size (32-bytes instead of 64-bytes for BLAKE2s, @@ -16,8 +23,3 @@ The v0.8.1 release of the `blake2` crate uses the correct block sizes. Note that this advisory only impacts usage of BLAKE2 with HMAC, and does not impact `Digest` functionality. -""" -aliases = ["CVE-2019-16143"] - -[versions] -patched = [">= 0.8.1"] diff --git a/crates/block-cipher-trait/RUSTSEC-2020-0018.toml b/crates/block-cipher-trait/RUSTSEC-2020-0018.md similarity index 84% rename from crates/block-cipher-trait/RUSTSEC-2020-0018.toml rename to crates/block-cipher-trait/RUSTSEC-2020-0018.md index f7e2c01b..827dc956 100644 
--- a/crates/block-cipher-trait/RUSTSEC-2020-0018.toml +++ b/crates/block-cipher-trait/RUSTSEC-2020-0018.md @@ -1,18 +1,20 @@ +```toml [advisory] id = "RUSTSEC-2020-0018" package = "block-cipher-trait" -title = "crate has been renamed to `block-cipher`" -informational = "unmaintained" date = "2020-05-26" +informational = "unmaintained" url = "https://github.com/RustCrypto/traits/pull/139" -description = """ + +[versions] +patched = [] +unaffected = [] +``` + +# crate has been renamed to `block-cipher` + This crate has been renamed from `block-cipher-trait` to `block-cipher`. The new repository location is at: -""" - -[versions] -patched = [] -unaffected = [] diff --git a/crates/bumpalo/RUSTSEC-2020-0006.toml b/crates/bumpalo/RUSTSEC-2020-0006.md similarity index 95% rename from crates/bumpalo/RUSTSEC-2020-0006.toml rename to crates/bumpalo/RUSTSEC-2020-0006.md index d933c55c..a58fb443 100644 --- a/crates/bumpalo/RUSTSEC-2020-0006.toml +++ b/crates/bumpalo/RUSTSEC-2020-0006.md @@ -1,11 +1,18 @@ +```toml [advisory] id = "RUSTSEC-2020-0006" package = "bumpalo" -date = "2020-03-24" -title = "Flaw in `realloc` allows reading unknown memory" -url = "https://github.com/fitzgen/bumpalo/issues/69" categories = ["memory-exposure"] -description = """ +date = "2020-03-24" +url = "https://github.com/fitzgen/bumpalo/issues/69" + +[versions] +patched = [">= 3.2.1"] +unaffected = ["< 3.0.0"] +``` + +# Flaw in `realloc` allows reading unknown memory + When `realloc`ing, if we allocate new space, we need to copy the old allocation's bytes into the new space. There are `old_size` number of bytes in the old allocation, but we were accidentally copying `new_size` number of bytes, @@ -35,8 +42,3 @@ additional steps: can only be indirectly called. This new quickcheck test exercises `realloc` via `bumpalo::collections::Vec::resize` and `bumpalo::collections::Vec::shrink_to_fit` calls. -""" - -[versions] -patched = [">= 3.2.1"] -unaffected = ["< 3.0.0"] 
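Review bot: The advisory body ends at `The new repository location is at:` with nothing following it in this hunk, so the rename notice tells readers to migrate without saying where. If the link is present in the file and only dropped by the rendering here, disregard; otherwise this conversion is the moment to put the new crate's location on that line, since the markdown body is now the text users will see. Separately, `unaffected = []` in the front matter carries no information and none of the other unmaintained entries in this change (`bigint`, `cassandra`, `chan`) write an empty list — drop the line.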
diff --git a/crates/cassandra/RUSTSEC-2016-0006.toml b/crates/cassandra/RUSTSEC-2016-0006.md similarity index 73% rename from crates/cassandra/RUSTSEC-2016-0006.toml rename to crates/cassandra/RUSTSEC-2016-0006.md index 6d4171b8..256ccb32 100644 --- a/crates/cassandra/RUSTSEC-2016-0006.toml +++ b/crates/cassandra/RUSTSEC-2016-0006.md @@ -1,19 +1,21 @@ +```toml [advisory] id = "RUSTSEC-2016-0006" package = "cassandra" -title = "`cassandra` crate is unmaintained; use `cassandra-cpp` instead" -informational = "unmaintained" date = "2016-12-15" +informational = "unmaintained" url = "https://github.com/tupshin/cassandra-rs/issues/52" -description = """ + +[versions] +patched = [] +unaffected = ["> 0.8.1"] +``` + +# `cassandra` crate is unmaintained; use `cassandra-cpp` instead + The `cassandra` crate has not seen a release since December 2016, and its author is unresponsive. The `cassandra-cpp` crate is a maintained fork: https://github.com/Metaswitch/cassandra-rs -""" - -[versions] -patched = [] -unaffected = ["> 0.8.1"] # last release diff --git a/crates/cbox/RUSTSEC-2020-0005.toml b/crates/cbox/RUSTSEC-2020-0005.md similarity index 79% rename from crates/cbox/RUSTSEC-2020-0005.toml rename to crates/cbox/RUSTSEC-2020-0005.md index 80521701..1bf5932e 100644 --- a/crates/cbox/RUSTSEC-2020-0005.toml +++ b/crates/cbox/RUSTSEC-2020-0005.md 
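Review bot: The trailing `# last release` comment on `unaffected = ["> 0.8.1"]` is dropped in the new front matter, and it was the only thing explaining why an unmaintained-crate advisory declares any version unaffected. The fenced block is still TOML, so the comment can move with the key unchanged: `unaffected = ["> 0.8.1"] # last release`. Without it a later editor is likely to read the range as a mistake and "fix" it.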
@@ -1,15 +1,17 @@ +```toml [advisory] id = "RUSTSEC-2020-0005" package = "cbox" -date = "2020-03-19" -title = "CBox API allows to de-reference raw pointers without `unsafe` code" -url = "https://github.com/TomBebbington/cbox-rs/issues/2" categories = ["memory-corruption"] -description = """ -`CBox` and `CSemiBox` are part of the public API of the cbox crate -and they allow to create smart pointers from raw pointers and de-reference -them without the need of `unsafe` code. -""" +date = "2020-03-19" +url = "https://github.com/TomBebbington/cbox-rs/issues/2" [versions] patched = [] +``` + +# CBox API allows to de-reference raw pointers without `unsafe` code + +`CBox` and `CSemiBox` are part of the public API of the cbox crate +and they allow to create smart pointers from raw pointers and de-reference +them without the need of `unsafe` code. diff --git a/crates/chacha20/RUSTSEC-2019-0029.toml b/crates/chacha20/RUSTSEC-2019-0029.md similarity index 90% rename from crates/chacha20/RUSTSEC-2019-0029.toml rename to crates/chacha20/RUSTSEC-2019-0029.md index 4d4c19c9..4de7605c 100644 --- a/crates/chacha20/RUSTSEC-2019-0029.toml +++ b/crates/chacha20/RUSTSEC-2019-0029.md @@ -1,11 +1,17 @@ +```toml [advisory] id = "RUSTSEC-2019-0029" package = "chacha20" -date = "2019-10-22" -title = "ChaCha20 counter overflow can expose repetitions in the keystream" -url = "https://github.com/RustCrypto/stream-ciphers/pull/64" categories = ["crypto-failure"] -description = """ +date = "2019-10-22" +url = "https://github.com/RustCrypto/stream-ciphers/pull/64" + +[versions] +patched = [">= 0.2.3"] +``` + +# ChaCha20 counter overflow can expose repetitions in the keystream + The ChaCha20 stream cipher can produce a maximum of 2^32 blocks (~256GB) before the 32-bit counter overflows. Releases of the `chacha20` crate prior to v0.2.3 allow generating keystreams larger than this, including seeking 
@@ -19,7 +25,3 @@ and future releases will pursue returning an error in this case. Users of the `chacha20poly1305` crate are unaffected by this as this crate properly asserts the length of the plaintext is less than the maximum allowed (`P_MAX` as described in RFC 8439 Section 2.8). -""" - -[versions] -patched = [">= 0.2.3"] diff --git a/crates/chan/RUSTSEC-2018-0014.toml b/crates/chan/RUSTSEC-2018-0014.md similarity index 82% rename from crates/chan/RUSTSEC-2018-0014.toml rename to crates/chan/RUSTSEC-2018-0014.md index b78990a5..e56c2284 100644 --- a/crates/chan/RUSTSEC-2018-0014.toml +++ b/crates/chan/RUSTSEC-2018-0014.md @@ -1,11 +1,18 @@ +```toml [advisory] id = "RUSTSEC-2018-0014" package = "chan" -title = "chan is end-of-life; use crossbeam-channel instead" -informational = "unmaintained" date = "2018-07-31" +informational = "unmaintained" url = "https://github.com/BurntSushi/chan/commit/0a5c0d4ad4adc90a54ee04a427389acf2e157275" -description = """ + +[versions] +patched = [] +unaffected = ["> 0.1.23"] +``` + +# chan is end-of-life; use crossbeam-channel instead + **`chan` has reached its end-of-life and is now deprecated.** The intended successor of this crate is @@ -13,8 +20,3 @@ The intended successor of this crate is Its API is strikingly similar, but comes with a much better `select!` macro, better performance, a better test suite and an all-around better implementation. -""" - -[versions] -unaffected = ["> 0.1.23"] # last release -patched = [] diff --git a/crates/chttp/RUSTSEC-2019-0016.toml b/crates/chttp/RUSTSEC-2019-0016.md similarity index 85% rename from crates/chttp/RUSTSEC-2019-0016.toml rename to crates/chttp/RUSTSEC-2019-0016.md index c3dc1f52..9c5259f3 100644 --- a/crates/chttp/RUSTSEC-2019-0016.toml +++ b/crates/chttp/RUSTSEC-2019-0016.md 
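Review bot: In the `chan` conversion the `# last release` rationale on `unaffected = ["> 0.1.23"]` is lost when the key moves into the front matter, leaving a version range that looks arbitrary for a crate with no fix. The front matter is still TOML, so keep the comment on the line: `unaffected = ["> 0.1.23"] # last release`. The reordering of `patched` before `unaffected` is fine and matches the other converted entries.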
@@ -1,19 +1,21 @@ +```toml [advisory] id = "RUSTSEC-2019-0016" package = "chttp" +aliases = ["CVE-2019-16140"] date = "2019-09-01" -title = "Use-after-free in buffer conversion implementation" -description = """ +keywords = ["memory-management", "memory-corruption"] +url = "https://github.com/sagebind/isahc/issues/2" + +[versions] +patched = [">= 0.1.3"] +unaffected = ["< 0.1.1"] +``` + +# Use-after-free in buffer conversion implementation + The From implementation for Vec was not properly implemented, returning a vector backed by freed memory. This could lead to memory corruption or be exploited to cause undefined behavior. A fix was published in version 0.1.3. -""" -url = "https://github.com/sagebind/isahc/issues/2" -keywords = ["memory-management", "memory-corruption"] -aliases = ["CVE-2019-16140"] - -[versions] -patched = [">= 0.1.3"] -unaffected = ["< 0.1.1"] diff --git a/crates/chunky/RUSTSEC-2020-0035.toml b/crates/chunky/RUSTSEC-2020-0035.md similarity index 80% rename from crates/chunky/RUSTSEC-2020-0035.toml rename to crates/chunky/RUSTSEC-2020-0035.md index 6b132451..ce631703 100644 --- a/crates/chunky/RUSTSEC-2020-0035.toml +++ b/crates/chunky/RUSTSEC-2020-0035.md @@ -1,13 +1,15 @@ +```toml [advisory] id = "RUSTSEC-2020-0035" package = "chunky" date = "2020-08-25" informational = "unsound" -title = "Chunk API does not respect align requirement" url = "https://github.com/aeplay/chunky/issues/2" -description = """ -Chunk API does not respect the align requirement of types. Unaligned reference can be created with the API, which is an undefined behavior. -""" [versions] patched = [] +``` + +# Chunk API does not respect align requirement + +Chunk API does not respect the align requirement of types. Unaligned reference can be created with the API, which is an undefined behavior. 
diff --git a/crates/claxon/RUSTSEC-2018-0004.toml b/crates/claxon/RUSTSEC-2018-0004.md similarity index 91% rename from crates/claxon/RUSTSEC-2018-0004.toml rename to crates/claxon/RUSTSEC-2018-0004.md index db1b2370..41f70ec5 100644 --- a/crates/claxon/RUSTSEC-2018-0004.toml +++ b/crates/claxon/RUSTSEC-2018-0004.md @@ -1,11 +1,18 @@ +```toml [advisory] id = "RUSTSEC-2018-0004" package = "claxon" +aliases = ["CVE-2018-20992"] date = "2018-08-25" -title = "Malicious input could cause uninitialized memory to be exposed" -url = "https://github.com/ruuda/claxon/commit/8f28ec275e412dd3af4f3cda460605512faf332c" keywords = ["uninitialized-memory"] -description = """ +url = "https://github.com/ruuda/claxon/commit/8f28ec275e412dd3af4f3cda460605512faf332c" + +[versions] +patched = ["=0.3.2", ">= 0.4.1"] +``` + +# Malicious input could cause uninitialized memory to be exposed + Affected versions of Claxon made an invalid assumption about the decode buffer size being a multiple of a value read from the bitstream. This could cause parts of the decode buffer to not be overwritten. If the decode buffer was newly @@ -18,8 +25,3 @@ The flaw was corrected by checking that the value read from the bistream divides the decode buffer size, and returning a format error if it does not. If an error is returned, the decode buffer is not exposed. Regression tests and an additional fuzzer have been added to prevent similar flaws in the future. -""" -aliases = ["CVE-2018-20992"] - -[versions] -patched = ["=0.3.2", ">= 0.4.1"] diff --git a/crates/compact_arena/RUSTSEC-2019-0015.toml b/crates/compact_arena/RUSTSEC-2019-0015.md similarity index 90% rename from crates/compact_arena/RUSTSEC-2019-0015.toml rename to crates/compact_arena/RUSTSEC-2019-0015.md index e93329fa..84abb396 100644 --- a/crates/compact_arena/RUSTSEC-2019-0015.toml +++ b/crates/compact_arena/RUSTSEC-2019-0015.md 
@@ -1,12 +1,22 @@ +```toml [advisory] id = "RUSTSEC-2019-0015" package = "compact_arena" -date = "2019-05-21" -title = "Flaw in generativity allows out-of-bounds access" -url = "https://github.com/llogiq/compact_arena/issues/22" +aliases = ["CVE-2019-16139"] categories = ["memory-corruption"] +date = "2019-05-21" keywords = ["uninitialized-memory"] -description = """ +url = "https://github.com/llogiq/compact_arena/issues/22" + +[affected.functions] +"compact_arena::SmallArena::new" = ["< 0.4.0"] + +[versions] +patched = [">= 0.4.0"] +``` + +# Flaw in generativity allows out-of-bounds access + Affected versions of this crate did not properly implement the generativity, because the invariant lifetimes were not necessarily `drop`ped. @@ -15,11 +25,3 @@ arena with another one. This might lead to an out-of-bounds read or write access into the memory reserved for the arena. The flaw was corrected by implementing generativity correctly in version 0.4.0. -""" -aliases = ["CVE-2019-16139"] - -[affected.functions] -"compact_arena::SmallArena::new" = ["< 0.4.0"] - -[versions] -patched = [">= 0.4.0"] diff --git a/crates/cookie/RUSTSEC-2017-0005.toml b/crates/cookie/RUSTSEC-2017-0005.md similarity index 88% rename from crates/cookie/RUSTSEC-2017-0005.toml rename to crates/cookie/RUSTSEC-2017-0005.md index 53860589..dddb809d 100644 --- a/crates/cookie/RUSTSEC-2017-0005.toml +++ b/crates/cookie/RUSTSEC-2017-0005.md 
@@ -1,11 +1,18 @@ +```toml [advisory] id = "RUSTSEC-2017-0005" package = "cookie" +aliases = ["CVE-2017-18589"] +date = "2017-05-06" keywords = ["crash"] url = "https://github.com/alexcrichton/cookie-rs/pull/86" -title = "Large cookie Max-Age values can cause a denial of service" -date = "2017-05-06" -description = """ + +[versions] +patched = ["< 0.6.0", "^0.6.2", ">= 0.7.6"] +``` + +# Large cookie Max-Age values can cause a denial of service + Affected versions of this crate use the `time` crate and the method `Duration::seconds` to parse the `Max-Age` duration cookie setting. This method will panic if the value is greater than 2^64/1000 and less than or equal to @@ -13,8 +20,3 @@ will panic if the value is greater than 2^64/1000 and less than or equal to This flaw was corrected by explicitly checking for the `Max-Age` being in this integer range and clamping the value to the maximum duration value. -""" -aliases = ["CVE-2017-18589"] - -[versions] -patched = ["< 0.6.0", "^0.6.2", ">= 0.7.6"] diff --git a/crates/crayon/RUSTSEC-2020-0037.md b/crates/crayon/RUSTSEC-2020-0037.md new file mode 100644 index 00000000..51544a10 --- /dev/null +++ b/crates/crayon/RUSTSEC-2020-0037.md @@ -0,0 +1,19 @@ +```toml +[advisory] +id = "RUSTSEC-2020-0037" +package = "crayon" +date = "2020-08-31" +informational = "unsound" +url = "https://github.com/shawnscode/crayon/issues/87" + +[versions] +patched = [] +``` + +# Misbehaving `HandleLike` implementation can lead to memory safety violation + +Unsafe code in `ObjectPool` has time-of-check to time-of-use (TOCTOU) bug that +can eventually lead to a memory safety violation. `ObjectPool` and `HandlePool` +implicitly assumes that `HandleLike` trait methods are pure, i.e., they always +return the same value. However, this assumption is unsound since `HandleLike` +is a safe, public trait that allows a custom implementation. 
diff --git a/crates/crayon/RUSTSEC-2020-0037.toml b/crates/crayon/RUSTSEC-2020-0037.toml deleted file mode 100644 index 82b17b90..00000000 --- a/crates/crayon/RUSTSEC-2020-0037.toml +++ /dev/null @@ -1,13 +0,0 @@ -[advisory] -id = "RUSTSEC-2020-0037" -package = "crayon" -date = "2020-08-31" -informational = "unsound" -title = "Misbehaving `HandleLike` implementation can lead to memory safety violation" -url = "https://github.com/shawnscode/crayon/issues/87" -description = """ -Unsafe code in `ObjectPool` has time-of-check to time-of-use (TOCTOU) bug that can eventually lead to a memory safety violation. `ObjectPool` and `HandlePool` implicitly assumes that `HandleLike` trait methods are pure, i.e., they always return the same value. However, this assumption is unsound since `HandleLike` is a safe, public trait that allows a custom implementation. -""" - -[versions] -patched = [] diff --git a/crates/crossbeam/RUSTSEC-2018-0009.toml b/crates/crossbeam/RUSTSEC-2018-0009.md similarity index 88% rename from crates/crossbeam/RUSTSEC-2018-0009.toml rename to crates/crossbeam/RUSTSEC-2018-0009.md index 03415a79..16c03f0a 100644 --- a/crates/crossbeam/RUSTSEC-2018-0009.toml +++ b/crates/crossbeam/RUSTSEC-2018-0009.md @@ -1,11 +1,19 @@ +```toml [advisory] id = "RUSTSEC-2018-0009" package = "crossbeam" +aliases = ["CVE-2018-20996"] date = "2018-12-09" -title = "MsQueue and SegQueue suffer from double-free" -url = "https://github.com/crossbeam-rs/crossbeam-epoch/issues/82" keywords = ["concurrency", "memory-management", "memory-corruption"] -description = """ +url = "https://github.com/crossbeam-rs/crossbeam-epoch/issues/82" + +[versions] +patched = [">= 0.4.1"] +unaffected = ["< 0.4.0"] +``` + +# MsQueue and SegQueue suffer from double-free + Even if an element is popped from a queue, crossbeam would run its destructor inside the epoch-based garbage collector. This is a source of double frees. 
@@ -14,9 +22,3 @@ The flaw was corrected by wrapping elements inside queues in a `ManuallyDrop`. Thanks to @c0gent for reporting the issue. -""" -aliases = ["CVE-2018-20996"] - -[versions] -patched = [">= 0.4.1"] -unaffected = ["< 0.4.0"] diff --git a/crates/crust/RUSTSEC-2019-0032.toml b/crates/crust/RUSTSEC-2019-0032.md similarity index 79% rename from crates/crust/RUSTSEC-2019-0032.toml rename to crates/crust/RUSTSEC-2019-0032.md index 29039b12..37e05ad5 100644 --- a/crates/crust/RUSTSEC-2019-0032.toml +++ b/crates/crust/RUSTSEC-2019-0032.md @@ -1,18 +1,20 @@ +```toml [advisory] id = "RUSTSEC-2019-0032" package = "crust" -title = "crust repo has been archived; use libp2p instead" -informational = "unmaintained" date = "2019-11-21" +informational = "unmaintained" url = "https://github.com/maidsafe/crust" -description = """ + +[versions] +patched = [] +unaffected = ["> 0.32.1"] +``` + +# crust repo has been archived; use libp2p instead + ** The `crust` crate repo was archived with no warning or explanation.** Given that it was archived with no warning or successor, there's not an official replacement but [`rust-libp2p`](https://github.com/libp2p/rust-libp2p) looks like it's got a similar feature set and is actively maintained. -""" - -[versions] -unaffected = ["> 0.32.1"] # last release -patched = [] diff --git a/crates/dync/RUSTSEC-2020-0050.toml b/crates/dync/RUSTSEC-2020-0050.md similarity index 80% rename from crates/dync/RUSTSEC-2020-0050.toml rename to crates/dync/RUSTSEC-2020-0050.md index b1fa37cc..8c9e0e15 100644 --- a/crates/dync/RUSTSEC-2020-0050.toml +++ b/crates/dync/RUSTSEC-2020-0050.md 
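Review bot: The `# last release` trailing comment on `unaffected = ["> 0.32.1"]` is dropped when the crust `[versions]` table is moved into the fenced block, so the reason an `unaffected` range sits above every published version is no longer recorded; the same comment is lost on the libusb advisory (RUSTSEC-2016-0004) further down. The TOML inside the fence still accepts comments, so the line can be carried over as `unaffected = ["> 0.32.1"] # last release` (and `unaffected = ["> 0.3.0"] # last release` for libusb). If the new front-matter parser discards comments, keeping them costs nothing and the intent stays visible to the next editor.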
@@ -1,14 +1,16 @@ +```toml [advisory] id = "RUSTSEC-2020-0050" package = "dync" date = "2020-09-27" informational = "unsound" -title = "VecCopy allows misaligned access to elements" url = "https://github.com/elrnv/dync/issues/4" -description = """ -`VecCopy::data` is created as a Vec of u8 but can be used to store and retrieve -elements of different types leading to misaligned access. -""" [versions] patched = [] +``` + +# VecCopy allows misaligned access to elements + +`VecCopy::data` is created as a Vec of u8 but can be used to store and retrieve +elements of different types leading to misaligned access. diff --git a/crates/failure/RUSTSEC-2019-0036.toml b/crates/failure/RUSTSEC-2019-0036.md similarity index 72% rename from crates/failure/RUSTSEC-2019-0036.toml rename to crates/failure/RUSTSEC-2019-0036.md index 6ae7d177..ab8fad09 100644 --- a/crates/failure/RUSTSEC-2019-0036.toml +++ b/crates/failure/RUSTSEC-2019-0036.md @@ -1,21 +1,23 @@ +```toml [advisory] id = "RUSTSEC-2019-0036" -aliases = ["CVE-2020-25575"] package = "failure" +aliases = ["CVE-2020-25575"] date = "2019-11-13" informational = "unsound" -title = "Type confusion if __private_get_type_id__ is overriden" -url = "https://github.com/rust-lang-nursery/failure/issues/336" keywords = ["unsound"] -description = """ +url = "https://github.com/rust-lang-nursery/failure/issues/336" + +[affected.functions] +"failure::Fail::__private_get_type_id__" = [">= 0.1.0"] + +[versions] +patched = [] +``` + +# Type confusion if __private_get_type_id__ is overriden + Safe Rust code can implement malfunctioning `__private_get_type_id__` and cause type confusion when downcasting, which is an undefined behavior. Users who derive `Fail` trait are not affected. -""" - -[affected] -functions = { "failure::Fail::__private_get_type_id__" = [">= 0.1.0"] } - -[versions] -patched = [] 
diff --git a/crates/failure/RUSTSEC-2020-0036.toml b/crates/failure/RUSTSEC-2020-0036.md similarity index 90% rename from crates/failure/RUSTSEC-2020-0036.toml rename to crates/failure/RUSTSEC-2020-0036.md index be0c483e..d6872685 100644 --- a/crates/failure/RUSTSEC-2020-0036.toml +++ b/crates/failure/RUSTSEC-2020-0036.md @@ -1,11 +1,18 @@ +```toml [advisory] id = "RUSTSEC-2020-0036" package = "failure" -title = "failure is officially deprecated/unmaintained" -informational = "unmaintained" date = "2020-05-02" +informational = "unmaintained" url = "https://github.com/rust-lang-nursery/failure/pull/347" -description = """ + +[versions] +patched = [] +unaffected = [] +``` + +# failure is officially deprecated/unmaintained + The `failure` crate is officially end-of-life: it has been marked as deprecated by the former maintainer, who has announced that there will be no updates or maintenance work on it going forward. @@ -17,8 +24,3 @@ The following are some suggested actively developed alternatives to switch to: - [`fehler`](https://crates.io/crates/fehler) - [`snafu`](https://crates.io/crates/snafu) - [`thiserror`](https://crates.io/crates/thiserror) -""" - -[versions] -unaffected = [] -patched = [] diff --git a/crates/fake-static/RUSTSEC-2020-0013.toml b/crates/fake-static/RUSTSEC-2020-0013.md similarity index 78% rename from crates/fake-static/RUSTSEC-2020-0013.toml rename to crates/fake-static/RUSTSEC-2020-0013.md index b23cc8be..7188bd54 100644 --- a/crates/fake-static/RUSTSEC-2020-0013.toml +++ b/crates/fake-static/RUSTSEC-2020-0013.md 
@@ -1,9 +1,15 @@ +```toml [advisory] id = "RUSTSEC-2020-0013" package = "fake-static" date = "2020-04-24" -title = "fake-static allows converting any reference into a `'static` reference" -description = """ + +[versions] +patched = [] +``` + +# fake-static allows converting any reference into a `'static` reference + fake-static allows converting a refernce with any lifetime into a reference with `'static` lifetime without the `unsafe` keyword. @@ -11,7 +17,3 @@ Internally, this crate does not use unsafe code, it instead exploits a soundness bug in rustc: https://github.com/rust-lang/rust/issues/25860 -""" - -[versions] -patched = [] diff --git a/crates/flatbuffers/RUSTSEC-2019-0028.toml b/crates/flatbuffers/RUSTSEC-2019-0028.md similarity index 89% rename from crates/flatbuffers/RUSTSEC-2019-0028.toml rename to crates/flatbuffers/RUSTSEC-2019-0028.md index 0d971fca..7fff4320 100644 --- a/crates/flatbuffers/RUSTSEC-2019-0028.toml +++ b/crates/flatbuffers/RUSTSEC-2019-0028.md @@ -1,15 +1,9 @@ +```toml [advisory] id = "RUSTSEC-2019-0028" package = "flatbuffers" date = "2019-10-20" url = "https://github.com/google/flatbuffers/issues/5530" -title = "Unsound `impl Follow for bool`" -description = """ -The implementation of `impl Follow for bool` allows to reinterpret arbitrary bytes as a `bool`. - -In Rust `bool` has stringent requirements for its in-memory representation. Use of this function -allows to violate these requirements and invoke undefined behaviour in safe code. -""" [affected.functions] "flatbuffers::Follow::follow" = [">= 0.4.0", "<= 0.6.0"] 
@@ -17,3 +11,11 @@ allows to violate these requirements and invoke undefined behaviour in safe code [versions] patched = [">= 0.6.1"] unaffected = ["< 0.4.0"] +``` + +# Unsound `impl Follow for bool` + +The implementation of `impl Follow for bool` allows to reinterpret arbitrary bytes as a `bool`. + +In Rust `bool` has stringent requirements for its in-memory representation. Use of this function +allows to violate these requirements and invoke undefined behaviour in safe code. diff --git a/crates/flatbuffers/RUSTSEC-2020-0009.toml b/crates/flatbuffers/RUSTSEC-2020-0009.md similarity index 87% rename from crates/flatbuffers/RUSTSEC-2020-0009.toml rename to crates/flatbuffers/RUSTSEC-2020-0009.md index 09d07212..fbc50d23 100644 --- a/crates/flatbuffers/RUSTSEC-2020-0009.toml +++ b/crates/flatbuffers/RUSTSEC-2020-0009.md @@ -1,10 +1,21 @@ +```toml [advisory] id = "RUSTSEC-2020-0009" package = "flatbuffers" date = "2020-04-11" -title = "`read_scalar` and `read_scalar_at` allow transmuting values without `unsafe` blocks" url = "https://github.com/google/flatbuffers/issues/5825" -description = """ + +[affected.functions] +"flatbuffers::read_scalar" = [">= 0.4.0"] +"flatbuffers::read_scalar_at" = [">= 0.4.0"] + +[versions] +patched = [] +unaffected = ["< 0.4.0"] +``` + +# `read_scalar` and `read_scalar_at` allow transmuting values without `unsafe` blocks + The `read_scalar` and `read_scalar_at` functions are unsound because they allow transmuting values without `unsafe` blocks. @@ -21,12 +32,3 @@ fn main() { println!("{:?}", flatbuffers::read_scalar::(&[1; std::mem::size_of::()])); } ``` -""" - -[affected.functions] -"flatbuffers::read_scalar" = [">= 0.4.0"] -"flatbuffers::read_scalar_at" = [">= 0.4.0"] - -[versions] -patched = [] -unaffected = ["< 0.4.0"] 
diff --git a/crates/generator/RUSTSEC-2019-0020.toml b/crates/generator/RUSTSEC-2019-0020.md similarity index 89% rename from crates/generator/RUSTSEC-2019-0020.toml rename to crates/generator/RUSTSEC-2019-0020.md index f1c16a52..0815dadd 100644 --- a/crates/generator/RUSTSEC-2019-0020.toml +++ b/crates/generator/RUSTSEC-2019-0020.md @@ -1,19 +1,21 @@ -[advisory] -id = "RUSTSEC-2019-0020" -package = "generator" -date = "2019-09-06" -title = "fix unsound APIs that could lead to UB" -url = "https://github.com/Xudong-Huang/generator-rs/issues/9" -keywords = ["memory-corruption"] -description = """ -Affected versions of this crate API could use uninitialized memory with some APIs in special -cases, like use the API in none generator context. This could lead to UB. -The flaw was corrected by - - - -This patch fixes all those issues above. -""" - -[versions] -patched = [">= 0.6.18"] +```toml +[advisory] +id = "RUSTSEC-2019-0020" +package = "generator" +date = "2019-09-06" +keywords = ["memory-corruption"] +url = "https://github.com/Xudong-Huang/generator-rs/issues/9" + +[versions] +patched = [">= 0.6.18"] +``` + +# fix unsound APIs that could lead to UB + +Affected versions of this crate API could use uninitialized memory with some APIs in special +cases, like use the API in none generator context. This could lead to UB. +The flaw was corrected by + + + +This patch fixes all those issues above. diff --git a/crates/http/RUSTSEC-2019-0033.toml b/crates/http/RUSTSEC-2019-0033.md similarity index 89% rename from crates/http/RUSTSEC-2019-0033.toml rename to crates/http/RUSTSEC-2019-0033.md index 14f2046d..762a9d1b 100644 --- a/crates/http/RUSTSEC-2019-0033.toml +++ b/crates/http/RUSTSEC-2019-0033.md 
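Review bot: The description carried into the new generator file still ends with `The flaw was corrected by` followed by two blank lines and `This patch fixes all those issues above.`, so the list of corrections those sentences refer to is missing and the text dangles. Since the file is being rewritten here anyway, either restore the list from the linked issue or collapse the two sentences into one that points readers at the `url` reference, e.g. `The flaw was corrected in version 0.6.18; see the linked issue for details.` Every line of this file is shown as removed and re-added rather than moved, which may indicate a line-ending or trailing-whitespace change on top of the restructuring; worth confirming the new `.md` uses the same line endings as the other converted advisories.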
@@ -1,13 +1,22 @@ +```toml [advisory] id = "RUSTSEC-2019-0033" -aliases = ["CVE-2020-25574"] package = "http" -date = "2019-11-16" -title = "Integer Overflow in HeaderMap::reserve() can cause Denial of Service" -url = "https://github.com/hyperium/http/issues/352" +aliases = ["CVE-2020-25574"] categories = ["denial-of-service"] +date = "2019-11-16" keywords = ["http", "integer-overflow", "DoS"] -description = """ +url = "https://github.com/hyperium/http/issues/352" + +[affected.functions] +"http::header::HeaderMap::reserve" = ["< 0.1.20"] + +[versions] +patched = [">= 0.1.20"] +``` + +# Integer Overflow in HeaderMap::reserve() can cause Denial of Service + `HeaderMap::reserve()` used `usize::next_power_of_two()` to calculate the increased capacity. However, `next_power_of_two()` silently overflows to 0 if given a sufficently large number in release mode. @@ -18,10 +27,3 @@ This allows an attacker who controls the argument to `reserve()` to cause a potential denial of service (DoS). The flaw was corrected in 0.1.20 release of `http` crate. -""" - -[affected.functions] -"http::header::HeaderMap::reserve" = ["< 0.1.20"] - -[versions] -patched = [">= 0.1.20"] diff --git a/crates/http/RUSTSEC-2019-0034.toml b/crates/http/RUSTSEC-2019-0034.md similarity index 91% rename from crates/http/RUSTSEC-2019-0034.toml rename to crates/http/RUSTSEC-2019-0034.md index fffa2da8..8c2d48a8 100644 --- a/crates/http/RUSTSEC-2019-0034.toml +++ b/crates/http/RUSTSEC-2019-0034.md 
@@ -1,11 +1,20 @@ +```toml [advisory] id = "RUSTSEC-2019-0034" package = "http" -date = "2019-11-16" -title = "HeaderMap::Drain API is unsound" categories = ["memory-corruption"] +date = "2019-11-16" keywords = ["memory-safety", "double-free", "unsound"] -description = """ + +[affected.functions] +"http::header::HeaderMap::drain" = ["< 0.1.20"] + +[versions] +patched = [">= 0.1.20"] +``` + +# HeaderMap::Drain API is unsound + Affected versions of this crate incorrectly used raw pointer, which introduced unsoundness in its public safe API. @@ -13,10 +22,3 @@ which introduced unsoundness in its public safe API. and [it is possible to violate Rust's alias rule and cause data race with Drain's Iterator implementation](https://github.com/hyperium/http/issues/355). The flaw was corrected in 0.1.20 release of `http` crate. -""" - -[affected.functions] -"http::header::HeaderMap::drain" = ["< 0.1.20"] - -[versions] -patched = [">= 0.1.20"] diff --git a/crates/hyper/RUSTSEC-2016-0002.toml b/crates/hyper/RUSTSEC-2016-0002.md similarity index 88% rename from crates/hyper/RUSTSEC-2016-0002.toml rename to crates/hyper/RUSTSEC-2016-0002.md index 5fe25d6d..d72894ed 100644 --- a/crates/hyper/RUSTSEC-2016-0002.toml +++ b/crates/hyper/RUSTSEC-2016-0002.md 
@@ -1,13 +1,23 @@ +```toml [advisory] id = "RUSTSEC-2016-0002" package = "hyper" -date = "2016-05-09" -url = "https://github.com/hyperium/hyper/blob/master/CHANGELOG.md#v094-2016-05-09" -title = "HTTPS MitM vulnerability due to lack of hostname verification" +aliases = ["CVE-2016-10932"] categories = ["crypto-failure"] +date = "2016-05-09" keywords = ["ssl", "mitm"] references = ["RUSTSEC-2016-0001"] -description = """ +url = "https://github.com/hyperium/hyper/blob/master/CHANGELOG.md#v094-2016-05-09" + +[affected] +os = ["windows"] + +[versions] +patched = [">= 0.9.4"] +``` + +# HTTPS MitM vulnerability due to lack of hostname verification + When used on Windows platforms, all versions of Hyper prior to 0.9.4 did not perform hostname verification when making HTTPS requests. @@ -16,11 +26,3 @@ CA-issued certificate, even if there's a hostname mismatch. The problem was addressed by leveraging rust-openssl's built-in support for hostname verification. -""" -aliases = ["CVE-2016-10932"] - -[affected] -os = ["windows"] - -[versions] -patched = [">= 0.9.4"] diff --git a/crates/hyper/RUSTSEC-2017-0002.toml b/crates/hyper/RUSTSEC-2017-0002.md similarity index 84% rename from crates/hyper/RUSTSEC-2017-0002.toml rename to crates/hyper/RUSTSEC-2017-0002.md index 101575bf..408df994 100644 --- a/crates/hyper/RUSTSEC-2017-0002.toml +++ b/crates/hyper/RUSTSEC-2017-0002.md 
@@ -1,19 +1,21 @@ +```toml [advisory] id = "RUSTSEC-2017-0002" package = "hyper" +aliases = ["CVE-2017-18587"] date = "2017-01-23" url = "https://github.com/hyperium/hyper/wiki/Security-001" -title = "headers containing newline characters can split messages" -description = """ -Serializing of headers to the socket did not filter the values for newline bytes (`\\r` or `\\n`), + +[versions] +patched = [">= 0.10.2", "< 0.10.0, >= 0.9.18"] +``` + +# headers containing newline characters can split messages + +Serializing of headers to the socket did not filter the values for newline bytes (`\r` or `\n`), which allowed for header values to split a request or response. People would not likely include newlines in the headers in their own applications, so the way for most people to exploit this is if an application constructs headers based on unsanitized user input. This issue was fixed by replacing all newline characters with a space during serialization of a header value. -""" -aliases = ["CVE-2017-18587"] - -[versions] -patched = [">= 0.10.2", "< 0.10.0, >= 0.9.18"] diff --git a/crates/hyper/RUSTSEC-2020-0008.toml b/crates/hyper/RUSTSEC-2020-0008.md similarity index 90% rename from crates/hyper/RUSTSEC-2020-0008.toml rename to crates/hyper/RUSTSEC-2020-0008.md index 026e8c84..09100c12 100644 --- a/crates/hyper/RUSTSEC-2020-0008.toml +++ b/crates/hyper/RUSTSEC-2020-0008.md 
@@ -1,13 +1,19 @@ +```toml [advisory] id = "RUSTSEC-2020-0008" package = "hyper" -date = "2020-03-19" -title = "Flaw in hyper allows request smuggling by sending a body in GET requests" -url = "https://github.com/hyperium/hyper/issues/1925" categories = ["format-injection"] +date = "2020-03-19" keywords = ["http", "request-smuggling"] +url = "https://github.com/hyperium/hyper/issues/1925" + +[versions] +patched = [">= 0.12.34"] +unaffected = ["< 0.11.0"] +``` + +# Flaw in hyper allows request smuggling by sending a body in GET requests -description = """ Vulnerable versions of hyper allow GET requests to have bodies, even if there is no Transfer-Encoding or Content-Length header. As per the HTTP 1.1 specification, such requests do not have bodies, so the body will be interpreted @@ -21,8 +27,3 @@ vulnerabilities, such as an exploitable web server listening on loopback, it may allow remote code execution. The flaw was corrected in hyper version 0.12.34. -""" - -[versions] -patched = [">= 0.12.34"] -unaffected = ["< 0.11.0"] diff --git a/crates/image/RUSTSEC-2019-0014.toml b/crates/image/RUSTSEC-2019-0014.md similarity index 91% rename from crates/image/RUSTSEC-2019-0014.toml rename to crates/image/RUSTSEC-2019-0014.md index e31ee1d5..71530877 100644 --- a/crates/image/RUSTSEC-2019-0014.toml +++ b/crates/image/RUSTSEC-2019-0014.md 
@@ -1,11 +1,22 @@ +```toml [advisory] id = "RUSTSEC-2019-0014" package = "image" +aliases = ["CVE-2019-16138"] date = "2019-08-21" -title = "Flaw in interface may drop uninitialized instance of arbitrary types" -url = "https://github.com/image-rs/image/pull/985" keywords = ["drop", "use-after-free"] -description = """ +url = "https://github.com/image-rs/image/pull/985" + +[affected.functions] +"image::hdr::HDRDecoder::read_image_transform" = ["< 0.21.3, >= 0.10.2"] + +[versions] +patched = [">= 0.21.3"] +unaffected = ["< 0.10.2"] +``` + +# Flaw in interface may drop uninitialized instance of arbitrary types + Affected versions of this crate would call `Vec::set_len` on an uninitialized vector with user-provided type parameter, in an interface of the HDR image format decoder. They would then also call other code that could panic before @@ -21,12 +32,3 @@ called in case of panic, though. Starting from version `0.22`, a breaking change to the interface requires callers to pre-allocate the output buffer and pass a mutable slice instead, avoiding all unsafe code. -""" -aliases = ["CVE-2019-16138"] - -[affected.functions] -"image::hdr::HDRDecoder::read_image_transform" = ["< 0.21.3, >= 0.10.2"] - -[versions] -patched = [">= 0.21.3"] -unaffected = ["< 0.10.2"] diff --git a/crates/internment/RUSTSEC-2020-0017.toml b/crates/internment/RUSTSEC-2020-0017.md similarity index 88% rename from crates/internment/RUSTSEC-2020-0017.toml rename to crates/internment/RUSTSEC-2020-0017.md index 564457ae..6f09711a 100644 --- a/crates/internment/RUSTSEC-2020-0017.toml +++ b/crates/internment/RUSTSEC-2020-0017.md 
@@ -1,17 +1,10 @@ +```toml [advisory] id = "RUSTSEC-2020-0017" package = "internment" -date = "2020-05-28" -title = "Use after free in ArcIntern::drop" -url = "https://github.com/droundy/internment/issues/11" categories = ["memory-corruption"] -description = """ -`ArcIntern::drop` has a race condition where it can release memory -which is about to get another user. The new user will get a reference -to freed memory. - -Versions prior to 0.3.12 used stronger locking which avoided the problem. -""" +date = "2020-05-28" +url = "https://github.com/droundy/internment/issues/11" [affected.functions] "internment::ArcIntern::drop" = [">= 0.3.12"] @@ -19,3 +12,12 @@ Versions prior to 0.3.12 used stronger locking which avoided the problem. [versions] patched = [] unaffected = ["< 0.3.12"] +``` + +# Use after free in ArcIntern::drop + +`ArcIntern::drop` has a race condition where it can release memory +which is about to get another user. The new user will get a reference +to freed memory. + +Versions prior to 0.3.12 used stronger locking which avoided the problem. diff --git a/crates/libflate/RUSTSEC-2019-0010.toml b/crates/libflate/RUSTSEC-2019-0010.md similarity index 89% rename from crates/libflate/RUSTSEC-2019-0010.toml rename to crates/libflate/RUSTSEC-2019-0010.md index d9b3e465..c646325d 100644 --- a/crates/libflate/RUSTSEC-2019-0010.toml +++ b/crates/libflate/RUSTSEC-2019-0010.md 
@@ -1,18 +1,11 @@ +```toml [advisory] id = "RUSTSEC-2019-0010" package = "libflate" -date = "2019-07-04" -title = "MultiDecoder::read() drops uninitialized memory of arbitrary type on panic in client code" -url = "https://github.com/sile/libflate/issues/35" -keywords = ["drop", "use-after-free"] -description = """ -Affected versions of libflate have set a field of an internal structure with a generic type to an uninitialized value in `MultiDecoder::read()` and reverted it to the original value after the function completed. However, execution of `MultiDecoder::read()` could be interrupted by a panic in caller-supplied `Read` implementation. This would cause `drop()` to be called on uninitialized memory of a generic type implementing `Read`. - -This is equivalent to a use-after-free vulnerability and could allow an attacker to gain arbitrary code execution. - -The flaw was corrected by aborting immediately instead of unwinding the stack in case of panic within `MultiDecoder::read()`. The issue was discovered and fixed by Shnatsel. -""" aliases = ["CVE-2019-15552"] +date = "2019-07-04" +keywords = ["drop", "use-after-free"] +url = "https://github.com/sile/libflate/issues/35" [affected.functions] "libflate::gzip::MultiDecoder::read" = ["< 0.1.25, >= 0.1.14"] 
@@ -20,3 +13,12 @@ aliases = ["CVE-2019-15552"] [versions] patched = [">= 0.1.25"] unaffected = ["< 0.1.14"] +``` + +# MultiDecoder::read() drops uninitialized memory of arbitrary type on panic in client code + +Affected versions of libflate have set a field of an internal structure with a generic type to an uninitialized value in `MultiDecoder::read()` and reverted it to the original value after the function completed. However, execution of `MultiDecoder::read()` could be interrupted by a panic in caller-supplied `Read` implementation. This would cause `drop()` to be called on uninitialized memory of a generic type implementing `Read`. + +This is equivalent to a use-after-free vulnerability and could allow an attacker to gain arbitrary code execution. + +The flaw was corrected by aborting immediately instead of unwinding the stack in case of panic within `MultiDecoder::read()`. The issue was discovered and fixed by Shnatsel. diff --git a/crates/libp2p-core/RUSTSEC-2019-0004.toml b/crates/libp2p-core/RUSTSEC-2019-0004.md similarity index 78% rename from crates/libp2p-core/RUSTSEC-2019-0004.toml rename to crates/libp2p-core/RUSTSEC-2019-0004.md index 08a64f15..12b6eb86 100644 --- a/crates/libp2p-core/RUSTSEC-2019-0004.toml +++ b/crates/libp2p-core/RUSTSEC-2019-0004.md 
@@ -1,16 +1,18 @@ +```toml [advisory] id = "RUSTSEC-2019-0004" package = "libp2p-core" -date = "2019-05-15" -title = "Failure to properly verify ed25519 signatures makes any signature valid" -description = """ -Affected versions of this crate did not properly verify ed25519 signatures. -Any signature with a correct length was considered valid. - -This allows an attacker to impersonate any node identity. -""" aliases = ["CVE-2019-15545"] +date = "2019-05-15" [versions] patched = ["^0.7.1", ">= 0.8.1"] unaffected = ["< 0.3"] +``` + +# Failure to properly verify ed25519 signatures makes any signature valid + +Affected versions of this crate did not properly verify ed25519 signatures. +Any signature with a correct length was considered valid. + +This allows an attacker to impersonate any node identity. diff --git a/crates/libsecp256k1/RUSTSEC-2019-0027.toml b/crates/libsecp256k1/RUSTSEC-2019-0027.md similarity index 84% rename from crates/libsecp256k1/RUSTSEC-2019-0027.toml rename to crates/libsecp256k1/RUSTSEC-2019-0027.md index 3be36306..f2200111 100644 --- a/crates/libsecp256k1/RUSTSEC-2019-0027.toml +++ b/crates/libsecp256k1/RUSTSEC-2019-0027.md @@ -1,11 +1,20 @@ +```toml [advisory] id = "RUSTSEC-2019-0027" package = "libsecp256k1" -date = "2019-10-14" -title = "Flaw in Scalar::check_overflow allows side-channel timing attack" categories = ["crypto-failure"] +date = "2019-10-14" keywords = ["crypto", "sidechannel"] -description = """ + +[affected.functions] +"libsecp256k1::Scalar::check_overflow" = ["< 0.3.1"] + +[versions] +patched = [">= 0.3.1"] +``` + +# Flaw in Scalar::check_overflow allows side-channel timing attack + Versions of `libsecp256k1` prior to `0.3.1` did not execute Scalar::check_overflow in constant time. 
@@ -13,10 +22,3 @@ This allows an attacker to potentially leak information via a timing attack. The flaw was corrected by modifying Scalar::check_overflow to execute in constant time. -""" - -[affected.functions] -"libsecp256k1::Scalar::check_overflow" = ["< 0.3.1"] - -[versions] -patched = [">= 0.3.1"] diff --git a/crates/libusb/RUSTSEC-2016-0004.toml b/crates/libusb/RUSTSEC-2016-0004.md similarity index 75% rename from crates/libusb/RUSTSEC-2016-0004.toml rename to crates/libusb/RUSTSEC-2016-0004.md index 6c348531..154632e4 100644 --- a/crates/libusb/RUSTSEC-2016-0004.toml +++ b/crates/libusb/RUSTSEC-2016-0004.md @@ -1,19 +1,21 @@ +```toml [advisory] id = "RUSTSEC-2016-0004" package = "libusb" -title = "libusb is unmaintained; use rusb instead" -informational = "unmaintained" date = "2016-09-10" +informational = "unmaintained" url = "https://github.com/dcuddeback/libusb-rs/issues/33" -description = """ + +[versions] +patched = [] +unaffected = ["> 0.3.0"] +``` + +# libusb is unmaintained; use rusb instead + The `libusb` crate has not seen a release since September 2016, and its author is unresponsive. The `rusb` crate is a maintained fork: https://github.com/a1ien/rusb -""" - -[versions] -patched = [] -unaffected = ["> 0.3.0"] # last release diff --git a/crates/linea/RUSTSEC-2019-0021.toml b/crates/linea/RUSTSEC-2019-0021.md similarity index 87% rename from crates/linea/RUSTSEC-2019-0021.toml rename to crates/linea/RUSTSEC-2019-0021.md index 62ab2c78..f530bac8 100644 --- a/crates/linea/RUSTSEC-2019-0021.toml +++ b/crates/linea/RUSTSEC-2019-0021.md 
@@ -1,19 +1,21 @@ +```toml [advisory] id = "RUSTSEC-2019-0021" package = "linea" -date = "2019-09-14" -title = "`Matrix::zip_elements` causes double free" -url = "https://github.com/strake/linea.rs/issues/2" +aliases = ["CVE-2019-16880"] categories = ["memory-corruption"] +date = "2019-09-14" keywords = ["double free"] -description = """ +url = "https://github.com/strake/linea.rs/issues/2" + +[versions] +patched = ["> 0.9.4"] +``` + +# `Matrix::zip_elements` causes double free + Affected versions of this crate did not properly implements the `Matrix::zip_elements` method, which causes an double free when the given trait implementation might panic. This allows an attacker to corrupt or take control of the memory. The flaw was corrected by Phosphorus15. -""" -aliases = ["CVE-2019-16880"] - -[versions] -patched = ["> 0.9.4"] diff --git a/crates/linked-hash-map/RUSTSEC-2020-0026.toml b/crates/linked-hash-map/RUSTSEC-2020-0026.md similarity index 83% rename from crates/linked-hash-map/RUSTSEC-2020-0026.toml rename to crates/linked-hash-map/RUSTSEC-2020-0026.md index 41e08d68..411fc1df 100644 --- a/crates/linked-hash-map/RUSTSEC-2020-0026.toml +++ b/crates/linked-hash-map/RUSTSEC-2020-0026.md @@ -1,19 +1,19 @@ +```toml [advisory] id = "RUSTSEC-2020-0026" -aliases = ["CVE-2020-25573"] package = "linked-hash-map" +aliases = ["CVE-2020-25573"] date = "2020-06-23" informational = "unsound" - -title = "linked-hash-map creates uninitialized NonNull pointer" url = "https://github.com/contain-rs/linked-hash-map/pull/100" -description = """ +[versions] +patched = [">= 0.5.3"] +``` + +# linked-hash-map creates uninitialized NonNull pointer + Affected versions of this crate called `mem::uninitialized()` to create a `NonNull`, which is undefined behavior. The flaw was corrected by avoiding the use of `mem::uninitialized()`. -""" - -[versions] -patched = [">= 0.5.3"] 
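Review bot: The linea description carried into the new markdown body keeps two grammatical slips that are now the rendered advisory text: `did not properly implements the` should read `did not properly implement the`, and `causes an double free` should read `causes a double free`. Since these lines are moved rather than rewritten, fixing them in this migration avoids a follow-up touching the same file.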
diff --git a/crates/lucet-runtime-internals/RUSTSEC-2020-0004.toml b/crates/lucet-runtime-internals/RUSTSEC-2020-0004.md similarity index 88% rename from crates/lucet-runtime-internals/RUSTSEC-2020-0004.toml rename to crates/lucet-runtime-internals/RUSTSEC-2020-0004.md index 9674de8b..22126dd2 100644 --- a/crates/lucet-runtime-internals/RUSTSEC-2020-0004.toml +++ b/crates/lucet-runtime-internals/RUSTSEC-2020-0004.md @@ -1,11 +1,17 @@ +```toml [advisory] id = "RUSTSEC-2020-0004" package = "lucet-runtime-internals" -date = "2020-01-24" -title = "sigstack allocation bug can cause memory corruption or leak" -url = "https://github.com/bytecodealliance/lucet/pull/401" categories = ["memory-corruption", "memory-exposure"] -description = """ +date = "2020-01-24" +url = "https://github.com/bytecodealliance/lucet/pull/401" + +[versions] +patched = ["< 0.5.0, >= 0.4.3", ">= 0.5.1"] +``` + +# sigstack allocation bug can cause memory corruption or leak + An embedding using affected versions of lucet-runtime configured to use non-default Wasm globals sizes of more than 4KiB, or compiled in debug mode without optimizations, could leak data from the signal handler stack to guest @@ -13,7 +19,3 @@ programs. This can potentially cause data from the embedding host to leak to guest programs or cause corruption of guest program memory. This flaw was resolved by correcting the sigstack allocation logic. -""" - -[versions] -patched = ["< 0.5.0, >= 0.4.3", ">= 0.5.1"] diff --git a/crates/lz4-compress/RUSTSEC-2017-0007.toml b/crates/lz4-compress/RUSTSEC-2017-0007.md similarity index 84% rename from crates/lz4-compress/RUSTSEC-2017-0007.toml rename to crates/lz4-compress/RUSTSEC-2017-0007.md index d158a912..b2af55fe 100644 --- a/crates/lz4-compress/RUSTSEC-2017-0007.toml +++ b/crates/lz4-compress/RUSTSEC-2017-0007.md 
@@ -1,18 +1,20 @@ +```toml [advisory] id = "RUSTSEC-2017-0007" package = "lz4-compress" -title = "lz4-compress is unmaintained" +date = "2017-04-17" informational = "unmaintained" -date = "2017-04-17" # last release on crates.io url = "https://gitlab.redox-os.org/redox-os/tfs/issues/89" -description = """ + +[versions] +patched = [] +unaffected = [] +``` + +# lz4-compress is unmaintained + [According to the developers](https://gitlab.redox-os.org/redox-os/tfs/issues/89) this crate is no longer maintained. The suggested alternative is [`lz4-compression`](https://crates.io/crates/lz4-compression), a maintained fork of `lz4-compress`. See also [lz-fear](https://crates.io/crates/lz-fear) which is compatible with the reference LZ4 implementation in C, but not with lz4-compress. -""" - -[versions] -unaffected = [] -patched = [] diff --git a/crates/memoffset/RUSTSEC-2019-0011.toml b/crates/memoffset/RUSTSEC-2019-0011.md similarity index 79% rename from crates/memoffset/RUSTSEC-2019-0011.toml rename to crates/memoffset/RUSTSEC-2019-0011.md index d645a043..5bf67875 100644 --- a/crates/memoffset/RUSTSEC-2019-0011.toml +++ b/crates/memoffset/RUSTSEC-2019-0011.md 
@@ -1,17 +1,19 @@ +```toml [advisory] id = "RUSTSEC-2019-0011" package = "memoffset" +aliases = ["CVE-2019-15553"] date = "2019-07-16" informational = "unsound" -title = "Flaw in offset_of and span_of causes SIGILL, drops uninitialized memory of arbitrary type on panic in client code" url = "https://github.com/Gilnaa/memoffset/issues/9#issuecomment-505461490" -description = """ + +[versions] +patched = [">= 0.5.0"] +``` + +# Flaw in offset_of and span_of causes SIGILL, drops uninitialized memory of arbitrary type on panic in client code + Affected versions of this crate caused traps and/or memory unsafety by zero-initializing references. They also could lead to uninitialized memory being dropped if the field for which the offset is requested was behind a deref coercion, and that deref coercion caused a panic. The flaw was corrected by using `MaybeUninit`. -""" -aliases = ["CVE-2019-15553"] - -[versions] -patched = [">= 0.5.0"] diff --git a/crates/mozwire/RUSTSEC-2020-0030.toml b/crates/mozwire/RUSTSEC-2020-0030.md similarity index 84% rename from crates/mozwire/RUSTSEC-2020-0030.toml rename to crates/mozwire/RUSTSEC-2020-0030.md index 4ab088b4..eb670fd6 100644 --- a/crates/mozwire/RUSTSEC-2020-0030.toml +++ b/crates/mozwire/RUSTSEC-2020-0030.md @@ -1,12 +1,18 @@ +```toml [advisory] id = "RUSTSEC-2020-0030" package = "mozwire" -date = "2020-08-18" -title = "Missing sanitazion in mozwire allows local file overwrite of files ending in .conf" -url = "https://github.com/NilsIrl/MozWire/issues/14" categories = [] +date = "2020-08-18" keywords = ["file-overwrite"] -description = """ +url = "https://github.com/NilsIrl/MozWire/issues/14" + +[versions] +patched = ["> 0.4.1"] +``` + +# Missing sanitazion in mozwire allows local file overwrite of files ending in .conf + The client software downloaded a list of servers from mozilla's servers and created local files named after the hostname field in the json document. 
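Review bot: The mozwire title typo `sanitazion` is duplicated into the new rendered heading, which is the most visible line of the advisory; `# Missing sanitazion in mozwire allows local file overwrite of files ending in .conf` should read `# Missing sanitization in mozwire allows local file overwrite of files ending in .conf`. The description moved in the second hunk of this file also has `in controll of`, which should be `in control of`.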
@@ -15,6 +21,3 @@ No verification of the content of the string was made, and it could therefore ha This allows an attacker in controll of mozilla's servers to overwrite/create local files named .conf. The flaw was corrected by sanitizing the hostname field. -""" -[versions] -patched = ["> 0.4.1"] diff --git a/crates/ncurses/RUSTSEC-2019-0006.toml b/crates/ncurses/RUSTSEC-2019-0006.md similarity index 87% rename from crates/ncurses/RUSTSEC-2019-0006.toml rename to crates/ncurses/RUSTSEC-2019-0006.md index c43ac17b..1a4eae39 100644 --- a/crates/ncurses/RUSTSEC-2019-0006.toml +++ b/crates/ncurses/RUSTSEC-2019-0006.md @@ -1,10 +1,24 @@ +```toml [advisory] id = "RUSTSEC-2019-0006" package = "ncurses" +aliases = ["CVE-2019-15547", "CVE-2019-15548"] date = "2019-06-15" -title = "Buffer overflow and format vulnerabilities in functions exposed without unsafe" url = "https://github.com/RustSec/advisory-db/issues/106" -description = """ + +[affected.functions] +"ncurses::instr" = [">= 0"] +"ncurses::mvprintw" = [">= 0"] +"ncurses::mvwinstr" = [">= 0"] +"ncurses::mvwprintw" = [">= 0"] +"ncurses::printw" = [">= 0"] + +[versions] +patched = [] +``` + +# Buffer overflow and format vulnerabilities in functions exposed without unsafe + `ncurses` exposes functions from the ncurses library which: - Pass buffers without length to C functions that may write an arbitrary amount of @@ -12,15 +26,3 @@ description = """ - Passes rust &str to strings expecting C format arguments, allowing hostile input to execute a format string attack, which trivially allows writing arbitrary data to stack memory (functions in the `printw` family). -""" -aliases = ["CVE-2019-15547", "CVE-2019-15548"] - -[affected.functions] -"ncurses::instr" = [">= 0"] -"ncurses::mvwinstr" = [">= 0"] -"ncurses::printw" = [">= 0"] -"ncurses::mvprintw" = [">= 0"] -"ncurses::mvwprintw" = [">= 0"] - -[versions] -patched = [] 
diff --git a/crates/net2/RUSTSEC-2020-0016.toml b/crates/net2/RUSTSEC-2020-0016.md similarity index 70% rename from crates/net2/RUSTSEC-2020-0016.toml rename to crates/net2/RUSTSEC-2020-0016.md index 12a8921c..3ac477ce 100644 --- a/crates/net2/RUSTSEC-2020-0016.toml +++ b/crates/net2/RUSTSEC-2020-0016.md @@ -1,15 +1,17 @@ +```toml [advisory] id = "RUSTSEC-2020-0016" package = "net2" -date = "2020-05-01" # date when deprecation was announced on project README -title = "`net2` crate has been deprecated; use `socket2` instead" +date = "2020-05-01" informational = "unmaintained" url = "https://github.com/deprecrated/net2-rs/commit/3350e3819adf151709047e93f25583a5df681091" -description = """ -The [`net2`](https://crates.io/crates/net2) crate has been deprecated -and users are encouraged to considered [`socket2`](https://crates.io/crates/socket2) instead. -""" [versions] -unaffected = [] patched = [] +unaffected = [] +``` + +# `net2` crate has been deprecated; use `socket2` instead + +The [`net2`](https://crates.io/crates/net2) crate has been deprecated +and users are encouraged to considered [`socket2`](https://crates.io/crates/socket2) instead. diff --git a/crates/obstack/RUSTSEC-2020-0040.toml b/crates/obstack/RUSTSEC-2020-0040.md similarity index 79% rename from crates/obstack/RUSTSEC-2020-0040.toml rename to crates/obstack/RUSTSEC-2020-0040.md index e7213c59..87e7b1be 100644 --- a/crates/obstack/RUSTSEC-2020-0040.toml +++ b/crates/obstack/RUSTSEC-2020-0040.md @@ -1,13 +1,14 @@ +```toml [advisory] id = "RUSTSEC-2020-0040" package = "obstack" date = "2020-09-03" informational = "unsound" -title = "Obstack generates unaligned references" url = "https://github.com/petertodd/rust-obstack/issues/4" -description = """ -Obstack generates unaligned references for types that require a large alignment. -""" - [versions] patched = [">= 0.1.4"] +``` + +# Obstack generates unaligned references + +Obstack generates unaligned references for types that require a large alignment. 
diff --git a/crates/once_cell/RUSTSEC-2019-0017.toml b/crates/once_cell/RUSTSEC-2019-0017.md similarity index 87% rename from crates/once_cell/RUSTSEC-2019-0017.toml rename to crates/once_cell/RUSTSEC-2019-0017.md index 06a87127..a6ecf424 100644 --- a/crates/once_cell/RUSTSEC-2019-0017.toml +++ b/crates/once_cell/RUSTSEC-2019-0017.md @@ -1,25 +1,27 @@ +```toml [advisory] id = "RUSTSEC-2019-0017" package = "once_cell" +aliases = ["CVE-2019-16141"] date = "2019-09-01" -title = "Panic during initialization of Lazy might trigger undefined behavior" -url = "https://github.com/matklad/once_cell/issues/46" keywords = ["undefined_behavior"] -description = """ +url = "https://github.com/matklad/once_cell/issues/46" + +[affected.functions] +"once_cell::sync::Lazy::deref" = ["< 1.0.1, >= 0.2.5"] +"once_cell::sync::Lazy::force" = ["< 1.0.1, >= 0.2.5"] +"once_cell::unsync::Lazy::deref" = ["< 1.0.1, >= 0.2.5"] +"once_cell::unsync::Lazy::force" = ["< 1.0.1, >= 0.2.5"] + +[versions] +patched = [">= 1.0.1"] +unaffected = ["< 0.2.5"] +``` + +# Panic during initialization of Lazy might trigger undefined behavior + If during the first dereference of Lazy the initialization function panics, subsequent derefernces will execute `std::hints::unreachable_unchecked`. Applications with `panic = "abort"` are not affected, as there will be no subsequent dereferences. -""" -aliases = ["CVE-2019-16141"] - -[affected.functions] -"once_cell::unsync::Lazy::force" = ["< 1.0.1, >= 0.2.5"] -"once_cell::unsync::Lazy::deref" = ["< 1.0.1, >= 0.2.5"] -"once_cell::sync::Lazy::force" = ["< 1.0.1, >= 0.2.5"] -"once_cell::sync::Lazy::deref" = ["< 1.0.1, >= 0.2.5"] - -[versions] -patched = [">= 1.0.1"] -unaffected = ["< 0.2.5"] diff --git a/crates/openssl-src/RUSTSEC-2020-0015.toml b/crates/openssl-src/RUSTSEC-2020-0015.md similarity index 88% rename from crates/openssl-src/RUSTSEC-2020-0015.toml rename to crates/openssl-src/RUSTSEC-2020-0015.md index aacfa93c..a9f17e2a 100644 
--- a/crates/openssl-src/RUSTSEC-2020-0015.toml +++ b/crates/openssl-src/RUSTSEC-2020-0015.md @@ -1,18 +1,21 @@ +```toml [advisory] id = "RUSTSEC-2020-0015" package = "openssl-src" -date = "2020-04-25" -title = "Crash causing Denial of Service attack" -url = "https://www.openssl.org/news/secadv/20200421.txt" -categories = ["denial-of-service"] -description = """ -Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 -handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the -"signature_algorithms_cert" TLS extension. The crash occurs if an invalid or unrecognised signature -algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of -Service attack.""" aliases = ["CVE-2020-1967"] +categories = ["denial-of-service"] +date = "2020-04-25" +url = "https://www.openssl.org/news/secadv/20200421.txt" [versions] patched = [">= 111.9.0+1.1.1g"] unaffected = ["< 111.6.0+1.1.1d"] +``` + +# Crash causing Denial of Service attack + +Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 +handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the +"signature_algorithms_cert" TLS extension. The crash occurs if an invalid or unrecognised signature +algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of +Service attack. diff --git a/crates/openssl/RUSTSEC-2016-0001.toml b/crates/openssl/RUSTSEC-2016-0001.md similarity index 90% rename from crates/openssl/RUSTSEC-2016-0001.toml rename to crates/openssl/RUSTSEC-2016-0001.md index 2ab962a6..90df4062 100644 --- a/crates/openssl/RUSTSEC-2016-0001.toml +++ b/crates/openssl/RUSTSEC-2016-0001.md 
@@ -1,11 +1,17 @@ +```toml [advisory] id = "RUSTSEC-2016-0001" package = "openssl" +aliases = ["CVE-2016-10931"] date = "2016-11-05" keywords = ["ssl", "mitm"] url = "https://github.com/sfackler/rust-openssl/releases/tag/v0.9.0" -title = "SSL/TLS MitM vulnerability due to insecure defaults" -description = """ +[versions] +patched = [">= 0.9.0"] +``` + +# SSL/TLS MitM vulnerability due to insecure defaults + All versions of rust-openssl prior to 0.9.0 contained numerous insecure defaults including off-by-default certificate verification and no API to perform hostname verification. @@ -17,8 +23,3 @@ The problem was addressed in newer versions by enabling certificate verification by default and exposing APIs to perform hostname verification. Use the `SslConnector` and `SslAcceptor` types to take advantage of these new features (as opposed to the lower-level `SslContext` type). -""" -aliases = ["CVE-2016-10931"] - -[versions] -patched = [">= 0.9.0"] diff --git a/crates/openssl/RUSTSEC-2018-0010.toml b/crates/openssl/RUSTSEC-2018-0010.md similarity index 65% rename from crates/openssl/RUSTSEC-2018-0010.toml rename to crates/openssl/RUSTSEC-2018-0010.md index 8fd8c831..926f57e2 100644 --- a/crates/openssl/RUSTSEC-2018-0010.toml +++ b/crates/openssl/RUSTSEC-2018-0010.md @@ -1,13 +1,17 @@ +```toml [advisory] id = "RUSTSEC-2018-0010" package = "openssl" -date = "2018-06-01" -title = "Use after free in CMS Signing" -url = "https://github.com/sfackler/rust-openssl/pull/942" -keywords = ["memory-corruption"] -description = "Affected versions of the OpenSSL crate used structures after they'd been freed." aliases = ["CVE-2018-20997"] +date = "2018-06-01" +keywords = ["memory-corruption"] +url = "https://github.com/sfackler/rust-openssl/pull/942" [versions] patched = [">= 0.10.9"] unaffected = ["< 0.10.8"] +``` + +# Use after free in CMS Signing + +Affected versions of the OpenSSL crate used structures after they'd been freed. 
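Review bot: In the openssl RUSTSEC-2018-0010 hunk, `memory-corruption` is kept as a `keywords` entry (`keywords = ["memory-corruption"]`) rather than under `categories`, whereas the linea, lucet-runtime-internals, pnet and prost advisories in this same change all carry it as `categories = ["memory-corruption"]`. If `categories` is the vocabulary consumers classify by, this use-after-free advisory would be missed by a category filter. Consider `categories = ["memory-corruption"]` here, keeping the keyword if it is still wanted; the migration sorted the keys but is a natural place to fix the field as well.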
diff --git a/crates/ordnung/RUSTSEC-2020-0038.toml b/crates/ordnung/RUSTSEC-2020-0038.md similarity index 85% rename from crates/ordnung/RUSTSEC-2020-0038.toml rename to crates/ordnung/RUSTSEC-2020-0038.md index 706362a4..1e68fc27 100644 --- a/crates/ordnung/RUSTSEC-2020-0038.toml +++ b/crates/ordnung/RUSTSEC-2020-0038.md @@ -1,15 +1,17 @@ +```toml [advisory] id = "RUSTSEC-2020-0038" package = "ordnung" date = "2020-09-03" -title = "Memory safety issues in `compact::Vec`" url = "https://github.com/maciejhirsz/ordnung/issues/8" -description = """ + +[versions] +patched = [] +``` + +# Memory safety issues in `compact::Vec` + `compact::Vec` contains multiple memory safety issues. 1. It mishandles large capacity and causes out-of-bound access in 32-bit / allocator layout mismatch in 64-bit. 2. `remove()` is not panic-safe and causes double-free when an index larger than the length is provided. -""" - -[versions] -patched = [] diff --git a/crates/orion/RUSTSEC-2018-0012.toml b/crates/orion/RUSTSEC-2018-0012.md similarity index 81% rename from crates/orion/RUSTSEC-2018-0012.toml rename to crates/orion/RUSTSEC-2018-0012.md index c7b2d919..3fa024ef 100644 --- a/crates/orion/RUSTSEC-2018-0012.toml +++ b/crates/orion/RUSTSEC-2018-0012.md @@ -1,17 +1,19 @@ +```toml [advisory] id = "RUSTSEC-2018-0012" package = "orion" +aliases = ["CVE-2018-20999"] date = "2018-12-20" -title = "Flaw in streaming state reset() functions can create incorrect results." url = "https://github.com/brycx/orion/issues/46" -description = """ + +[versions] +patched = [">= 0.11.2"] +``` + +# Flaw in streaming state reset() functions can create incorrect results. + Affected versions of this crate did not properly reset a streaming state. Resetting a streaming state, without finalising it first, creates incorrect results. The flaw was corrected by not first checking if the state had already been reset, when calling reset(). -""" -aliases = ["CVE-2018-20999"] - -[versions] -patched = [">= 0.11.2"] 
diff --git a/crates/os_str_bytes/RUSTSEC-2020-0012.toml b/crates/os_str_bytes/RUSTSEC-2020-0012.md similarity index 85% rename from crates/os_str_bytes/RUSTSEC-2020-0012.toml rename to crates/os_str_bytes/RUSTSEC-2020-0012.md index 1bbee6bd..1e826c28 100644 --- a/crates/os_str_bytes/RUSTSEC-2020-0012.toml +++ b/crates/os_str_bytes/RUSTSEC-2020-0012.md @@ -1,10 +1,19 @@ +```toml [advisory] id = "RUSTSEC-2020-0012" package = "os_str_bytes" date = "2020-04-24" -title = "Relies on undefined behavior of `char::from_u32_unchecked`" url = "https://github.com/dylni/os_str_bytes/pull/1" -description = """ + +[affected] +os = ["windows"] + +[versions] +patched = [">= 2.0.0"] +``` + +# Relies on undefined behavior of `char::from_u32_unchecked` + The Windows implementation of this crate relied on the behavior of `std::char::from_u32_unchecked` when its safety clause is violated. Even though this worked with Rust versions up to 1.42 (at least), @@ -12,10 +21,3 @@ that behavior could change with any new Rust version, possibly leading a security issue. The flaw was corrected in version 2.0.0. -""" - -[affected] -os = ["windows"] - -[versions] -patched = [">= 2.0.0"] diff --git a/crates/ozone/RUSTSEC-2020-0022.toml b/crates/ozone/RUSTSEC-2020-0022.md similarity index 84% rename from crates/ozone/RUSTSEC-2020-0022.toml rename to crates/ozone/RUSTSEC-2020-0022.md index 924cf428..933e3833 100644 --- a/crates/ozone/RUSTSEC-2020-0022.toml +++ b/crates/ozone/RUSTSEC-2020-0022.md 
@@ -1,12 +1,14 @@ +```toml [advisory] id = "RUSTSEC-2020-0022" package = "ozone" date = "2020-07-04" -title = "Ozone contains several memory safety issues" -description = """ -Ozone contains several memory safety issues including [out-of-bound access](https://github.com/bqv/ozone/blob/e21f948b0178ab305f644118f18d87a838c618e0/src/buffer.rs#L38-L48) -and dropping of [uninitialized memory](https://github.com/bqv/ozone/blob/e21f948b0178ab305f644118f18d87a838c618e0/src/map.rs#L94-L101). -""" [versions] patched = [] +``` + +# Ozone contains several memory safety issues + +Ozone contains several memory safety issues including [out-of-bound access](https://github.com/bqv/ozone/blob/e21f948b0178ab305f644118f18d87a838c618e0/src/buffer.rs#L38-L48) +and dropping of [uninitialized memory](https://github.com/bqv/ozone/blob/e21f948b0178ab305f644118f18d87a838c618e0/src/map.rs#L94-L101). diff --git a/crates/pancurses/RUSTSEC-2019-0005.toml b/crates/pancurses/RUSTSEC-2019-0005.md similarity index 86% rename from crates/pancurses/RUSTSEC-2019-0005.toml rename to crates/pancurses/RUSTSEC-2019-0005.md index 511fca0b..f09ca2fd 100644 --- a/crates/pancurses/RUSTSEC-2019-0005.toml +++ b/crates/pancurses/RUSTSEC-2019-0005.md @@ -1,15 +1,10 @@ +```toml [advisory] id = "RUSTSEC-2019-0005" package = "pancurses" -date = "2019-06-15" -title = "Format string vulnerabilities in `pancurses`" -url = "https://github.com/RustSec/advisory-db/issues/106" -description = """ -`pancurses::mvprintw` and `pancurses::printw` passes a pointer from a rust `&str` to C, -allowing hostile input to execute a format string attack, which trivially allows writing -arbitrary data to stack memory. -""" aliases = ["CVE-2019-15546"] +date = "2019-06-15" +url = "https://github.com/RustSec/advisory-db/issues/106" [affected.functions] "pancurses::mvprintw" = [">= 0"] 
@@ -17,3 +12,10 @@ aliases = ["CVE-2019-15546"] [versions] patched = [] +``` + +# Format string vulnerabilities in `pancurses` + +`pancurses::mvprintw` and `pancurses::printw` passes a pointer from a rust `&str` to C, +allowing hostile input to execute a format string attack, which trivially allows writing +arbitrary data to stack memory. diff --git a/crates/plutonium/RUSTSEC-2020-0011.toml b/crates/plutonium/RUSTSEC-2020-0011.md similarity index 82% rename from crates/plutonium/RUSTSEC-2020-0011.toml rename to crates/plutonium/RUSTSEC-2020-0011.md index 4fad5f14..3fede1bf 100644 --- a/crates/plutonium/RUSTSEC-2020-0011.toml +++ b/crates/plutonium/RUSTSEC-2020-0011.md @@ -1,15 +1,18 @@ +```toml [advisory] id = "RUSTSEC-2020-0011" package = "plutonium" date = "2020-04-23" -yanked = true informational = "notice" -title = "Library exclusively intended to obfuscate code." url = "https://docs.rs/plutonium/0.2.2/plutonium/" -description = """ +yanked = true + +[versions] +patched = [] +``` + +# Library exclusively intended to obfuscate code. + This crate allows you to write safe functions with unsafe bodies without the `unsafe` keyword. The value this adds is questionable, and hides `unsafe` usages from naive analysis. -""" -[versions] -patched = [] diff --git a/crates/pnet/RUSTSEC-2019-0037.toml b/crates/pnet/RUSTSEC-2019-0037.md similarity index 71% rename from crates/pnet/RUSTSEC-2019-0037.toml rename to crates/pnet/RUSTSEC-2019-0037.md index f8ec9ce1..491bd927 100644 --- a/crates/pnet/RUSTSEC-2019-0037.toml +++ b/crates/pnet/RUSTSEC-2019-0037.md 
@@ -1,18 +1,19 @@ +```toml [advisory] id = "RUSTSEC-2019-0037" package = "pnet" -date = "2019-06-11" -title = "Compiler optimisation for next_with_timeout in pnet::transport::IcmpTransportChannelIterator flaws to SEGFAULT" -url = "https://github.com/libpnet/libpnet/issues/449" categories = ["memory-corruption"] cvss = "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H" +date = "2019-06-11" keywords = ["segfault"] -description = """ -Affected versions of this crate were optimized out by compiler, -which caused dereference of uninitialized file descriptor which caused segfault. -""" +url = "https://github.com/libpnet/libpnet/issues/449" [affected.functions] "pnet::transport::IcmpTransportChannelIterator" = ["< 0.26.0"] - [versions] -patched = [">= 0.26.0"] # no patch exists yet +patched = [">= 0.26.0"] +``` + +# Compiler optimisation for next_with_timeout in pnet::transport::IcmpTransportChannelIterator flaws to SEGFAULT + +Affected versions of this crate were optimized out by compiler, +which caused dereference of uninitialized file descriptor which caused segfault. diff --git a/crates/portaudio-rs/RUSTSEC-2019-0022.toml b/crates/portaudio-rs/RUSTSEC-2019-0022.md similarity index 90% rename from crates/portaudio-rs/RUSTSEC-2019-0022.toml rename to crates/portaudio-rs/RUSTSEC-2019-0022.md index b3b7371c..905021dc 100644 --- a/crates/portaudio-rs/RUSTSEC-2019-0022.toml +++ b/crates/portaudio-rs/RUSTSEC-2019-0022.md 
@@ -1,12 +1,19 @@ +```toml [advisory] id = "RUSTSEC-2019-0022" package = "portaudio-rs" -date = "2019-09-14" -title = "Stream callback function is not unwind safe" -url = "https://github.com/mvdnes/portaudio-rs/issues/20" +aliases = ["CVE-2019-16881"] categories = ["code-execution", "memory-corruption"] +date = "2019-09-14" keywords = ["audio", "ffi"] -description = """ +url = "https://github.com/mvdnes/portaudio-rs/issues/20" + +[versions] +patched = ["> 0.3.1"] +``` + +# Stream callback function is not unwind safe + Affected versions of this crate is not panic safe within callback functions `stream_callback` and `stream_finished_callback`. The call to user-provided closure might panic before a `mem::forget` call, which then causes a use after free that grants attacker to control the callback function pointer. @@ -14,8 +21,3 @@ The call to user-provided closure might panic before a `mem::forget` call, which This allows an attacker to construct an arbitrary code execution . The flaw was reported by Phosphorus15. -""" -aliases = ["CVE-2019-16881"] - -[versions] -patched = ["> 0.3.1"] diff --git a/crates/portaudio/RUSTSEC-2016-0003.toml b/crates/portaudio/RUSTSEC-2016-0003.md similarity index 84% rename from crates/portaudio/RUSTSEC-2016-0003.toml rename to crates/portaudio/RUSTSEC-2016-0003.md index 0644245b..8f720fbb 100644 --- a/crates/portaudio/RUSTSEC-2016-0003.toml +++ b/crates/portaudio/RUSTSEC-2016-0003.md 
@@ -1,18 +1,20 @@ +```toml [advisory] id = "RUSTSEC-2016-0003" package = "portaudio" +aliases = ["CVE-2016-10933"] date = "2016-08-01" -title = "HTTP download and execution allows MitM RCE" -url = "https://github.com/RustAudio/rust-portaudio/issues/144" keywords = ["ssl", "mitm"] -description = """ +url = "https://github.com/RustAudio/rust-portaudio/issues/144" + +[versions] +patched = [] +``` + +# HTTP download and execution allows MitM RCE + The build script in the portaudio crate will attempt to download via HTTP the portaudio source and build it. A Mallory in the middle can intercept the download with their own archive and get RCE. -""" -aliases = ["CVE-2016-10933"] - -[versions] -patched = [] diff --git a/crates/prost/RUSTSEC-2020-0002.toml b/crates/prost/RUSTSEC-2020-0002.md similarity index 87% rename from crates/prost/RUSTSEC-2020-0002.toml rename to crates/prost/RUSTSEC-2020-0002.md index 6c84deaf..45c529fa 100644 --- a/crates/prost/RUSTSEC-2020-0002.toml +++ b/crates/prost/RUSTSEC-2020-0002.md @@ -1,12 +1,18 @@ +```toml [advisory] +categories = ["denial-of-service", "memory-corruption"] +date = "2020-01-16" id = "RUSTSEC-2020-0002" package = "prost" -date = "2020-01-16" -title = "Parsing a specially crafted message can result in a stack overflow" -url = "https://github.com/danburkert/prost/issues/267" -categories = ["denial-of-service", "memory-corruption"] keywords = ["stack overflow"] -description = """ +url = "https://github.com/danburkert/prost/issues/267" + +[versions] +patched = [">= 0.6.1"] +``` + +# Parsing a specially crafted message can result in a stack overflow + Affected versions of this crate contained a bug in which decoding untrusted input could overflow the stack. @@ -16,7 +22,3 @@ overflowing the stack is unsound and can result in potential memory corruption (or even RCE). The flaw was quickly corrected by @danburkert and released in version 0.6.1. -""" - -[versions] -patched = [">= 0.6.1"] 
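Review bot: On the new side of the prost hunk, `categories` and `date` are placed above `id` and `package`, whereas every other advisory in this change, including protobuf in the next hunk, keeps `id` then `package` as the first two lines under `[advisory]` and sorts the remaining keys after them. This looks like an over-eager alphabetical sort; moving `id = "RUSTSEC-2020-0002"` and `package = "prost"` back to directly under `[advisory]` restores the convention and keeps the identifier at the top where readers expect it.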
diff --git a/crates/protobuf/RUSTSEC-2019-0003.toml b/crates/protobuf/RUSTSEC-2019-0003.md similarity index 87% rename from crates/protobuf/RUSTSEC-2019-0003.toml rename to crates/protobuf/RUSTSEC-2019-0003.md index 32ff64ce..b96ae7ea 100644 --- a/crates/protobuf/RUSTSEC-2019-0003.toml +++ b/crates/protobuf/RUSTSEC-2019-0003.md @@ -1,21 +1,23 @@ +```toml [advisory] id = "RUSTSEC-2019-0003" package = "protobuf" -date = "2019-06-08" -title = "Out of Memory in stream::read_raw_bytes_into()" -url = "https://github.com/stepancheg/rust-protobuf/issues/411" -categories = ["denial-of-service"] -keywords = ["oom", "panic"] -description = """ -Affected versions of this crate called Vec::reserve() on user-supplied input. - -This allows an attacker to cause an Out of Memory condition while calling the -vulnerable method on untrusted data. -""" aliases = ["CVE-2019-15544"] +categories = ["denial-of-service"] +date = "2019-06-08" +keywords = ["oom", "panic"] +url = "https://github.com/stepancheg/rust-protobuf/issues/411" [affected.functions] "protobuf::stream::read_raw_bytes_into" = ["< 2.6.0"] [versions] patched = ["^1.7.5", ">= 2.6.0"] +``` + +# Out of Memory in stream::read_raw_bytes_into() + +Affected versions of this crate called Vec::reserve() on user-supplied input. + +This allows an attacker to cause an Out of Memory condition while calling the +vulnerable method on untrusted data. diff --git a/crates/quickersort/RUSTSEC-2018-0016.toml b/crates/quickersort/RUSTSEC-2018-0016.md similarity index 88% rename from crates/quickersort/RUSTSEC-2018-0016.toml rename to crates/quickersort/RUSTSEC-2018-0016.md index d0863a34..84d9002f 100644 --- a/crates/quickersort/RUSTSEC-2018-0016.toml +++ b/crates/quickersort/RUSTSEC-2018-0016.md 
@@ -1,18 +1,20 @@ +```toml [advisory] id = "RUSTSEC-2018-0016" package = "quickersort" date = "2018-06-30" -title = "quickersort is deprecated and unmaintained" informational = "unmaintained" url = "https://github.com/notriddle/quickersort/commit/0bc164366315801f0c6b31f4081b7df9fc894076" -description = """ + +[versions] +patched = [] +unaffected = ["> 3.0.1"] +``` + +# quickersort is deprecated and unmaintained + The author of the `quickersort` crate has deprecated it and does not recommend using it anymore. Everything in it has been incorporated into [std::sort_unstable] in the standard library as of Rust 1.20. [std::sort_unstable]: https://doc.rust-lang.org/stable/std/primitive.slice.html#method.sort_unstable -""" - -[versions] -patched = [] -unaffected = ["> 3.0.1"] diff --git a/crates/rand_core/RUSTSEC-2019-0035.toml b/crates/rand_core/RUSTSEC-2019-0035.md similarity index 91% rename from crates/rand_core/RUSTSEC-2019-0035.toml rename to crates/rand_core/RUSTSEC-2019-0035.md index 8ab990ae..1d2ace29 100644 --- a/crates/rand_core/RUSTSEC-2019-0035.toml +++ b/crates/rand_core/RUSTSEC-2019-0035.md 
@@ -1,21 +1,23 @@ +```toml [advisory] id = "RUSTSEC-2019-0035" -aliases = ["GHSA-mmc9-pwm7-qj5w", "CVE-2020-25576"] package = "rand_core" +aliases = ["GHSA-mmc9-pwm7-qj5w", "CVE-2020-25576"] date = "2019-04-19" informational = "unsound" -title = "Unaligned memory access" -description = """ +url = "https://github.com/rust-random/rand/blob/master/rand_core/CHANGELOG.md#050---2019-06-06" + +[affected.functions] +"rand_core::BlockRng::fill_bytes" = ["< 0.4.2"] +"rand_core::BlockRng::next_u64" = ["< 0.4.2"] + +[versions] +patched = [">= 0.4.2"] +``` + +# Unaligned memory access + Affected versions of this crate violated alignment when casting byte slices to integer slices, resulting in undefined behavior. The flaw was corrected by Ralf Jung and Diggory Hardy. -""" -url = "https://github.com/rust-random/rand/blob/master/rand_core/CHANGELOG.md#050---2019-06-06" - -[affected.functions] -"rand_core::BlockRng::next_u64" = ["< 0.4.2"] -"rand_core::BlockRng::fill_bytes" = ["< 0.4.2"] - -[versions] -patched = [">= 0.4.2"] diff --git a/crates/renderdoc/RUSTSEC-2019-0018.toml b/crates/renderdoc/RUSTSEC-2019-0018.md similarity index 90% rename from crates/renderdoc/RUSTSEC-2019-0018.toml rename to crates/renderdoc/RUSTSEC-2019-0018.md index 9f68bbb0..a361c02a 100644 --- a/crates/renderdoc/RUSTSEC-2019-0018.toml +++ b/crates/renderdoc/RUSTSEC-2019-0018.md 
@@ -1,11 +1,22 @@ +```toml [advisory] id = "RUSTSEC-2019-0018" package = "renderdoc" +aliases = ["CVE-2019-16142"] date = "2019-09-02" -title = "Internally mutating methods take immutable ref self" -url = "https://github.com/ebkalderon/renderdoc-rs/pull/32" keywords = ["undefined_behavior"] -description = """ +url = "https://github.com/ebkalderon/renderdoc-rs/pull/32" + +[affected.functions] +"renderdoc::api::RenderDocV110::trigger_multi_frame_capture" = ["< 0.5.0"] +"renderdoc::api::RenderDocV120::set_capture_file_comments" = ["< 0.5.0"] + +[versions] +patched = [">= 0.5.0"] +``` + +# Internally mutating methods take immutable ref self + Affected versions of this crate exposed several methods which took `self` by immutable reference, despite the requesting the RenderDoc API to set a mutable value internally. @@ -14,12 +25,3 @@ This is technically unsound and calling these methods from multiple threads without synchronization could lead to unexpected and unpredictable behavior. The flaw was corrected in release 0.5.0. -""" -aliases = ["CVE-2019-16142"] - -[affected.functions] -"renderdoc::api::RenderDocV110::trigger_multi_frame_capture" = ["< 0.5.0"] -"renderdoc::api::RenderDocV120::set_capture_file_comments" = ["< 0.5.0"] - -[versions] -patched = [">= 0.5.0"] diff --git a/crates/rgb/RUSTSEC-2020-0029.toml b/crates/rgb/RUSTSEC-2020-0029.md similarity index 91% rename from crates/rgb/RUSTSEC-2020-0029.toml rename to crates/rgb/RUSTSEC-2020-0029.md index ef91b8d2..947d448c 100644 --- a/crates/rgb/RUSTSEC-2020-0029.toml +++ b/crates/rgb/RUSTSEC-2020-0029.md 
@@ -1,13 +1,20 @@ +```toml [advisory] id = "RUSTSEC-2020-0029" -aliases = ["CVE-2020-25016"] package = "rgb" +aliases = ["CVE-2020-25016"] date = "2020-06-14" -title = "Allows viewing and modifying arbitrary structs as bytes" -url = "https://github.com/kornelski/rust-rgb/issues/35" informational = "unsound" keywords = ["type confusion"] -description = """ +url = "https://github.com/kornelski/rust-rgb/issues/35" + +[versions] +patched = [">= 0.8.20"] +unaffected = ["< 0.5.4"] +``` + +# Allows viewing and modifying arbitrary structs as bytes + Affected versions of rgb crate allow viewing and modifying data of any type `T` wrapped in `RGB` as bytes, and do not correctly constrain `RGB` and other wrapper structures to the types for which it is safe to do so. @@ -18,7 +25,3 @@ Safety violation possible for a type wrapped in `RGB` and similar wrapper str * Any safety and/or validity invariants for `T` may be violated. The issue was resolved by requiring all types wrapped in structures provided by RGB crate to implement an unsafe marker trait. -""" -[versions] -patched = [">= 0.8.20"] -unaffected = ["< 0.5.4"] diff --git a/crates/rio/RUSTSEC-2020-0021.toml b/crates/rio/RUSTSEC-2020-0021.md similarity index 85% rename from crates/rio/RUSTSEC-2020-0021.toml rename to crates/rio/RUSTSEC-2020-0021.md index 595702bf..9a589283 100644 --- a/crates/rio/RUSTSEC-2020-0021.toml +++ b/crates/rio/RUSTSEC-2020-0021.md 
@@ -1,11 +1,17 @@ +```toml [advisory] +categories = ["memory-corruption", "memory-exposure"] +date = "2020-05-11" id = "RUSTSEC-2020-0021" package = "rio" -date = "2020-05-11" -title = "rio allows a use-after-free buffer access when a future is leaked" url = "https://github.com/spacejam/rio/issues/11" -categories = ["memory-corruption", "memory-exposure"] -description = """ + +[versions] +patched = [] +``` + +# rio allows a use-after-free buffer access when a future is leaked + When a `rio::Completion` is leaked, its drop code will not run. The drop code is responsible for waiting until the kernel completes the I/O operation into, or out of, the buffer borrowed by `rio::Completion`. Leaking the struct will allow @@ -13,7 +19,3 @@ one to access and/or drop the buffer, which can lead to a use-after-free, data races or leaking secrets. Upstream is not interested in fixing the issue. -""" - -[versions] -patched = [] diff --git a/crates/rmpv/RUSTSEC-2017-0006.toml b/crates/rmpv/RUSTSEC-2017-0006.md similarity index 89% rename from crates/rmpv/RUSTSEC-2017-0006.toml rename to crates/rmpv/RUSTSEC-2017-0006.md index be8af43d..c5944dce 100644 --- a/crates/rmpv/RUSTSEC-2017-0006.toml +++ b/crates/rmpv/RUSTSEC-2017-0006.md 
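Review bot: In the rio front matter the added `categories` and `date` lines sit above `id` and `package`, whereas every other converted advisory in this commit keeps `id` then `package` as the first two keys and orders the remaining keys alphabetically after them; the same happens in RUSTSEC-2018-0018 (smallvec), where the added `date` line precedes `id`. Moving those lines below `package` keeps the front matter uniform across the database and makes the `id`/`package` pair easy to spot when scanning a file. If this ordering comes from the conversion tooling rather than from hand edits, the key sort appears to differ between files and is worth checking before more advisories are converted.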
@@ -1,18 +1,20 @@ +```toml [advisory] id = "RUSTSEC-2017-0006" package = "rmpv" -date = "2017-11-21" -title = "Unchecked vector pre-allocation" -url = "https://github.com/3Hren/msgpack-rust/issues/151" categories = ["denial-of-service"] +date = "2017-11-21" keywords = ["memory", "dos", "msgpack", "serialization", "deserialization"] -description = """ +url = "https://github.com/3Hren/msgpack-rust/issues/151" + +[versions] +patched = [">= 0.4.2"] +``` + +# Unchecked vector pre-allocation + Affected versions of this crate pre-allocate memory on deserializing raw buffers without checking whether there is sufficient data available. This allows an attacker to do denial-of-service attacks by sending small msgpack messages that allocate gigabytes of memory. -""" - -[versions] -patched = [">= 0.4.2"] diff --git a/crates/rocket/RUSTSEC-2020-0028.toml b/crates/rocket/RUSTSEC-2020-0028.md similarity index 71% rename from crates/rocket/RUSTSEC-2020-0028.toml rename to crates/rocket/RUSTSEC-2020-0028.md index 281cec89..35e600fb 100644 --- a/crates/rocket/RUSTSEC-2020-0028.toml +++ b/crates/rocket/RUSTSEC-2020-0028.md 
@@ -1,20 +1,22 @@ +```toml [advisory] id = "RUSTSEC-2020-0028" package = "rocket" date = "2020-05-27" informational = "unsound" -title = "`LocalRequest::clone` creates multiple mutable references to the same object" url = "https://github.com/SergioBenitez/Rocket/issues/1312" -description = """ -The affected version of `rocket` contains a `Clone` trait implementation of -`LocalRequest` that reuses the pointer to inner `Request` object. -This causes data race in rare combinations of APIs if the original and the -cloned objects are modified at the same time. -""" -[affected] -functions = { "rocket::local::LocalRequest::clone" = ["< 0.4.5, >= 0.4.0"] } +[affected.functions] +"rocket::local::LocalRequest::clone" = ["< 0.4.5, >= 0.4.0"] [versions] patched = [">= 0.4.5"] unaffected = ["< 0.4.0"] +``` + +# `LocalRequest::clone` creates multiple mutable references to the same object + +The affected version of `rocket` contains a `Clone` trait implementation of +`LocalRequest` that reuses the pointer to inner `Request` object. +This causes data race in rare combinations of APIs if the original and the +cloned objects are modified at the same time. diff --git a/crates/rulinalg/RUSTSEC-2020-0023.toml b/crates/rulinalg/RUSTSEC-2020-0023.md similarity index 68% rename from crates/rulinalg/RUSTSEC-2020-0023.toml rename to crates/rulinalg/RUSTSEC-2020-0023.md index 1ed0da35..f9e8d7c6 100644 --- a/crates/rulinalg/RUSTSEC-2020-0023.toml +++ b/crates/rulinalg/RUSTSEC-2020-0023.md 
@@ -1,23 +1,23 @@ +```toml [advisory] id = "RUSTSEC-2020-0023" package = "rulinalg" date = "2020-02-11" -title = "Lifetime boundary for `raw_slice` and `raw_slice_mut` are incorrect" url = "https://github.com/AtheMathmo/rulinalg/issues/201" -description = """ + +[affected.functions] +"rulinalg::matrix::RowMut::raw_slice" = [">= 0.4.0"] +"rulinalg::matrix::RowMut::raw_slice_mut" = [">= 0.4.0"] + +[versions] +patched = [] +unaffected = ["< 0.4.0"] +``` + +# Lifetime boundary for `raw_slice` and `raw_slice_mut` are incorrect + The affected version of `rulinalg` has incorrect lifetime boundary definitions for `RowMut::raw_slice` and `RowMut::raw_slice_mut`. They do not conform with Rust's borrowing rule and allows the user to create multiple mutable references to the same location. This may result in unexpected calculation result and data race if both references are used at the same time. -""" - -[affected] - - [affected.functions] - "rulinalg::matrix::RowMut::raw_slice" = [">= 0.4.0"] - "rulinalg::matrix::RowMut::raw_slice_mut" = [">= 0.4.0"] - -[versions] -patched = [] -unaffected = ["< 0.4.0"] diff --git a/crates/rusqlite/RUSTSEC-2020-0014.toml b/crates/rusqlite/RUSTSEC-2020-0014.md similarity index 91% rename from crates/rusqlite/RUSTSEC-2020-0014.toml rename to crates/rusqlite/RUSTSEC-2020-0014.md index f49c980c..ad3c920e 100644 --- a/crates/rusqlite/RUSTSEC-2020-0014.toml +++ b/crates/rusqlite/RUSTSEC-2020-0014.md 
@@ -1,24 +1,25 @@ +```toml [advisory] id = "RUSTSEC-2020-0014" package = "rusqlite" date = "2020-04-23" -title = "Various memory safety issues" url = "https://github.com/rusqlite/rusqlite/releases/tag/0.23.0" -description = """ +[affected.functions] +"rusqlite::Connection::get_aux" = ["< 0.23.0"] +"rusqlite::Connection::set_aux" = ["< 0.23.0"] +"rusqlite::session::Session::attach" = ["< 0.23.0"] +"rusqlite::session::Session::diff" = ["< 0.23.0"] +"rusqlite::trace::log" = ["< 0.23.0"] +"rusqlite::vtab::create_module" = ["< 0.23.0"] + +[versions] +patched = [">= 0.23.0"] +``` + +# Various memory safety issues + Several memory safety issues have been uncovered in an audit of rusqlite. See https://github.com/rusqlite/rusqlite/releases/tag/0.23.0 for a complete list. -""" - -[affected.functions] -"rusqlite::trace::log" = ["< 0.23.0"] -"rusqlite::Connection::set_aux" = ["< 0.23.0"] -"rusqlite::Connection::get_aux" = ["< 0.23.0"] -"rusqlite::vtab::create_module" = ["< 0.23.0"] -"rusqlite::session::Session::attach" = ["< 0.23.0"] -"rusqlite::session::Session::diff" = ["< 0.23.0"] - -[versions] -patched = [">= 0.23.0"] diff --git a/crates/rust-crypto/RUSTSEC-2016-0005.toml b/crates/rust-crypto/RUSTSEC-2016-0005.md similarity index 95% rename from crates/rust-crypto/RUSTSEC-2016-0005.toml rename to crates/rust-crypto/RUSTSEC-2016-0005.md index d12296c3..1367aa6f 100644 --- a/crates/rust-crypto/RUSTSEC-2016-0005.toml +++ b/crates/rust-crypto/RUSTSEC-2016-0005.md 
@@ -1,11 +1,18 @@ +```toml [advisory] id = "RUSTSEC-2016-0005" package = "rust-crypto" -title = "rust-crypto is unmaintained; switch to a modern alternative" +date = "2016-09-06" informational = "unmaintained" -date = "2016-09-06" # last GitHub commit url = "https://github.com/DaGenix/rust-crypto/issues/440" -description = """ + +[versions] +patched = [] +unaffected = ["> 0.2.36"] +``` + +# rust-crypto is unmaintained; switch to a modern alternative + The `rust-crypto` crate has not seen a release or GitHub commit since 2016, and its author is unresponsive. @@ -87,8 +94,3 @@ which algorithms you need: [`x25519-dalek`]: https://crates.io/crates/x25519-dalek [`xsalsa20poly1305`]: https://crates.io/crates/xsalsa20poly1305 [`orion`]: https://crates.io/crates/orion -""" - -[versions] -unaffected = ["> 0.2.36"] # last release -patched = [] diff --git a/crates/rust_sodium/RUSTSEC-2020-0003.toml b/crates/rust_sodium/RUSTSEC-2020-0003.md similarity index 84% rename from crates/rust_sodium/RUSTSEC-2020-0003.toml rename to crates/rust_sodium/RUSTSEC-2020-0003.md index f8f3fb58..d446b165 100644 --- a/crates/rust_sodium/RUSTSEC-2020-0003.toml +++ b/crates/rust_sodium/RUSTSEC-2020-0003.md 
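Review bot: The new front matter drops the two provenance comments from the old file: `# last GitHub commit` on the `date` line in the first hunk and `# last release` on the `unaffected` bound in the second hunk (`@@ -87,8 +94,3 @@`). For an unmaintained-crate advisory those annotations record why that particular date and version bound were chosen, which is not otherwise derivable from the file. Keep them as trailing comments inside the toml fence: `date = "2016-09-06" # last GitHub commit` and `unaffected = ["> 0.2.36"] # last release`.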
@@ -1,19 +1,21 @@ +```toml [advisory] id = "RUSTSEC-2020-0003" package = "rust_sodium" date = "2020-01-20" informational = "unmaintained" -title = "rust_sodium is unmaintained; switch to a modern alternative" -description = """ +url = "https://github.com/maidsafe/rust_sodium/pull/117" + +[versions] +patched = [] +unaffected = ["> 0.10.2"] +``` + +# rust_sodium is unmaintained; switch to a modern alternative + The `rust_sodium` crate is no longer maintained by its current owner, who advise in the repository readme that they are looking for someone else to take ownership of it. We recommend you switch to an alternative crate such as: - [`sodiumoxide`](https://crates.io/crates/sodiumoxide) -""" -url = "https://github.com/maidsafe/rust_sodium/pull/117" - -[versions] -patched = [] -unaffected = ["> 0.10.2"] diff --git a/crates/rustsec-example-crate/RUSTSEC-2019-0024.toml b/crates/rustsec-example-crate/RUSTSEC-2019-0024.md similarity index 92% rename from crates/rustsec-example-crate/RUSTSEC-2019-0024.toml rename to crates/rustsec-example-crate/RUSTSEC-2019-0024.md index e2ad1ae4..390d642c 100644 --- a/crates/rustsec-example-crate/RUSTSEC-2019-0024.toml +++ b/crates/rustsec-example-crate/RUSTSEC-2019-0024.md @@ -1,10 +1,16 @@ +```toml [advisory] id = "RUSTSEC-2019-0024" package = "rustsec-example-crate" date = "2019-10-08" url = "https://github.com/RustSec/advisory-db/issues/158" -title = "Test advisory with associated example crate" -description = """ + +[versions] +patched = [">= 1.0.0"] +``` + +# Test advisory with associated example crate + This is a test advisory useful for verifying RustSec tooling and vulnerability detection pipelines are working correctly. Aside from the fact that it is filed against an example crate, it is otherwise considered by the Advisory Database 
@@ -21,7 +27,3 @@ identical to the v0.0.1 release) [v0.0.1]: https://crates.io/crates/rustsec-example-crate/0.0.1 [v1.0.0]: https://crates.io/crates/rustsec-example-crate/1.0.0 -""" - -[versions] -patched = [">= 1.0.0"] diff --git a/crates/rustsec/RUSTSEC-2020-0051.toml b/crates/rustsec/RUSTSEC-2020-0051.md similarity index 81% rename from crates/rustsec/RUSTSEC-2020-0051.toml rename to crates/rustsec/RUSTSEC-2020-0051.md index 7a7288ff..82f07127 100644 --- a/crates/rustsec/RUSTSEC-2020-0051.toml +++ b/crates/rustsec/RUSTSEC-2020-0051.md @@ -1,10 +1,17 @@ +```toml [advisory] id = "RUSTSEC-2020-0051" package = "rustsec" -title = "Obsolete versions of the `rustsec` crate do not support the new V3 advisory format" date = "2020-10-01" url = "https://github.com/RustSec/advisory-db/issues/414" -description = """ + +[versions] +patched = [] +unaffected = [">= 0.19.0"] +``` + +# Obsolete versions of the `rustsec` crate do not support the new V3 advisory format + If you are seeing this message, you are running an obsolete version of `cargo-audit` which does not support the new V3 advisory format. These versions are end-of-life. @@ -13,8 +20,3 @@ This advisory is a notice that that it will soon be unable to parse the advisory database. Please upgrade `cargo-audit` to a newer release. -""" - -[versions] -unaffected = [">= 0.19.0"] -patched = [] diff --git a/crates/safe-transmute/RUSTSEC-2018-0013.toml b/crates/safe-transmute/RUSTSEC-2018-0013.md similarity index 61% rename from crates/safe-transmute/RUSTSEC-2018-0013.toml rename to crates/safe-transmute/RUSTSEC-2018-0013.md index 55ce7ecb..b59de5eb 100644 --- a/crates/safe-transmute/RUSTSEC-2018-0013.toml +++ b/crates/safe-transmute/RUSTSEC-2018-0013.md 
@@ -1,23 +1,20 @@ +```toml [advisory] id = "RUSTSEC-2018-0013" package = "safe-transmute" -date = "2018-11-27" -title = "Vec-to-vec transmutations could lead to heap overflow/corruption" -description = """ -Affected versions of this crate switched the length and capacity arguments in the Vec::from_raw_parts() constructor, -which could lead to memory corruption or data leakage. - -The flaw was corrected by using the constructor correctly. -""" -url = "https://github.com/nabijaczleweli/safe-transmute-rs/pull/36" -keywords = ["memory-corruption"] - -# TODO(tarcieri): fix linter to respect crate name -#[affected.functions] -#"safe_transmute::guarded_transmute_vec_permissive" = [">= 0.4.0, <= 0.10.0"] -#"safe_transmute::guarded_transmute_to_bytes_vec" = ["= 0.10.0"] aliases = ["CVE-2018-21000"] +date = "2018-11-27" +keywords = ["memory-corruption"] +url = "https://github.com/nabijaczleweli/safe-transmute-rs/pull/36" [versions] patched = [">= 0.10.1"] unaffected = ["< 0.4.0"] +``` + +# Vec-to-vec transmutations could lead to heap overflow/corruption + +Affected versions of this crate switched the length and capacity arguments in the Vec::from_raw_parts() constructor, +which could lead to memory corruption or data leakage. + +The flaw was corrected by using the constructor correctly. diff --git a/crates/security-framework/RUSTSEC-2017-0003.toml b/crates/security-framework/RUSTSEC-2017-0003.md similarity index 84% rename from crates/security-framework/RUSTSEC-2017-0003.toml rename to crates/security-framework/RUSTSEC-2017-0003.md index 5577db26..e55a85b1 100644 --- a/crates/security-framework/RUSTSEC-2017-0003.toml +++ b/crates/security-framework/RUSTSEC-2017-0003.md 
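Review bot: The rewrite deletes the `# TODO(tarcieri): fix linter to respect crate name` note together with the two commented-out `[affected.functions]` entries for `safe_transmute::guarded_transmute_vec_permissive` and `safe_transmute::guarded_transmute_to_bytes_vec`, and nothing in the new file records either. Unless the linter issue is resolved and the function-level scope is intentionally abandoned, carry the TODO and the commented entries into the toml fence so the pending work stays visible where the advisory is maintained. If the linter now accepts the underscore crate path, the entries could instead become a real `[affected.functions]` table, as the other advisories in this commit use.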
@@ -1,19 +1,21 @@ +```toml [advisory] id = "RUSTSEC-2017-0003" package = "security-framework" +aliases = ["CVE-2017-18588"] date = "2017-03-15" keywords = ["mitm"] url = "https://github.com/sfackler/rust-security-framework/pull/27" -title = "Hostname verification skipped when custom root certs used" -description = """ + +[versions] +patched = [">= 0.1.12"] +``` + +# Hostname verification skipped when custom root certs used + If custom root certificates were registered with a `ClientBuilder`, the hostname of the target server would not be validated against its presented leaf certificate. This issue was fixed by properly configuring the trust evaluation logic to perform that check. -""" -aliases = ["CVE-2017-18588"] - -[versions] -patched = [">= 0.1.12"] diff --git a/crates/serde_cbor/RUSTSEC-2019-0025.toml b/crates/serde_cbor/RUSTSEC-2019-0025.md similarity index 87% rename from crates/serde_cbor/RUSTSEC-2019-0025.toml rename to crates/serde_cbor/RUSTSEC-2019-0025.md index 84886d34..9e005205 100644 --- a/crates/serde_cbor/RUSTSEC-2019-0025.toml +++ b/crates/serde_cbor/RUSTSEC-2019-0025.md @@ -1,18 +1,20 @@ +```toml [advisory] id = "RUSTSEC-2019-0025" package = "serde_cbor" -date = "2019-10-03" -title = "Flaw in CBOR deserializer allows stack overflow" -url = "https://github.com/pyfisch/cbor/releases/tag/v0.10.2" categories = ["crypto-failure"] +date = "2019-10-03" keywords = ["stack-overflow", "crash", "denial-of-service"] -description = """ +url = "https://github.com/pyfisch/cbor/releases/tag/v0.10.2" + +[versions] +patched = [">= 0.10.2"] +``` + +# Flaw in CBOR deserializer allows stack overflow + Affected versions of this crate did not properly check if semantic tags were nested excessively during deserialization. This allows an attacker to craft small (< 1 kB) CBOR documents that cause a stack overflow. The flaw was corrected by limiting the allowed number of nested tags. -""" - -[versions] -patched = [">= 0.10.2"] 
diff --git a/crates/serde_yaml/RUSTSEC-2018-0005.toml b/crates/serde_yaml/RUSTSEC-2018-0005.md similarity index 84% rename from crates/serde_yaml/RUSTSEC-2018-0005.toml rename to crates/serde_yaml/RUSTSEC-2018-0005.md index 201c9f1f..0e2e8cec 100644 --- a/crates/serde_yaml/RUSTSEC-2018-0005.toml +++ b/crates/serde_yaml/RUSTSEC-2018-0005.md @@ -1,11 +1,18 @@ +```toml [advisory] id = "RUSTSEC-2018-0005" package = "serde_yaml" date = "2018-09-17" -title = "Uncontrolled recursion leads to abort in deserialization" -url = "https://github.com/dtolnay/serde-yaml/pull/105" keywords = ["crash"] -description = """ +url = "https://github.com/dtolnay/serde-yaml/pull/105" + +[versions] +patched = [">= 0.8.4"] +unaffected = ["< 0.6.0-rc1"] +``` + +# Uncontrolled recursion leads to abort in deserialization + Affected versions of this crate did not properly check for recursion while deserializing aliases. @@ -13,8 +20,3 @@ This allows an attacker to make a YAML file with an alias referring to itself causing an abort. The flaw was corrected by checking the recursion depth. -""" - -[versions] -patched = [">= 0.8.4"] -unaffected = ["< 0.6.0-rc1"] diff --git a/crates/simd-json/RUSTSEC-2019-0008.toml b/crates/simd-json/RUSTSEC-2019-0008.md similarity index 90% rename from crates/simd-json/RUSTSEC-2019-0008.toml rename to crates/simd-json/RUSTSEC-2019-0008.md index 87bf9524..289adbbd 100644 --- a/crates/simd-json/RUSTSEC-2019-0008.toml +++ b/crates/simd-json/RUSTSEC-2019-0008.md 
@@ -1,11 +1,22 @@ +```toml [advisory] id = "RUSTSEC-2019-0008" package = "simd-json" +aliases = ["CVE-2019-15550"] date = "2019-06-24" -title = "Flaw in string parsing can lead to crashes due to invalid memory access." -url = "https://github.com/Licenser/simdjson-rs/pull/27" keywords = ["simd"] -description = """ +url = "https://github.com/Licenser/simdjson-rs/pull/27" + +[affected] +arch = ["x86", "x86_64"] + +[versions] +patched = [">= 0.1.15"] +unaffected = ["<= 0.1.13"] +``` + +# Flaw in string parsing can lead to crashes due to invalid memory access. + The affected version of this crate did not guard against accessing memory beyond the range of its input data. A pointer cast to read the data into a 256-bit register could lead to a segmentation fault when the end plus @@ -23,12 +34,3 @@ This allows an attacker to eventually crash a service. The flaw was corrected by using a padding buffer for the last read from the input. So that we are we never read over the boundary of the input data. -""" -aliases = ["CVE-2019-15550"] - -[affected] -arch = ["x86", "x86_64"] - -[versions] -patched = [">= 0.1.15"] -unaffected = ["<= 0.1.13"] diff --git a/crates/simple-slab/RUSTSEC-2020-0039.toml b/crates/simple-slab/RUSTSEC-2020-0039.md similarity index 80% rename from crates/simple-slab/RUSTSEC-2020-0039.toml rename to crates/simple-slab/RUSTSEC-2020-0039.md index 1d27c423..6b1c1643 100644 --- a/crates/simple-slab/RUSTSEC-2020-0039.toml +++ b/crates/simple-slab/RUSTSEC-2020-0039.md 
@@ -1,12 +1,14 @@ +```toml [advisory] id = "RUSTSEC-2020-0039" package = "simple-slab" date = "2020-09-03" -title = "`index()` allows out-of-bound read and `remove()` has off-by-one error" url = "https://github.com/nathansizemore/simple-slab/issues/2" -description = """ -`Slab::index()` does not perform the boundary checking, which leads to out-of-bound read access. `Slab::remove()` copies an element from an invalid address due to off-by-one error, resulting in memory leakage and uninitialized memory drop. -""" [versions] patched = [">= 0.3.3"] +``` + +# `index()` allows out-of-bound read and `remove()` has off-by-one error + +`Slab::index()` does not perform the boundary checking, which leads to out-of-bound read access. `Slab::remove()` copies an element from an invalid address due to off-by-one error, resulting in memory leakage and uninitialized memory drop. diff --git a/crates/sized-chunks/RUSTSEC-2020-0041.toml b/crates/sized-chunks/RUSTSEC-2020-0041.md similarity index 88% rename from crates/sized-chunks/RUSTSEC-2020-0041.toml rename to crates/sized-chunks/RUSTSEC-2020-0041.md index 21139a19..00826c7c 100644 --- a/crates/sized-chunks/RUSTSEC-2020-0041.toml +++ b/crates/sized-chunks/RUSTSEC-2020-0041.md @@ -1,11 +1,17 @@ +```toml [advisory] id = "RUSTSEC-2020-0041" -aliases = ["CVE-2020-25791", "CVE-2020-25792", "CVE-2020-25793", "CVE-2020-25794", "CVE-2020-25795", "CVE-2020-25796"] package = "sized-chunks" +aliases = ["CVE-2020-25791", "CVE-2020-25792", "CVE-2020-25793", "CVE-2020-25794", "CVE-2020-25795", "CVE-2020-25796"] date = "2020-09-06" -title = "Multiple soundness issues in Chunk and InlineArray" url = "https://github.com/bodil/sized-chunks/issues/11" -description = """ + +[versions] +patched = [] +``` + +# Multiple soundness issues in Chunk and InlineArray + Chunk: * Array size is not checked when constructed with `unit()` and `pair()`. 
@@ -15,7 +21,3 @@ Chunk: InlineArray: * Generates unaligned references for types with a large alignment requirement. -""" - -[versions] -patched = [] diff --git a/crates/slice-deque/RUSTSEC-2018-0008.toml b/crates/slice-deque/RUSTSEC-2018-0008.md similarity index 90% rename from crates/slice-deque/RUSTSEC-2018-0008.toml rename to crates/slice-deque/RUSTSEC-2018-0008.md index 6d16a904..fc0fc3b2 100644 --- a/crates/slice-deque/RUSTSEC-2018-0008.toml +++ b/crates/slice-deque/RUSTSEC-2018-0008.md @@ -1,11 +1,17 @@ +```toml [advisory] id = "RUSTSEC-2018-0008" package = "slice-deque" +aliases = ["CVE-2018-20995"] date = "2018-12-05" -url = "https://github.com/gnzlbg/slice_deque/issues/57" keywords = ["memory-corruption", "rce"] -title = "Bug in SliceDeque::move_head_unchecked allows read of corrupted memory" -description = """ +url = "https://github.com/gnzlbg/slice_deque/issues/57" + +[versions] +patched = [">= 0.1.16"] +``` + +# Bug in SliceDeque::move_head_unchecked allows read of corrupted memory Affected versions of this crate did not properly update the head and tail of the deque when inserting and removing elements from the front @@ -21,8 +27,4 @@ containing previously dropped objects, etc. An attacker could exploit this to alter program execution. The flaw was corrected by properly updating the head and tail of the deque in -this case. """ -aliases = ["CVE-2018-20995"] - -[versions] -patched = [">= 0.1.16"] +this case. diff --git a/crates/slice-deque/RUSTSEC-2019-0002.toml b/crates/slice-deque/RUSTSEC-2019-0002.md similarity index 92% rename from crates/slice-deque/RUSTSEC-2019-0002.toml rename to crates/slice-deque/RUSTSEC-2019-0002.md index e79e0b1b..eb83acdd 100644 --- a/crates/slice-deque/RUSTSEC-2019-0002.toml +++ b/crates/slice-deque/RUSTSEC-2019-0002.md 
@@ -1,12 +1,19 @@ +```toml [advisory] id = "RUSTSEC-2019-0002" package = "slice-deque" +aliases = ["CVE-2019-15543"] date = "2019-05-07" -title = "Bug in SliceDeque::move_head_unchecked corrupts its memory" -url = "https://github.com/gnzlbg/slice_deque/issues/57" keywords = ["memory-corruption", "rce"] references = ["RUSTSEC-2018-0008"] -description = """ +url = "https://github.com/gnzlbg/slice_deque/issues/57" + +[versions] +patched = [">= 0.2.0"] +``` + +# Bug in SliceDeque::move_head_unchecked corrupts its memory + Affected versions of this crate entered a corrupted state if `mem::size_of::() % allocation_granularity() != 0` and a specific allocation pattern was used: sufficiently shifting the deque elements over the mirrored @@ -21,8 +28,3 @@ whose value representation is not meaningful). This is undefined behavior. The flaw was corrected by using a pair of pointers to track the head and tail of the deque instead of a pair of indices. This pair of pointers are represented using a Rust slice. -""" -aliases = ["CVE-2019-15543"] - -[versions] -patched = [">= 0.2.0"] diff --git a/crates/smallvec/RUSTSEC-2018-0003.toml b/crates/smallvec/RUSTSEC-2018-0003.md similarity index 89% rename from crates/smallvec/RUSTSEC-2018-0003.toml rename to crates/smallvec/RUSTSEC-2018-0003.md index f66ca05d..9aa95f29 100644 --- a/crates/smallvec/RUSTSEC-2018-0003.toml +++ b/crates/smallvec/RUSTSEC-2018-0003.md 
@@ -1,11 +1,19 @@ +```toml [advisory] id = "RUSTSEC-2018-0003" package = "smallvec" -url = "https://github.com/servo/rust-smallvec/issues/96" -keywords = ["memory-corruption"] -title = "Possible double free during unwinding in SmallVec::insert_many" +aliases = ["CVE-2018-20991"] date = "2018-07-19" -description = """ +keywords = ["memory-corruption"] +url = "https://github.com/servo/rust-smallvec/issues/96" + +[versions] +patched = [">= 0.6.3", "^0.3.4", "^0.4.5", "^0.5.1"] +unaffected = ["< 0.3.2"] +``` + +# Possible double free during unwinding in SmallVec::insert_many + If an iterator passed to `SmallVec::insert_many` panicked in `Iterator::next`, destructors were run during unwinding while the vector was in an inconsistent state, possibly causing a double free (a destructor running on two copies of @@ -17,9 +25,3 @@ original positions. Items may now be leaked if `Iterator::next` panics, but they will not be dropped more than once. Thank you to @Vurich for reporting this bug. -""" -aliases = ["CVE-2018-20991"] - -[versions] -unaffected = ["< 0.3.2"] -patched = [">= 0.6.3", "^0.3.4", "^0.4.5", "^0.5.1"] diff --git a/crates/smallvec/RUSTSEC-2018-0018.toml b/crates/smallvec/RUSTSEC-2018-0018.md similarity index 86% rename from crates/smallvec/RUSTSEC-2018-0018.toml rename to crates/smallvec/RUSTSEC-2018-0018.md index 6322c51d..8489129d 100644 --- a/crates/smallvec/RUSTSEC-2018-0018.toml +++ b/crates/smallvec/RUSTSEC-2018-0018.md 
@@ -1,18 +1,18 @@ +```toml [advisory] +date = "2018-09-25" id = "RUSTSEC-2018-0018" package = "smallvec" -date = "2018-09-25" informational = "unsound" - -title = "smallvec creates uninitialized value of any type" url = "https://github.com/servo/rust-smallvec/issues/126" -description = """ +[versions] +patched = [">= 0.6.13"] +``` + +# smallvec creates uninitialized value of any type + Affected versions of this crate called `mem::uninitialized()` to create values of a user-supplied type `T`. This is unsound e.g. if `T` is a reference type (which must be non-null and thus may not remain uninitialized). The flaw was corrected by avoiding the use of `mem::uninitialized()`, using `MaybeUninit` instead. -""" - -[versions] -patched = [">= 0.6.13"] diff --git a/crates/smallvec/RUSTSEC-2019-0009.toml b/crates/smallvec/RUSTSEC-2019-0009.md similarity index 90% rename from crates/smallvec/RUSTSEC-2019-0009.toml rename to crates/smallvec/RUSTSEC-2019-0009.md index a832ff93..b634f141 100644 --- a/crates/smallvec/RUSTSEC-2019-0009.toml +++ b/crates/smallvec/RUSTSEC-2019-0009.md 
@@ -1,18 +1,11 @@ +```toml [advisory] id = "RUSTSEC-2019-0009" package = "smallvec" -date = "2019-06-06" -title = "Double-free and use-after-free in SmallVec::grow()" -url = "https://github.com/servo/rust-smallvec/issues/148" -keywords = ["double free", "use after free", "arbitrary code execution"] -description = """ -Attempting to call `grow` on a spilled SmallVec with a value equal to the current capacity causes it to free the existing data. This performs a double free immediately and may lead to use-after-free on subsequent accesses to the SmallVec contents. - -An attacker that controls the value passed to `grow` may exploit this flaw to obtain memory contents or gain remote code execution. - -Credits to @ehuss for discovering, reporting and fixing the bug. -""" aliases = ["CVE-2019-15551"] +date = "2019-06-06" +keywords = ["double free", "use after free", "arbitrary code execution"] +url = "https://github.com/servo/rust-smallvec/issues/148" [affected.functions] "smallvec::SmallVec::grow" = ["< 0.6.10, >= 0.6.5"] @@ -20,3 +13,12 @@ aliases = ["CVE-2019-15551"] [versions] patched = [">= 0.6.10"] unaffected = ["< 0.6.5"] +``` + +# Double-free and use-after-free in SmallVec::grow() + +Attempting to call `grow` on a spilled SmallVec with a value equal to the current capacity causes it to free the existing data. This performs a double free immediately and may lead to use-after-free on subsequent accesses to the SmallVec contents. + +An attacker that controls the value passed to `grow` may exploit this flaw to obtain memory contents or gain remote code execution. + +Credits to @ehuss for discovering, reporting and fixing the bug. diff --git a/crates/smallvec/RUSTSEC-2019-0012.toml b/crates/smallvec/RUSTSEC-2019-0012.md similarity index 90% rename from crates/smallvec/RUSTSEC-2019-0012.toml rename to crates/smallvec/RUSTSEC-2019-0012.md index 3f0951a0..c4308ae0 100644 --- a/crates/smallvec/RUSTSEC-2019-0012.toml +++ b/crates/smallvec/RUSTSEC-2019-0012.md 
@@ -1,18 +1,11 @@ +```toml [advisory] id = "RUSTSEC-2019-0012" package = "smallvec" -date = "2019-07-19" -title = "Memory corruption in SmallVec::grow()" -url = "https://github.com/servo/rust-smallvec/issues/149" -categories = ["code-execution", "memory-corruption"] -description = """ -Attempting to call `grow` on a spilled SmallVec with a value less than the current capacity causes corruption of memory allocator data structures. - -An attacker that controls the value passed to `grow` may exploit this flaw to obtain memory contents or gain remote code execution. - -Credits to @ehuss for discovering, reporting and fixing the bug. -""" aliases = ["CVE-2019-15554"] +categories = ["code-execution", "memory-corruption"] +date = "2019-07-19" +url = "https://github.com/servo/rust-smallvec/issues/149" [affected.functions] "smallvec::SmallVec::grow" = ["< 0.6.10, >= 0.6.3"] @@ -20,3 +13,12 @@ aliases = ["CVE-2019-15554"] [versions] patched = [">= 0.6.10"] unaffected = ["< 0.6.3"] +``` + +# Memory corruption in SmallVec::grow() + +Attempting to call `grow` on a spilled SmallVec with a value less than the current capacity causes corruption of memory allocator data structures. + +An attacker that controls the value passed to `grow` may exploit this flaw to obtain memory contents or gain remote code execution. + +Credits to @ehuss for discovering, reporting and fixing the bug. diff --git a/crates/sodiumoxide/RUSTSEC-2017-0001.toml b/crates/sodiumoxide/RUSTSEC-2017-0001.md similarity index 86% rename from crates/sodiumoxide/RUSTSEC-2017-0001.toml rename to crates/sodiumoxide/RUSTSEC-2017-0001.md index 3311d4b3..714d4c61 100644 --- a/crates/sodiumoxide/RUSTSEC-2017-0001.toml +++ b/crates/sodiumoxide/RUSTSEC-2017-0001.md @@ -1,3 +1,4 @@ +```toml [advisory] id = "RUSTSEC-2017-0001" package = "sodiumoxide" 
@@ -5,15 +6,16 @@ aliases = ["CVE-2017-1000168"] date = "2017-01-26" keywords = ["cryptography"] url = "https://github.com/dnaq/sodiumoxide/issues/154" -title = "scalarmult() vulnerable to degenerate public keys" -description = """ + +[versions] +patched = [">= 0.0.14"] +``` + +# scalarmult() vulnerable to degenerate public keys + The `scalarmult()` function included in previous versions of this crate accepted all-zero public keys, for which the resulting Diffie-Hellman shared secret will always be zero regardless of the private key used. This issue was fixed by checking for this class of keys and rejecting them if they are used. -""" - -[versions] -patched = [">= 0.0.14"] diff --git a/crates/sodiumoxide/RUSTSEC-2019-0026.toml b/crates/sodiumoxide/RUSTSEC-2019-0026.md similarity index 87% rename from crates/sodiumoxide/RUSTSEC-2019-0026.toml rename to crates/sodiumoxide/RUSTSEC-2019-0026.md index 1f7d450f..9ed6ac25 100644 --- a/crates/sodiumoxide/RUSTSEC-2019-0026.toml +++ b/crates/sodiumoxide/RUSTSEC-2019-0026.md @@ -1,3 +1,4 @@ +```toml [advisory] id = "RUSTSEC-2019-0026" package = "sodiumoxide" @@ -5,16 +6,16 @@ date = "2019-10-11" keywords = ["cryptography"] url = "https://github.com/sodiumoxide/sodiumoxide/pull/381" -title = "generichash::Digest::eq always return true" -description = """ -PartialEq implementation for generichash::Digest has compared itself to itself. - -Digest::eq always returns true and Digest::ne always returns false. -""" - [affected.functions] "sodiumoxide::crypto::generichash::Digest::eq" = ["< 0.2.5, >= 0.2.0"] "sodiumoxide::crypto::generichash::Digest::ne" = ["< 0.2.5, >= 0.2.0"] [versions] patched = [">= 0.2.5"] +``` + +# generichash::Digest::eq always return true + +PartialEq implementation for generichash::Digest has compared itself to itself. + +Digest::eq always returns true and Digest::ne always returns false. 
diff --git a/crates/spin/RUSTSEC-2019-0013.toml b/crates/spin/RUSTSEC-2019-0013.md similarity index 93% rename from crates/spin/RUSTSEC-2019-0013.toml rename to crates/spin/RUSTSEC-2019-0013.md index 2efa0946..4f2cd85b 100644 --- a/crates/spin/RUSTSEC-2019-0013.toml +++ b/crates/spin/RUSTSEC-2019-0013.md @@ -1,11 +1,21 @@ +```toml [advisory] id = "RUSTSEC-2019-0013" package = "spin" +aliases = ["CVE-2019-16137"] date = "2019-08-27" -title = "Wrong memory orderings in RwLock potentially violates mutual exclusion" -url = "https://github.com/mvdnes/spin-rs/issues/65" keywords = ["atomic", "ordering", "spin", "lock", "mutex", "rwlock"] -description = """ +url = "https://github.com/mvdnes/spin-rs/issues/65" + +[affected.functions] +"spin::RwLock::new" = ["< 0.5.2"] + +[versions] +patched = [">= 0.5.2"] +``` + +# Wrong memory orderings in RwLock potentially violates mutual exclusion + Wrong memory orderings inside the RwLock implementation allow for two writers to acquire the lock at the same time. The drop implementation used Ordering::Relaxed, which allows the compiler or CPU to reorder a mutable access on the locked data after the lock has been yielded. Only users of the RwLock implementation are affected. Users of Once (including users of lazy_static with the `spin_no_std` feature enabled) are NOT affected. 
@@ -13,11 +23,3 @@ Only users of the RwLock implementation are affected. Users of Once (including u On strongly ordered CPU architectures like x86, the only real way that this would lead to a memory corruption is if the compiler reorders an access after the lock is yielded, which is possible but in practice unlikely. It is a more serious issue on weakly ordered architectures such as ARM which, except in the presence of certain instructions, allow the hardware to decide which accesses are seen at what times. Therefore on an ARM system it is likely that using the wrong memory ordering would result in a memory corruption, even if the compiler itself doesn't reorder the memory accesses in a buggy way. The flaw was corrected by https://github.com/mvdnes/spin-rs/pull/66. -""" -aliases = ["CVE-2019-16137"] - -[affected.functions] -"spin::RwLock::new" = ["< 0.5.2"] - -[versions] -patched = [">= 0.5.2"] diff --git a/crates/spin/RUSTSEC-2019-0031.toml b/crates/spin/RUSTSEC-2019-0031.md similarity index 85% rename from crates/spin/RUSTSEC-2019-0031.toml rename to crates/spin/RUSTSEC-2019-0031.md index 090de255..5c4931e9 100644 --- a/crates/spin/RUSTSEC-2019-0031.toml +++ b/crates/spin/RUSTSEC-2019-0031.md @@ -1,11 +1,18 @@ +```toml [advisory] id = "RUSTSEC-2019-0031" package = "spin" -title = "spin is no longer actively maintained" -informational = "unmaintained" date = "2019-11-21" +informational = "unmaintained" url = "https://github.com/mvdnes/spin-rs/commit/7516c80" -description = """ + +[versions] +patched = [] +unaffected = ["> 0.5.2"] +``` + +# spin is no longer actively maintained + The author of the `spin` crate does not have time or interest to maintain it. Consider the following alternatives (all of which support `no_std`): 
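Review bot: The added `unaffected = ["> 0.5.2"]` in the spin RUSTSEC-2019-0031 hunk drops the `# last release` annotation that the old line (removed in the following hunk) carried, so a reader can no longer tell why 0.5.2 is the cutoff. The same provenance comments are lost in the stb_truetype and tempdir hunks (`# date when deprecation was announced on project README` on `date`), the term hunk (`# last release` on `unaffected`) and the tiberius hunk (`# last GitHub commit` on `date`, `# last release` on `unaffected`). For unmaintained advisories the `date` and the `unaffected` bound are the only facts that decide which versions are flagged, so the rationale is worth keeping: restore the trailing comments inside the fenced TOML, e.g. `unaffected = ["> 0.5.2"] # last release`, or, if the new front-matter tooling strips comments, state it in the Markdown body.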
@@ -14,8 +21,3 @@ Consider the following alternatives (all of which support `no_std`): - [`lock_api`](https://crates.io/crates/lock_api) (a subproject of `parking_lot`) - [`spinning_top`](https://github.com/rust-osdev/spinning_top) spinlock crate built on `lock_api` - [`spinning`](https://github.com/4lDO2/spinning-rs) -""" - -[versions] -patched = [] -unaffected = ["> 0.5.2"] # last release diff --git a/crates/stack/RUSTSEC-2020-0042.toml b/crates/stack/RUSTSEC-2020-0042.md similarity index 80% rename from crates/stack/RUSTSEC-2020-0042.toml rename to crates/stack/RUSTSEC-2020-0042.md index bde22e3e..a3e9be2a 100644 --- a/crates/stack/RUSTSEC-2020-0042.toml +++ b/crates/stack/RUSTSEC-2020-0042.md @@ -1,14 +1,16 @@ +```toml [advisory] id = "RUSTSEC-2020-0042" package = "stack" date = "2020-09-24" -title = "Missing check in ArrayVec leads to out-of-bounds write." url = "https://github.com/arcnmx/stack-rs/issues/4" -description = """ -ArrayVec::insert allows insertion of an element into the array object into the -specified index. Due to a missing check on the upperbound of this index, it is -possible to write out of bounds. -""" [versions] patched = [">= 0.3.1"] +``` + +# Missing check in ArrayVec leads to out-of-bounds write. + +ArrayVec::insert allows insertion of an element into the array object into the +specified index. Due to a missing check on the upperbound of this index, it is +possible to write out of bounds. diff --git a/crates/stb_truetype/RUSTSEC-2020-0020.toml b/crates/stb_truetype/RUSTSEC-2020-0020.md similarity index 67% rename from crates/stb_truetype/RUSTSEC-2020-0020.toml rename to crates/stb_truetype/RUSTSEC-2020-0020.md index 9f1822f2..a40e0f0c 100644 --- a/crates/stb_truetype/RUSTSEC-2020-0020.toml +++ b/crates/stb_truetype/RUSTSEC-2020-0020.md 
@@ -1,14 +1,16 @@ +```toml [advisory] id = "RUSTSEC-2020-0020" package = "stb_truetype" -date = "2020-04-18" # date when deprecation was announced on project README -title = "`stb_truetype` crate has been deprecated; use `ttf-parser` instead" +date = "2020-04-18" informational = "unmaintained" url = "https://gitlab.redox-os.org/redox-os/stb_truetype-rs/-/commit/f1f5be4794e87bfc80a4255bc3f23ed75dd77645" -description = """ -This crate was maintained for use in rusttype which has switched to use [ttf-parser](https://crates.io/crates/ttf-parser) -""" [versions] -unaffected = [] patched = [] +unaffected = [] +``` + +# `stb_truetype` crate has been deprecated; use `ttf-parser` instead + +This crate was maintained for use in rusttype which has switched to use [ttf-parser](https://crates.io/crates/ttf-parser) diff --git a/crates/streebog/RUSTSEC-2019-0030.toml b/crates/streebog/RUSTSEC-2019-0030.md similarity index 80% rename from crates/streebog/RUSTSEC-2019-0030.toml rename to crates/streebog/RUSTSEC-2019-0030.md index 4cf9be16..80ba3abe 100644 --- a/crates/streebog/RUSTSEC-2019-0030.toml +++ b/crates/streebog/RUSTSEC-2019-0030.md @@ -1,15 +1,17 @@ +```toml [advisory] id = "RUSTSEC-2019-0030" package = "streebog" -date = "2019-10-06" -title = "Incorrect implementation of the Streebog hash functions" -url = "https://github.com/RustCrypto/hashes/pull/91" categories = ["crypto-failure"] -description = """ -Internal `update-sigma` function was implemented incorrectly and depending on -`debug-assertions` it could've caused an incorrect result or panic for certain -inputs. -""" +date = "2019-10-06" +url = "https://github.com/RustCrypto/hashes/pull/91" [versions] patched = [">= 0.8.0"] +``` + +# Incorrect implementation of the Streebog hash functions + +Internal `update-sigma` function was implemented incorrectly and depending on +`debug-assertions` it could've caused an incorrect result or panic for certain +inputs. 
diff --git a/crates/string-interner/RUSTSEC-2019-0023.toml b/crates/string-interner/RUSTSEC-2019-0023.md similarity index 93% rename from crates/string-interner/RUSTSEC-2019-0023.toml rename to crates/string-interner/RUSTSEC-2019-0023.md index 5865e71c..68ea10d2 100644 --- a/crates/string-interner/RUSTSEC-2019-0023.toml +++ b/crates/string-interner/RUSTSEC-2019-0023.md @@ -1,11 +1,18 @@ +```toml [advisory] id = "RUSTSEC-2019-0023" package = "string-interner" +aliases = ["CVE-2019-16882"] date = "2019-08-24" -title = "Cloned interners may read already dropped strings" -url = "https://github.com/Robbepop/string-interner/issues/9" keywords = ["use after free"] -description = """ +url = "https://github.com/Robbepop/string-interner/issues/9" + +[versions] +patched = ["^0.6.4", ">= 0.7.1"] +``` + +# Cloned interners may read already dropped strings + Affected versions of this crate did not clone contained strings when an interner is cloned. Interners have raw pointers to the contained strings, and they keep pointing the strings which the old interner owns, after the interner is cloned. If a new cloned interner is alive and the old original interner is dead, the new interner has dangling pointers to the old interner's storage, which is already dropped. @@ -19,8 +26,3 @@ This patch implements `Clone` manually to the interner type, so that the interna PR #10 was also backported to the 0.6 release line in and was released in 0.6.4. -""" -aliases = ["CVE-2019-16882"] - -[versions] -patched = ["^0.6.4", ">= 0.7.1"] diff --git a/crates/tar/RUSTSEC-2018-0002.toml b/crates/tar/RUSTSEC-2018-0002.md similarity index 92% rename from crates/tar/RUSTSEC-2018-0002.toml rename to crates/tar/RUSTSEC-2018-0002.md index 52457e2b..3a250f9f 100644 --- a/crates/tar/RUSTSEC-2018-0002.toml +++ b/crates/tar/RUSTSEC-2018-0002.md 
@@ -1,11 +1,19 @@ +```toml [advisory] id = "RUSTSEC-2018-0002" package = "tar" +aliases = ["CVE-2018-20990"] +date = "2018-06-29" keywords = ["file-overwrite"] url = "https://github.com/alexcrichton/tar-rs/pull/156" -title = "Links in archives can overwrite any existing file" -date = "2018-06-29" -description = """ + +[versions] +patched = [">= 0.4.16"] +unaffected = [] +``` + +# Links in archives can overwrite any existing file + When unpacking a tarball with the `unpack_in`-family of functions it's intended that only files within the specified directory are able to be written. Tarballs with hard links or symlinks, however, can be used to overwrite any file on the @@ -20,9 +28,3 @@ rewritten on the filesystem. This has been fixed in https://github.com/alexcrichton/tar-rs/pull/156 and is published as `tar` 0.4.16. Thanks to Max Justicz for discovering this and emailing about the issue! -""" -aliases = ["CVE-2018-20990"] - -[versions] -patched = [">= 0.4.16"] -unaffected = [] diff --git a/crates/tempdir/RUSTSEC-2018-0017.toml b/crates/tempdir/RUSTSEC-2018-0017.md similarity index 67% rename from crates/tempdir/RUSTSEC-2018-0017.toml rename to crates/tempdir/RUSTSEC-2018-0017.md index 6ee045de..473030e2 100644 --- a/crates/tempdir/RUSTSEC-2018-0017.toml +++ b/crates/tempdir/RUSTSEC-2018-0017.md 
@@ -1,15 +1,17 @@ +```toml [advisory] id = "RUSTSEC-2018-0017" package = "tempdir" -date = "2018-02-13" # date when deprecation was announced on project README -title = "`tempdir` crate has been deprecated; use `tempfile` instead" +date = "2018-02-13" informational = "unmaintained" url = "https://github.com/rust-lang-deprecated/tempdir/pull/46" -description = """ -The [`tempdir`](https://crates.io/crates/tempdir) crate has been deprecated -and the functionality is merged into [`tempfile`](https://crates.io/crates/tempfile). -""" [versions] -unaffected = [] patched = [] +unaffected = [] +``` + +# `tempdir` crate has been deprecated; use `tempfile` instead + +The [`tempdir`](https://crates.io/crates/tempdir) crate has been deprecated +and the functionality is merged into [`tempfile`](https://crates.io/crates/tempfile). diff --git a/crates/term/RUSTSEC-2018-0015.toml b/crates/term/RUSTSEC-2018-0015.md similarity index 83% rename from crates/term/RUSTSEC-2018-0015.toml rename to crates/term/RUSTSEC-2018-0015.md index dfc0b07e..e2a74d74 100644 --- a/crates/term/RUSTSEC-2018-0015.toml +++ b/crates/term/RUSTSEC-2018-0015.md @@ -1,11 +1,18 @@ +```toml [advisory] id = "RUSTSEC-2018-0015" package = "term" -title = "term is looking for a new maintainer" -informational = "unmaintained" date = "2018-11-19" +informational = "unmaintained" url = "https://github.com/Stebalien/term/issues/93" -description = """ + +[versions] +patched = [] +unaffected = ["> 0.6.1"] +``` + +# term is looking for a new maintainer + The author of the `term` crate does not have time to maintain it and is looking for a new maintainer. @@ -15,8 +22,3 @@ on your needs: - [`crossterm`](https://github.com/crossterm-rs/crossterm) - [`termcolor`](https://crates.io/crates/termcolor) - [`yansi`](https://crates.io/crates/yansi) -""" - -[versions] -patched = [] -unaffected = ["> 0.6.1"] # last release 
diff --git a/crates/tiberius/RUSTSEC-2020-0010.toml b/crates/tiberius/RUSTSEC-2020-0010.md similarity index 79% rename from crates/tiberius/RUSTSEC-2020-0010.toml rename to crates/tiberius/RUSTSEC-2020-0010.md index c381855e..b91a81e0 100644 --- a/crates/tiberius/RUSTSEC-2020-0010.toml +++ b/crates/tiberius/RUSTSEC-2020-0010.md @@ -1,11 +1,18 @@ +```toml [advisory] id = "RUSTSEC-2020-0010" package = "tiberius" -title = "tiberius is unmaintained" +date = "2020-02-28" informational = "unmaintained" -date = "2020-02-28" # last GitHub commit url = "https://github.com/RustSec/advisory-db/issues/261" -description = """ + +[versions] +patched = [] +unaffected = ["> 0.3.2"] +``` + +# tiberius is unmaintained + The author of `tiberius` has archived the GitHub repository and left the following note: @@ -16,8 +23,3 @@ Suggested alternatives are: - [`odbc`](https://crates.io/crates/odbc) - [`sqlx`](https://github.com/launchbadge/sqlx/issues/116) (forthcoming) -""" - -[versions] -unaffected = ["> 0.3.2"] # last release -patched = [] diff --git a/crates/tiny_http/RUSTSEC-2020-0031.toml b/crates/tiny_http/RUSTSEC-2020-0031.md similarity index 85% rename from crates/tiny_http/RUSTSEC-2020-0031.toml rename to crates/tiny_http/RUSTSEC-2020-0031.md index 7ee2c79a..26373598 100644 --- a/crates/tiny_http/RUSTSEC-2020-0031.toml +++ b/crates/tiny_http/RUSTSEC-2020-0031.md @@ -1,11 +1,17 @@ +```toml [advisory] id = "RUSTSEC-2020-0031" package = "tiny_http" date = "2020-06-16" -title = "HTTP Request smuggling through malformed Transfer Encoding headers" -url = "https://github.com/tiny-http/tiny-http/issues/173" keywords = ["http", "request-smuggling"] -description = """ +url = "https://github.com/tiny-http/tiny-http/issues/173" + +[versions] +patched = [] +``` + +# HTTP Request smuggling through malformed Transfer Encoding headers + HTTP pipelining issues and request smuggling attacks are possible due to incorrect Transfer encoding header parsing. 
@@ -13,7 +19,3 @@ It is possible conduct HTTP request smuggling attacks (CL:TE/TE:TE) by sending i By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other than their own. -""" - -[versions] -patched = [] diff --git a/crates/tokio-rustls/RUSTSEC-2020-0019.toml b/crates/tokio-rustls/RUSTSEC-2020-0019.md similarity index 87% rename from crates/tokio-rustls/RUSTSEC-2020-0019.toml rename to crates/tokio-rustls/RUSTSEC-2020-0019.md index f7466d77..0d3bca59 100644 --- a/crates/tokio-rustls/RUSTSEC-2020-0019.toml +++ b/crates/tokio-rustls/RUSTSEC-2020-0019.md @@ -1,20 +1,22 @@ +```toml [advisory] id = "RUSTSEC-2020-0019" package = "tokio-rustls" -date = "2020-05-19" -title = "tokio-rustls reads may cause excessive memory usage" -url = "https://github.com/tokio-rs/tls/pull/14" categories = ["denial-of-service"] +date = "2020-05-19" keywords = ["tls", "ssl", "DoS"] -description = """ +url = "https://github.com/tokio-rs/tls/pull/14" + +[versions] +patched = [">= 0.12.3, < 0.13.0", ">= 0.13.1"] +unaffected = ["< 0.12"] +``` + +# tokio-rustls reads may cause excessive memory usage + `tokio-rustls` does not call `process_new_packets` immediately after `read`, so the expected termination condition `wants_read` always returns true. As long as new incoming data arrives faster than it is processed and the reader does not return pending, data will be buffered. This may cause DoS. -""" - -[versions] -unaffected = ["< 0.12"] -patched = [">= 0.12.3, < 0.13.0", ">= 0.13.1"] diff --git a/crates/tough/RUSTSEC-2020-0024.toml b/crates/tough/RUSTSEC-2020-0024.md similarity index 91% rename from crates/tough/RUSTSEC-2020-0024.toml rename to crates/tough/RUSTSEC-2020-0024.md index 01f35270..cdc08f2a 100644 --- a/crates/tough/RUSTSEC-2020-0024.toml +++ b/crates/tough/RUSTSEC-2020-0024.md 
@@ -1,12 +1,18 @@ +```toml [advisory] id = "RUSTSEC-2020-0024" package = "tough" -date = "2020-07-09" -title = "Improper uniqueness verification of signature threshold" -url = "https://github.com/awslabs/tough/security/advisories/GHSA-5q2r-92f9-4m49" aliases = ["CVE-2020-15093", "GHSA-5q2r-92f9-4m49"] +date = "2020-07-09" references = ["CVE-2020-6174"] -description = """ +url = "https://github.com/awslabs/tough/security/advisories/GHSA-5q2r-92f9-4m49" + +[versions] +patched = [">= 0.7.1"] +``` + +# Improper uniqueness verification of signature threshold + The tough library, prior to 0.7.1, does not properly verify the uniqueness of keys in the signatures provided to meet the threshold of cryptographic signatures. It allows someone with access to a valid signing key to create @@ -23,7 +29,3 @@ implementation. If you have any questions or comments about this advisory, contact AWS Security at aws-security@amazon.com. -""" - -[versions] -patched = [">= 0.7.1"] diff --git a/crates/traitobject/RUSTSEC-2020-0027.toml b/crates/traitobject/RUSTSEC-2020-0027.md similarity index 87% rename from crates/traitobject/RUSTSEC-2020-0027.toml rename to crates/traitobject/RUSTSEC-2020-0027.md index 77fdcdab..e0c0574d 100644 --- a/crates/traitobject/RUSTSEC-2020-0027.toml +++ b/crates/traitobject/RUSTSEC-2020-0027.md 
@@ -1,19 +1,11 @@ +```toml [advisory] id = "RUSTSEC-2020-0027" package = "traitobject" -date = "2020-06-01" -title = "traitobject assumes assumes the layout of fat pointers" -url = "https://github.com/reem/rust-traitobject/issues/7" -informational = "unsound" categories = ["memory-corruption"] -description = """ -This crate gets the data pointer from fat pointers assuming that the first -element in a fat pointer is the data pointer. This is currently true, but -it may change in a future Rust version, leading to memory corruption. - -This has been fixed in the master branch of the crate, but is has not -been released into crates.io. -""" +date = "2020-06-01" +informational = "unsound" +url = "https://github.com/reem/rust-traitobject/issues/7" [affected.functions] "traitobject::data" = [] @@ -21,3 +13,13 @@ been released into crates.io. [versions] patched = [] +``` + +# traitobject assumes assumes the layout of fat pointers + +This crate gets the data pointer from fat pointers assuming that the first +element in a fat pointer is the data pointer. This is currently true, but +it may change in a future Rust version, leading to memory corruption. + +This has been fixed in the master branch of the crate, but is has not +been released into crates.io. diff --git a/crates/trust-dns-proto/RUSTSEC-2018-0007.toml b/crates/trust-dns-proto/RUSTSEC-2018-0007.md similarity index 80% rename from crates/trust-dns-proto/RUSTSEC-2018-0007.toml rename to crates/trust-dns-proto/RUSTSEC-2018-0007.md index b3898f94..cbac69d3 100644 --- a/crates/trust-dns-proto/RUSTSEC-2018-0007.toml +++ b/crates/trust-dns-proto/RUSTSEC-2018-0007.md 
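Review bot: The new H1 `# traitobject assumes assumes the layout of fat pointers` carries a doubled word over from the old `title`; as the heading is now the rendered advisory title it should read `# traitobject assumes the layout of fat pointers`. In the preceding hunk the context line `"traitobject::data" = []` gives the affected function an empty version list; if the intent is that every released version is affected (consistent with `patched = []`), it is worth confirming how the linter interprets an empty requirement list, since it could equally be read as no version being affected.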
@@ -1,10 +1,17 @@ +```toml [advisory] id = "RUSTSEC-2018-0007" package = "trust-dns-proto" +aliases = ["CVE-2018-20994"] date = "2018-10-09" -title = "Stack overflow when parsing malicious DNS packet" -keywords = [ "stack-overflow", "crash" ] -description = """ +keywords = ["stack-overflow", "crash"] + +[versions] +patched = [">= 0.4.3", ">= 0.5.0-alpha.3"] +``` + +# Stack overflow when parsing malicious DNS packet + There's a stack overflow leading to a crash when Trust-DNS's parses a malicious DNS packet. @@ -17,8 +24,3 @@ This allows an attacker to craft a malicious DNS packet which when consumed with Trust-DNS could cause stack overflow and crash the affected software. The flaw was corrected by trust-dns-proto 0.4.3 and upcoming 0.5.0 release. -""" -aliases = ["CVE-2018-20994"] - -[versions] -patched = [">= 0.4.3", ">= 0.5.0-alpha.3" ] diff --git a/crates/trust-dns-server/RUSTSEC-2020-0001.toml b/crates/trust-dns-server/RUSTSEC-2020-0001.md similarity index 85% rename from crates/trust-dns-server/RUSTSEC-2020-0001.toml rename to crates/trust-dns-server/RUSTSEC-2020-0001.md index 5f03ee37..a7c3d5ee 100644 --- a/crates/trust-dns-server/RUSTSEC-2020-0001.toml +++ b/crates/trust-dns-server/RUSTSEC-2020-0001.md @@ -1,9 +1,19 @@ +```toml [advisory] id = "RUSTSEC-2020-0001" package = "trust-dns-server" +categories = ["denial-of-service"] date = "2020-01-06" -title = "Stack overflow when resolving addional records from MX or SRV null targets" -description = """ +keywords = ["stack-overflow", "crash"] +url = "https://github.com/bluejekyll/trust-dns/issues/980" + +[versions] +patched = [">= 0.18.1"] +unaffected = ["< 0.16.0"] +``` + +# Stack overflow when resolving addional records from MX or SRV null targets + There's a stack overflow leading to a crash and potential DOS when processing additional records for return of MX or SRV record types from the server. 
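Review bot: The trust-dns-proto front matter still carries no `url` key, while the other advisories converted in this diff link an upstream issue, PR or commit, and the migration is a natural point to close that gap. Add `url = "<UPSTREAM_FIX_URL>"` after `keywords` — the placeholder stands in for the trust-dns-proto 0.4.3 fix reference the description mentions, whose location is not recoverable from this diff.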
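Review bot: The new H1 `# Stack overflow when resolving addional records from MX or SRV null targets` inherits a typo from the old `title`; since the heading is now the rendered advisory title it should read `# Stack overflow when resolving additional records from MX or SRV null targets`. The rest of the front matter is consistent with the sibling hunks (`url`, `categories` and `keywords` moved up from the tail of the file, array spacing normalised).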
@@ -17,11 +27,3 @@ no-service 86400 IN MX 0 . Prior to 0.16.0 the additional record processing was not supported by trust-dns-server. There Are no known issues with upgrading from 0.16 or 0.17 to 0.18.1. The remidy should be to upgrade to 0.18.1. If unable to do so, MX, SRV or other record types with a target to the null type, should be avoided. -""" -url = "https://github.com/bluejekyll/trust-dns/issues/980" -categories = ["denial-of-service"] -keywords = [ "stack-overflow", "crash" ] - -[versions] -patched = [">= 0.18.1"] -unaffected = ["< 0.16.0"] diff --git a/crates/untrusted/RUSTSEC-2018-0001.toml b/crates/untrusted/RUSTSEC-2018-0001.md similarity index 91% rename from crates/untrusted/RUSTSEC-2018-0001.toml rename to crates/untrusted/RUSTSEC-2018-0001.md index 8868a48c..89de5b0c 100644 --- a/crates/untrusted/RUSTSEC-2018-0001.toml +++ b/crates/untrusted/RUSTSEC-2018-0001.md @@ -1,11 +1,19 @@ +```toml [advisory] id = "RUSTSEC-2018-0001" package = "untrusted" -url = "https://github.com/briansmith/untrusted/pull/20" -keywords = ["crash"] -title = "An integer underflow could lead to panic" +aliases = ["CVE-2018-20989"] date = "2018-06-21" -description = """ +keywords = ["crash"] +url = "https://github.com/briansmith/untrusted/pull/20" + +[versions] +patched = [">= 0.6.2"] +unaffected = [] +``` + +# An integer underflow could lead to panic + A mistake in error handling in untrusted before 0.6.2 could lead to an integer underflow and panic if a user of the crate didn't properly check for errors returned by untrusted. @@ -17,9 +25,3 @@ affected software. The error in untrusted is fixed in release 0.6.2 released 2018-06-21. It's also advisable that users of untrusted check for their sources for cases where errors returned by untrusted are not handled correctly. -""" -aliases = ["CVE-2018-20989"] - -[versions] -patched = [">= 0.6.2"] -unaffected = [] 
diff --git a/crates/ws/RUSTSEC-2020-0043.toml b/crates/ws/RUSTSEC-2020-0043.md similarity index 76% rename from crates/ws/RUSTSEC-2020-0043.toml rename to crates/ws/RUSTSEC-2020-0043.md index 3c002352..90ceecab 100644 --- a/crates/ws/RUSTSEC-2020-0043.toml +++ b/crates/ws/RUSTSEC-2020-0043.md @@ -1,21 +1,20 @@ +```toml [advisory] id = "RUSTSEC-2020-0043" package = "ws" +categories = ["denial-of-service"] date = "2020-09-25" -title = "Insufficient size checks in outgoing buffer in ws allows remote attacker to run the process out of memory" - +keywords = ["websocket", "dos", "ddos", "oom", "memory", "remotely"] url = "https://github.com/housleyjk/ws-rs/issues/291" -categories = ["denial-of-service"] -keywords = ["websocket", "dos", "ddos","oom", "memory", "remotely"] +[versions] +patched = [] +``` + +# Insufficient size checks in outgoing buffer in ws allows remote attacker to run the process out of memory -description = """ Affected versions of this crate did not properly check and cap the growth of the outgoing buffer. This allows a remote attacker to take down the process by growing the buffer of their (single) connection until the process runs out of memory it can allocate and is killed. The flaw was corrected in the [`parity-ws` fork](https://crates.io/crates/parity-ws) (>0.10.0) by [disconnecting a client when the buffer runs full](https://github.com/housleyjk/ws-rs/pull/328). -""" - -[versions] -patched = [] diff --git a/crates/yaml-rust/RUSTSEC-2018-0006.toml b/crates/yaml-rust/RUSTSEC-2018-0006.md similarity index 90% rename from crates/yaml-rust/RUSTSEC-2018-0006.toml rename to crates/yaml-rust/RUSTSEC-2018-0006.md index 8c5e716f..643ad398 100644 --- a/crates/yaml-rust/RUSTSEC-2018-0006.toml +++ b/crates/yaml-rust/RUSTSEC-2018-0006.md 
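Review bot: The blank-line layout in the ws hunk is inconsistent with the other converted advisories: the only added blank line is the one before the `# Insufficient size checks …` heading, so at least one of `url` → `[versions]` and heading → description runs together with no separating blank line (the collapsed rendering hides which, and possibly both do). Every other hunk in this diff adds a `+` blank line before `[versions]` and leaves one after the heading; add the missing `+` blank line(s) so the front matter and body read the same way as the siblings.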
@@ -1,11 +1,18 @@ +```toml [advisory] id = "RUSTSEC-2018-0006" package = "yaml-rust" +aliases = ["CVE-2018-20993"] date = "2018-09-17" -title = "Uncontrolled recursion leads to abort in deserialization" -url = "https://github.com/chyh1990/yaml-rust/pull/109" keywords = ["crash"] -description = """ +url = "https://github.com/chyh1990/yaml-rust/pull/109" + +[versions] +patched = [">= 0.4.1"] +``` + +# Uncontrolled recursion leads to abort in deserialization + Affected versions of this crate did not prevent deep recursion while deserializing data structures. @@ -22,8 +29,3 @@ time via `include_str!`. 2. The nesting level is never deep enough to trigger the overflow in practice (at most 5). -""" -aliases = ["CVE-2018-20993"] - -[versions] -patched = [">= 0.4.1"] diff --git a/rust/cargo/CVE-2019-16760.toml b/rust/cargo/CVE-2019-16760.md similarity index 98% rename from rust/cargo/CVE-2019-16760.toml rename to rust/cargo/CVE-2019-16760.md index d5e1fe5d..fc6ad5ba 100644 --- a/rust/cargo/CVE-2019-16760.toml +++ b/rust/cargo/CVE-2019-16760.md @@ -1,11 +1,17 @@ +```toml [advisory] id = "CVE-2019-16760" package = "cargo" -date = "2019-09-30" aliases = ["GHSA-phjm-8x66-qw4r"] +date = "2019-09-30" url = "https://groups.google.com/forum/#!topic/rustlang-security-announcements/rVQ5e3TDnpQ" -title = "Cargo prior to Rust 1.26.0 may download the wrong dependency" -description = """ + +[versions] +patched = [">= 1.26.0"] +``` + +# Cargo prior to Rust 1.26.0 may download the wrong dependency + The Rust team was recently notified of a security concern when using older versions of Cargo to build crates which use the package rename feature added in newer versions of Cargo. If you're using Rust 1.26.0, released on 2018-05-10, 
@@ -107,7 +113,3 @@ with our [security policy][5]. [3]: https://github.com/rust-lang/cargo/pull/4953 [4]: https://gist.github.com/pietroalbini/0d293b24a44babbeb6187e06eebd4992 [5]: https://www.rust-lang.org/policies/security -""" - -[versions] -patched = [">= 1.26.0"] diff --git a/rust/rustdoc/CVE-2018-1000622.toml b/rust/rustdoc/CVE-2018-1000622.md similarity index 97% rename from rust/rustdoc/CVE-2018-1000622.toml rename to rust/rustdoc/CVE-2018-1000622.md index 2b8f618e..f2aa132e 100644 --- a/rust/rustdoc/CVE-2018-1000622.toml +++ b/rust/rustdoc/CVE-2018-1000622.md @@ -1,12 +1,18 @@ +```toml [advisory] id = "CVE-2018-1000622" package = "rustdoc" -date = "2018-07-05" -title = "Uncontrolled search path element vulnerability in rustdoc plugins" categories = ["code-execution"] -url = "https://groups.google.com/forum/#!topic/rustlang-security-announcements/4ybxYLTtXuM" cvss = "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" -description = """ +date = "2018-07-05" +url = "https://groups.google.com/forum/#!topic/rustlang-security-announcements/4ybxYLTtXuM" + +[versions] +patched = ["> 1.27.0"] +``` + +# Uncontrolled search path element vulnerability in rustdoc plugins + Rustdoc, if not passed the `--plugin-path` argument, defaults to `/tmp/rustdoc/plugins`. `/tmp` is world-writable on many systems, and so an attacker could craft a malicious plugin, place it in that directory, and the @@ -93,7 +99,3 @@ feedback on the patch itself. You can find their bug at [5]. [3]: https://github.com/rust-lang/rust/commit/14f59e890207f3b7a70bcfffaea7ad8865604111 [4]: https://github.com/rust-lang/rust/commit/7b24efd6f333620ed2559d70b32da8f6f9957385 [5]: https://bugzilla.redhat.com/show_bug.cgi?id=1597063 -""" - -[versions] -patched = ["> 1.27.0"] diff --git a/rust/std/CVE-2018-1000657.toml b/rust/std/CVE-2018-1000657.md similarity index 85% rename from rust/std/CVE-2018-1000657.toml rename to rust/std/CVE-2018-1000657.md index 4fef3a45..87c118e5 100644 
--- a/rust/std/CVE-2018-1000657.toml +++ b/rust/std/CVE-2018-1000657.md @@ -1,15 +1,10 @@ +```toml [advisory] id = "CVE-2018-1000657" package = "std" -date = "2018-08-20" -title = "Buffer overflow vulnerability in VecDeque::reserve()" categories = ["code-execution", "denial-of-service"] +date = "2018-08-20" url = "https://github.com/rust-lang/rust/issues/44800" -description = """ -The `std::collections::vec_deque::VecDeque::reserve()` function contains a -buffer overflow vulnerability that can potentially result in arbitrary code -execution. -""" [affected.functions] "std::collections::vec_deque::VecDeque::reserve" = ["< 1.22.0, >= 1.3.0"] @@ -17,3 +12,10 @@ execution. [versions] patched = [">= 1.22.0"] unaffected = ["< 1.3.0"] +``` + +# Buffer overflow vulnerability in VecDeque::reserve() + +The `std::collections::vec_deque::VecDeque::reserve()` function contains a +buffer overflow vulnerability that can potentially result in arbitrary code +execution. diff --git a/rust/std/CVE-2018-1000810.toml b/rust/std/CVE-2018-1000810.md similarity index 97% rename from rust/std/CVE-2018-1000810.toml rename to rust/std/CVE-2018-1000810.md index 295efcb2..b3ecefa8 100644 --- a/rust/std/CVE-2018-1000810.toml +++ b/rust/std/CVE-2018-1000810.md 
@@ -1,12 +1,22 @@ +```toml [advisory] id = "CVE-2018-1000810" package = "std" -date = "2018-09-21" -title = "Buffer overflow vulnerability in str::repeat()" -url = "https://groups.google.com/forum/#!topic/rustlang-security-announcements/CmSuTm-SaU0" categories = ["denial-of-service", "memory-corruption"] cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" -description = """ +date = "2018-09-21" +url = "https://groups.google.com/forum/#!topic/rustlang-security-announcements/CmSuTm-SaU0" + +[affected.functions] +"std::str::repeat" = ["< 1.29.1, >= 1.26.0"] + +[versions] +patched = [">= 1.29.1"] +unaffected = ["< 1.26.0"] +``` + +# Buffer overflow vulnerability in str::repeat() + The Rust team was recently notified of a security vulnerability affecting the `str::repeat` function in the standard library. If your code does not use this function, it is not affected. @@ -93,11 +103,3 @@ accordance with our security policy https://www.rust-lang.org/security.html. [3]: https://github.com/rust-lang/rust/pull/54397 [4]: https://github.com/rust-lang/rust/pull/54398 [5]: https://github.com/rust-lang/rust/pull/54399 -""" - -[affected.functions] -"std::str::repeat" = ["< 1.29.1, >= 1.26.0"] - -[versions] -patched = [">= 1.29.1"] -unaffected = ["< 1.26.0"] diff --git a/rust/std/CVE-2019-12083.toml b/rust/std/CVE-2019-12083.md similarity index 97% rename from rust/std/CVE-2019-12083.toml rename to rust/std/CVE-2019-12083.md index da102963..a0c443bb 100644 --- a/rust/std/CVE-2019-12083.toml +++ b/rust/std/CVE-2019-12083.md 
@@ -1,11 +1,18 @@ +```toml [advisory] id = "CVE-2019-12083" package = "std" -date = "2019-05-13" -title = "Memory safety vulnerabilities arising from `Error::type_id`" categories = ["memory-corruption"] +date = "2019-05-13" url = "https://groups.google.com/forum/#!topic/rustlang-security-announcements/aZabeCMUv70" -description = """ + +[versions] +patched = ["> 1.34.1"] +unaffected = ["< 1.34.0"] +``` + +# Memory safety vulnerabilities arising from `Error::type_id` + The Rust team was recently notified of a security vulnerability affecting manual implementations of `Error::type_id` and their interaction with the `Error::downcast` family of functions in the standard library. If your code @@ -91,8 +98,3 @@ with our security policy https://www.rust-lang.org/policies/security. [3]: https://github.com/rust-lang/rust/pull/60785 [4]: https://github.com/rust-lang/rust/pull/60786 [5]: https://github.com/rust-lang/rust/pull/60787 -""" - -[versions] -patched = ["> 1.34.1"] -unaffected = ["< 1.34.0"]