here is the log from the commit of package cargo-audit-advisory-db for
openSUSE:Factory checked in at 2021-06-22 20:45:02
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/cargo-audit-advisory-db (Old)
and /work/SRC/openSUSE:Factory/.cargo-audit-advisory-db.new.2625 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cargo-audit-advisory-db"
Tue Jun 22 20:45:02 2021 rev:7 rq:901270 version:20210619
Changes:
--------
---
/work/SRC/openSUSE:Factory/cargo-audit-advisory-db/cargo-audit-advisory-db.changes
2021-06-01 10:41:31.573228237 +0200
+++
/work/SRC/openSUSE:Factory/.cargo-audit-advisory-db.new.2625/cargo-audit-advisory-db.changes
2021-06-22 20:45:11.238839499 +0200
@@ -1,0 +2,15 @@
+Sat Jun 19 06:27:26 UTC 2021 - [email protected]
+
+- Update to version 20210619:
+ * Update RUSTSEC-2021-0049.md (#941)
+ * Assigned RUSTSEC-2021-0071 to grep-cli (#940)
+ * crates/grep-cli: add advisory for arbitrary binary execution on Windows
(#939)
+ * Add GHSA mentions to `aliases` field. This is becoming more important with
OSV enabling interop between databases (#937)
+ * Update RUSTSEC-2020-0043.md (#934)
+ * Assigned RUSTSEC-2021-0070 to nalgebra (#932)
+ * Add advisory for nalgebra VecStorage/MatrixVec (#931)
+ * Remove range overlaps, fix some range specifications (#930)
+ * Make ranges in trust-dns-proto advisory non-overlapping (#929)
+ * Assigned RUSTSEC-2021-0069 to lettre (#925)
+
+-------------------------------------------------------------------
Old:
----
advisory-db-20210601.tar.xz
New:
----
advisory-db-20210619.tar.xz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ cargo-audit-advisory-db.spec ++++++
--- /var/tmp/diff_new_pack.1gUMVl/_old 2021-06-22 20:45:11.762840076 +0200
+++ /var/tmp/diff_new_pack.1gUMVl/_new 2021-06-22 20:45:11.766840080 +0200
@@ -17,7 +17,7 @@
Name: cargo-audit-advisory-db
-Version: 20210601
+Version: 20210619
Release: 0
Summary: A database of known security issues for Rust depedencies
License: CC0-1.0
++++++ _service ++++++
--- /var/tmp/diff_new_pack.1gUMVl/_old 2021-06-22 20:45:11.798840115 +0200
+++ /var/tmp/diff_new_pack.1gUMVl/_new 2021-06-22 20:45:11.802840119 +0200
@@ -2,7 +2,7 @@
<service mode="disabled" name="obs_scm">
<param name="url">https://github.com/RustSec/advisory-db.git</param>
<param name="scm">git</param>
- <param name="version">20210601</param>
+ <param name="version">20210619</param>
<param name="revision">master</param>
<param name="changesgenerate">enable</param>
<param name="changesauthor">[email protected]</param>
++++++ advisory-db-20210601.tar.xz -> advisory-db-20210619.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/advisory-db-20210601/.duplicate-id-guard
new/advisory-db-20210619/.duplicate-id-guard
--- old/advisory-db-20210601/.duplicate-id-guard 2021-05-22
20:13:18.000000000 +0200
+++ new/advisory-db-20210619/.duplicate-id-guard 2021-06-16
23:05:39.000000000 +0200
@@ -1,3 +1,3 @@
This file causes merge conflicts if two ID assignment jobs run concurrently.
This prevents duplicate ID assignment due to a race between those jobs.
-ff091e2402596ebe5667596b7b07f686f263921249d154a8b98e063059c521aa -
+9ae15a1aa0407b9b02ec7b965943ec1541f88b9dcd54e9ba0d27a85a7cad4811 -
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20210601/crates/arc-swap/RUSTSEC-2020-0091.md
new/advisory-db-20210619/crates/arc-swap/RUSTSEC-2020-0091.md
--- old/advisory-db-20210601/crates/arc-swap/RUSTSEC-2020-0091.md
2021-05-22 20:13:18.000000000 +0200
+++ new/advisory-db-20210619/crates/arc-swap/RUSTSEC-2020-0091.md
2021-06-16 23:05:39.000000000 +0200
@@ -9,7 +9,7 @@
aliases = ["CVE-2020-35711"]
[versions]
-patched = [">= 1.1.0", ">= 0.4.8"]
+patched = [">= 0.4.8, < 1.0.0-0", ">= 1.1.0"]
unaffected = ["< 0.4.2"]
[affected]
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20210601/crates/claxon/RUSTSEC-2018-0004.md
new/advisory-db-20210619/crates/claxon/RUSTSEC-2018-0004.md
--- old/advisory-db-20210601/crates/claxon/RUSTSEC-2018-0004.md 2021-05-22
20:13:18.000000000 +0200
+++ new/advisory-db-20210619/crates/claxon/RUSTSEC-2018-0004.md 2021-06-16
23:05:39.000000000 +0200
@@ -8,7 +8,7 @@
url =
"https://github.com/ruuda/claxon/commit/8f28ec275e412dd3af4f3cda460605512faf332c"
[versions]
-patched = ["=0.3.2", ">= 0.4.1"]
+patched = ["^0.3.2", ">= 0.4.1"]
```
# Malicious input could cause uninitialized memory to be exposed
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20210601/crates/cranelift-codegen/RUSTSEC-2021-0067.md
new/advisory-db-20210619/crates/cranelift-codegen/RUSTSEC-2021-0067.md
--- old/advisory-db-20210601/crates/cranelift-codegen/RUSTSEC-2021-0067.md
2021-05-22 20:13:18.000000000 +0200
+++ new/advisory-db-20210619/crates/cranelift-codegen/RUSTSEC-2021-0067.md
2021-06-16 23:05:39.000000000 +0200
@@ -6,10 +6,10 @@
url =
"https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-hpqh-2wqx-7qp5"
categories = ["code-execution", "memory-corruption", "memory-exposure"]
keywords = ["miscompile", "sandbox", "wasm"]
-aliases = ["CVE-2021-32629"]
+aliases = ["CVE-2021-32629", "GHSA-hpqh-2wqx-7qp5"]
[versions]
-patched = [">= 0.73.1", ">= 0.74"]
+patched = [">= 0.73.1"]
[affected]
arch = ["x86"]
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20210601/crates/grep-cli/RUSTSEC-2021-0071.md
new/advisory-db-20210619/crates/grep-cli/RUSTSEC-2021-0071.md
--- old/advisory-db-20210601/crates/grep-cli/RUSTSEC-2021-0071.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20210619/crates/grep-cli/RUSTSEC-2021-0071.md
2021-06-16 23:05:39.000000000 +0200
@@ -0,0 +1,57 @@
+```toml
+[advisory]
+id = "RUSTSEC-2021-0071"
+package = "grep-cli"
+date = "2021-06-12"
+url = "https://github.com/BurntSushi/ripgrep/issues/1773"
+categories = ["code-execution"]
+keywords = ["windows", "ripgrep", "PATH", "arbitrary", "binary"]
+aliases = ["CVE-2021-3013"]
+
+[versions]
+patched = [">= 0.1.6"]
+unaffected = []
+
+[affected]
+os = ["windows"]
+functions = { "grep_cli::DecompressionReader::new" = ["< 0.1.6"] }
+```
+
+# `grep-cli` may run arbitrary executables on Windows
+
+On Windows in versions of `grep-cli` prior to `0.1.6`, it's possible for some
+of the routines to execute arbitrary executables. In particular, a quirk of
+the Windows process execution API is that it will automatically consider the
+current directory before other directories when resolving relative binary
+names. Therefore, if you use `grep-cli` to read decompressed files in an
+untrusted directory with that directory as the CWD, a malicious actor to could
+put, e.g., a `gz.exe` binary in that directory and `grep-cli` will use the
+malicious actor's version of `gz.exe` instead of the system's.
+
+This is also technically possible on Unix as well, but only if the `PATH`
+variable contains `.`. Conventionally, they do not.
+
+A `DecompressionReader` has been fixed to automatically resolve binary names
+using `PATH`, instead of relying on the Windows API to do it.
+
+If you use `grep-cli`'s `CommandReader` with a `std::process::Command` value
+on Windows, then it is recommended to either construct the `Command` with an
+absolute binary name, or use `grep-cli`'s new
+[`resolve_binary`](https://docs.rs/grep-cli/0.1.6/grep_cli/fn.resolve_binary.html)
+helper function.
+
+To be clear, `grep-cli 0.1.6` mitigates this issue in two ways:
+
+* A `DecompressionReader` will resolve decompression programs to absolute
+paths automatically using the `PATH` environment variable, instead of relying
+on Windows APIs to do it (which would result in the undesirable behavior of
+checking the CWD for a program first).
+* A new function, `resolve_binary`, was added to help users of this crate
+mitigate this behavior when they need to create their own
+`std::process::Command`. For example,
+[ripgrep uses
`grep_cli::resolve_binary`](https://github.com/BurntSushi/ripgrep/blob/7ce66f73cf7e76e9f2557922ac8e650eb02cf4ed/crates/core/search.rs#L119-L122)
+on the argument given to its `--pre` flag.
+
+While the first mitigation fixes this issue for sensible values of `PATH`
+when doing decompression search, the second mitigation is imperfect. The more
+fundamental issue is that `std::process::Command` is itself vulnerable to this.
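Review bot: The Unix caveat in the new advisory text understates the exposure: per POSIX an empty entry in `PATH` (a leading or trailing `:`, or `::`) is also resolved as the current directory by `execvp`, not only a literal `.`, so "but only if the `PATH` variable contains `.`" would be more accurate as "but only if `PATH` contains `.` or an empty entry". Because `[affected]` sets `os = ["windows"]`, cargo-audit will not report this to Unix users at all even with such a `PATH`; that scoping is defensible given the fix is Windows-specific, but the text should say the os restriction is deliberate. There is a typo at "a malicious actor to could put" (drop "to"), and `unaffected = []` carries no information and can be omitted, as the other advisories in this update do when the list is empty.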
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20210601/crates/hyper/RUSTSEC-2021-0020.md
new/advisory-db-20210619/crates/hyper/RUSTSEC-2021-0020.md
--- old/advisory-db-20210601/crates/hyper/RUSTSEC-2021-0020.md 2021-05-22
20:13:18.000000000 +0200
+++ new/advisory-db-20210619/crates/hyper/RUSTSEC-2021-0020.md 2021-06-16
23:05:39.000000000 +0200
@@ -6,7 +6,7 @@
url =
"https://github.com/hyperium/hyper/security/advisories/GHSA-6hfq-h8hq-87mf"
categories = ["format-injection"]
keywords = ["http", "request-smuggling"]
-aliases = ["CVE-2021-21299"]
+aliases = ["CVE-2021-21299", "GHSA-6hfq-h8hq-87mf"]
[versions]
patched = [">= 0.14.3", "0.13.10", "0.12.36"]
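Review bot: The retained `patched` list mixes a comparator with bare versions (`"0.13.10"`, `"0.12.36"`); a bare version is a caret requirement in Cargo's syntax, so these mean `>= 0.13.10, < 0.14.0` and `>= 0.12.36, < 0.13.0`, which is presumably the intent but is easy to misread as an exact pin. Since this update is already normalising ranges elsewhere (arc-swap uses `">= 0.4.8, < 1.0.0-0"`), consider spelling these out the same way: `patched = [">= 0.14.3", ">= 0.13.10, < 0.14.0-0", ">= 0.12.36, < 0.13.0-0"]`. The hunk shows only the front matter; the rest of the advisory is outside it.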
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20210601/crates/libpulse-binding/RUSTSEC-2018-0020.md
new/advisory-db-20210619/crates/libpulse-binding/RUSTSEC-2018-0020.md
--- old/advisory-db-20210601/crates/libpulse-binding/RUSTSEC-2018-0020.md
2021-05-22 20:13:18.000000000 +0200
+++ new/advisory-db-20210619/crates/libpulse-binding/RUSTSEC-2018-0020.md
2021-06-16 23:05:39.000000000 +0200
@@ -5,6 +5,7 @@
date = "2018-12-22"
url =
"https://github.com/jnqnfe/pulse-binding-rust/security/advisories/GHSA-f56g-chqp-22m9"
categories = ["memory-corruption"]
+aliases = ["GHSA-f56g-chqp-22m9"]
[versions]
patched = [">= 2.5.0"]
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20210601/crates/libpulse-binding/RUSTSEC-2018-0021.md
new/advisory-db-20210619/crates/libpulse-binding/RUSTSEC-2018-0021.md
--- old/advisory-db-20210601/crates/libpulse-binding/RUSTSEC-2018-0021.md
2021-05-22 20:13:18.000000000 +0200
+++ new/advisory-db-20210619/crates/libpulse-binding/RUSTSEC-2018-0021.md
2021-06-16 23:05:39.000000000 +0200
@@ -5,6 +5,7 @@
date = "2018-06-15"
url =
"https://github.com/jnqnfe/pulse-binding-rust/security/advisories/GHSA-ghpq-vjxw-ch5w"
categories = ["memory-corruption"]
+aliases = ["GHSA-ghpq-vjxw-ch5w"]
[versions]
patched = [">= 1.2.1"]
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20210601/crates/miow/RUSTSEC-2020-0080.md
new/advisory-db-20210619/crates/miow/RUSTSEC-2020-0080.md
--- old/advisory-db-20210601/crates/miow/RUSTSEC-2020-0080.md 2021-05-22
20:13:18.000000000 +0200
+++ new/advisory-db-20210619/crates/miow/RUSTSEC-2020-0080.md 2021-06-16
23:05:39.000000000 +0200
@@ -9,7 +9,7 @@
informational = "unsound"
[versions]
-patched = [">= 0.2.2", ">= 0.3.6"]
+patched = ["^ 0.2.2", ">= 0.3.6"]
```
# `miow` invalidly assumes the memory layout of std::net::SocketAddr
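Review bot: The new requirement is written `"^ 0.2.2"` with a space after the caret, while the claxon advisory in the same update uses `"^0.3.2"`; both parse, but the database should pick one spelling, and `"^0.2.2"` matches the usual Cargo form. The rand_core hunk introduces the same `"^ 0.3.1"` spacing. If a space-free form is adopted, a one-line lint in the repository's CI would keep it that way, since these strings are read by tooling rather than people.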
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20210601/crates/nalgebra/RUSTSEC-2021-0070.md
new/advisory-db-20210619/crates/nalgebra/RUSTSEC-2021-0070.md
--- old/advisory-db-20210601/crates/nalgebra/RUSTSEC-2021-0070.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20210619/crates/nalgebra/RUSTSEC-2021-0070.md
2021-06-16 23:05:39.000000000 +0200
@@ -0,0 +1,21 @@
+```toml
+[advisory]
+id = "RUSTSEC-2021-0070"
+package = "nalgebra"
+date = "2021-06-06"
+url = "https://github.com/dimforge/nalgebra/issues/883"
+categories = ["memory-corruption", "memory-exposure"]
+keywords = ["memory-safety"]
+
+[versions]
+patched = [">= 0.27.1"]
+unaffected = ["< 0.11.0"]
+```
+
+# VecStorage Deserialize Allows Violation of Length Invariant
+
+The `Deserialize` implementation for `VecStorage` did not maintain the
invariant that the number of elements must equal `nrows * ncols`.
Deserialization of specially crafted inputs could allow memory access beyond
allocation of the vector.
+
+This flaw was introduced in v0.11.0
([`086e6e`](https://github.com/dimforge/nalgebra/commit/086e6e719f53fecba6dadad2e953a487976387f5))
due to the addition of an automatically derived implementation of
`Deserialize` for `MatrixVec`. `MatrixVec` was later renamed to `VecStorage` in
v0.16.13
([`0f66403`](https://github.com/dimforge/nalgebra/commit/0f66403cbbe9eeac15cedd8a906c0d6a3d8841f2))
and continued to use the automatically derived implementation of `Deserialize`.
+
+This flaw was corrected in commit
[`5bff536`](https://github.com/dimforge/nalgebra/commit/5bff5368bf38ddfa31416e4ae9897b163031a513)
by returning an error during deserialization if the number of elements does
not exactly match the expected size.
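Review bot: The `keywords` list of the new nalgebra advisory is only `["memory-safety"]`, yet the vulnerable path is the `Deserialize` implementation, so `keywords = ["memory-safety", "deserialize", "serde"]` would let users searching for deserialization issues find it. The advisory does not say whether that impl is behind an optional serde feature; if it is (the text's "automatically derived implementation" suggests a derive behind a feature gate, but this is not established here), stating it would help consumers triage whether their build is exposed. Also, no `aliases` field is present; if a CVE or GHSA is assigned it should be added, consistent with the alias additions made elsewhere in this update. `date = "2021-06-06"` predates the RUSTSEC id assignment in the changelog, which is fine but worth confirming it is the disclosure date.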
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20210601/crates/rand_core/RUSTSEC-2019-0035.md
new/advisory-db-20210619/crates/rand_core/RUSTSEC-2019-0035.md
--- old/advisory-db-20210601/crates/rand_core/RUSTSEC-2019-0035.md
2021-05-22 20:13:18.000000000 +0200
+++ new/advisory-db-20210619/crates/rand_core/RUSTSEC-2019-0035.md
2021-06-16 23:05:39.000000000 +0200
@@ -12,7 +12,7 @@
"rand_core::BlockRng::next_u64" = ["< 0.4.2"]
[versions]
-patched = [">= 0.3.1", ">= 0.4.2"]
+patched = ["^ 0.3.1", ">= 0.4.2"]
```
# Unaligned memory access
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20210601/crates/through/RUSTSEC-2021-0049.md
new/advisory-db-20210619/crates/through/RUSTSEC-2021-0049.md
--- old/advisory-db-20210601/crates/through/RUSTSEC-2021-0049.md
2021-05-22 20:13:18.000000000 +0200
+++ new/advisory-db-20210619/crates/through/RUSTSEC-2021-0049.md
2021-06-16 23:05:39.000000000 +0200
@@ -2,7 +2,7 @@
[advisory]
id = "RUSTSEC-2021-0049"
package = "through"
-aliases = ["CVE-2021-299340"]
+aliases = ["CVE-2021-29940"]
date = "2021-02-18"
url = "https://github.com/gretchenfrage/through/issues/1"
categories = ["memory-corruption"]
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20210601/crates/trust-dns-proto/RUSTSEC-2018-0007.md
new/advisory-db-20210619/crates/trust-dns-proto/RUSTSEC-2018-0007.md
--- old/advisory-db-20210601/crates/trust-dns-proto/RUSTSEC-2018-0007.md
2021-05-22 20:13:18.000000000 +0200
+++ new/advisory-db-20210619/crates/trust-dns-proto/RUSTSEC-2018-0007.md
2021-06-16 23:05:39.000000000 +0200
@@ -7,7 +7,7 @@
keywords = ["stack-overflow", "crash"]
[versions]
-patched = [">= 0.4.3", ">= 0.5.0-alpha.3"]
+patched = [">= 0.4.3"]
```
# Stack overflow when parsing malicious DNS packet
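Review bot: Collapsing `patched` to `[">= 0.4.3"]` may change how the 0.5.0 pre-releases are classified: in the semver matching used by Cargo-style requirements a comparator without a pre-release tag does not match pre-release versions, so `>= 0.4.3` alone would not match `0.5.0-alpha.3` and that release, previously listed as patched, could now be reported as vulnerable. If the pre-release distinction matters, the non-overlapping form that keeps the old meaning is `patched = [">= 0.4.3, < 0.5.0-0", ">= 0.5.0-alpha.3"]`, mirroring the `-0` sentinel used in the arc-swap advisory in this same update. If dropping pre-release handling is intentional, a short comment in the advisory saying so would stop the next editor from re-adding it.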
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/advisory-db-20210601/crates/ws/RUSTSEC-2020-0043.md
new/advisory-db-20210619/crates/ws/RUSTSEC-2020-0043.md
--- old/advisory-db-20210601/crates/ws/RUSTSEC-2020-0043.md 2021-05-22
20:13:18.000000000 +0200
+++ new/advisory-db-20210619/crates/ws/RUSTSEC-2020-0043.md 2021-06-16
23:05:39.000000000 +0200
@@ -18,4 +18,4 @@
This allows a remote attacker to take down the process by growing the buffer
of their (single) connection until the process runs out of memory it can
allocate and is killed.
-The flaw was corrected in the [`parity-ws`
fork](https://crates.io/crates/parity-ws) (>0.10.0) by [disconnecting a client
when the buffer runs full](https://github.com/housleyjk/ws-rs/pull/328).
+The flaw was corrected in the [`parity-ws`
fork](https://crates.io/crates/parity-ws) (>=0.10.0) by [disconnecting a client
when the buffer runs full](https://github.com/housleyjk/ws-rs/pull/328).