Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package cargo-audit-advisory-db for
openSUSE:Factory checked in at 2022-03-11 21:41:13
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/cargo-audit-advisory-db (Old)
and /work/SRC/openSUSE:Factory/.cargo-audit-advisory-db.new.25692 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cargo-audit-advisory-db"
Fri Mar 11 21:41:13 2022 rev:20 rq:960956 version:20220311
Changes:
--------
---
/work/SRC/openSUSE:Factory/cargo-audit-advisory-db/cargo-audit-advisory-db.changes
2022-02-15 23:57:35.604264393 +0100
+++
/work/SRC/openSUSE:Factory/.cargo-audit-advisory-db.new.25692/cargo-audit-advisory-db.changes
2022-03-11 21:41:26.078078361 +0100
@@ -1,0 +2,15 @@
+Fri Mar 11 03:15:25 UTC 2022 - [email protected]
+
+- Update to version 20220311:
+ * Assigned RUSTSEC-2022-0013 to regex (#1208)
+ * add cve-2022-24713 (#1207)
+ * mark RUSTSEC-2021-0019 fixed, add references (#1206)
+ * RUSTSEC-2021-0134: Remove recursive_reference from the list of
alternatives (#1200)
+ * Assigned RUSTSEC-2022-0012 to arrow2 (#1205)
+ * Added advisory for `arrow2::ffi::Ffi_ArrowArray` double free (#1204)
+ * Assigned RUSTSEC-2022-0011 to rust-crypto (#1202)
+ * `rust-crypto`: miscomputation when performing AES encryption (#1201)
+ * Update RUSTSEC-2020-0150.md (#1199)
+ * Assigned RUSTSEC-2022-0010 to enum-map (#1198)
+
+-------------------------------------------------------------------
Old:
----
advisory-db-20220215.tar.xz
New:
----
advisory-db-20220311.tar.xz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ cargo-audit-advisory-db.spec ++++++
--- /var/tmp/diff_new_pack.d0oliw/_old 2022-03-11 21:41:26.630078785 +0100
+++ /var/tmp/diff_new_pack.d0oliw/_new 2022-03-11 21:41:26.634078787 +0100
@@ -17,7 +17,7 @@
Name: cargo-audit-advisory-db
-Version: 20220215
+Version: 20220311
Release: 0
Summary: A database of known security issues for Rust depedencies
License: CC0-1.0
++++++ _service ++++++
--- /var/tmp/diff_new_pack.d0oliw/_old 2022-03-11 21:41:26.666078813 +0100
+++ /var/tmp/diff_new_pack.d0oliw/_new 2022-03-11 21:41:26.670078815 +0100
@@ -2,7 +2,7 @@
<service mode="disabled" name="obs_scm">
<param name="url">https://github.com/RustSec/advisory-db.git</param>
<param name="scm">git</param>
- <param name="version">20220215</param>
+ <param name="version">20220311</param>
<param name="revision">master</param>
<param name="changesgenerate">enable</param>
<param name="changesauthor">[email protected]</param>
++++++ advisory-db-20220215.tar.xz -> advisory-db-20220311.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/advisory-db-20220215/.duplicate-id-guard
new/advisory-db-20220311/.duplicate-id-guard
--- old/advisory-db-20220215/.duplicate-id-guard 2022-02-09
15:34:03.000000000 +0100
+++ new/advisory-db-20220311/.duplicate-id-guard 2022-03-08
16:14:30.000000000 +0100
@@ -1,3 +1,3 @@
This file causes merge conflicts if two ID assignment jobs run concurrently.
This prevents duplicate ID assignment due to a race between those jobs.
-5518448e55d2a585c2a6276dba5d12fb0afe464d10790643ed57c0a18c53a126 -
+f551fc85bdd3f40721d0af2ced95b014fb1dfca6b86634824e8ca8f7fc128cd2 -
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20220215/crates/arrow2/RUSTSEC-2022-0012.md
new/advisory-db-20220311/crates/arrow2/RUSTSEC-2022-0012.md
--- old/advisory-db-20220215/crates/arrow2/RUSTSEC-2022-0012.md 1970-01-01
01:00:00.000000000 +0100
+++ new/advisory-db-20220311/crates/arrow2/RUSTSEC-2022-0012.md 2022-03-08
16:14:30.000000000 +0100
@@ -0,0 +1,24 @@
+```toml
+[advisory]
+id = "RUSTSEC-2022-0012"
+package = "arrow2"
+date = "2022-03-04"
+url = "https://github.com/jorgecarleitao/arrow2/issues/880";
+categories = ["memory-corruption"]
+
+[versions]
+patched = [">= 0.7.1, < 0.8", ">= 0.8.2, < 0.9", ">= 0.9.2, < 0.10"]
+```
+
+# Arrow2 allows double free in `safe` code
+
+The struct `Ffi_ArrowArray` implements `#derive(Clone)` that is inconsistent
with
+its custom implementation of `Drop`, resulting in a double free when cloned.
+
+Cloning this struct in `safe` results in a segmentation fault, which is
unsound.
+
+This derive was removed from this struct. All users are advised to either:
+* bump the patch version of this crate (for versions `v0.7,v0.8,v0.9`), or
+* migrate to a more recent version of the crate (when using `<0.7`).
+
+Doing so elimitates this vulnerability (code no longer compiles).
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20220215/crates/disrustor/RUSTSEC-2020-0150.md
new/advisory-db-20220311/crates/disrustor/RUSTSEC-2020-0150.md
--- old/advisory-db-20220215/crates/disrustor/RUSTSEC-2020-0150.md
2022-02-09 15:34:03.000000000 +0100
+++ new/advisory-db-20220311/crates/disrustor/RUSTSEC-2020-0150.md
2022-03-08 16:14:30.000000000 +0100
@@ -9,7 +9,7 @@
cvss = "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
[versions]
-patched = []
+patched = [">= 0.3"]
```
# RingBuffer can create multiple mutable references and cause data races
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20220215/crates/enum-map/RUSTSEC-2022-0010.md
new/advisory-db-20220311/crates/enum-map/RUSTSEC-2022-0010.md
--- old/advisory-db-20220215/crates/enum-map/RUSTSEC-2022-0010.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20220311/crates/enum-map/RUSTSEC-2022-0010.md
2022-03-08 16:14:30.000000000 +0100
@@ -0,0 +1,56 @@
+```toml
+[advisory]
+id = "RUSTSEC-2022-0010"
+package = "enum-map"
+date = "2022-02-17"
+url =
"https://gitlab.com/KonradBorowski/enum-map/-/blob/master/CHANGELOG.md#version-202";
+categories = ["code-execution", "memory-corruption", "memory-exposure"]
+informational = "unsound"
+
+[versions]
+patched = [">= 2.0.2"]
+unaffected = ["< 2.0.0-2"]
+```
+
+# enum_map macro can cause UB when `Enum` trait is incorrectly implemented
+
+Affected versions of this crate did not properly check the length of an enum
when using `enum_map!` macro, trusting user-provided length.
+
+When the `LENGTH` in the `Enum` trait does not match the array length in the
`EnumArray` trait, this can result in the initialization of the enum map with
uninitialized types, which in turn can allow an attacker to execute arbitrary
code.
+
+This problem can only occur with a manual implementation of the Enum trait, it
will never occur for enums that use `#[derive(Enum)]`.
+
+Example code that triggers this vulnerability looks like this:
+
+```rust
+enum E {
+ A,
+ B,
+ C,
+}
+
+impl Enum for E {
+ const LENGTH: usize = 2;
+
+ fn from_usize(value: usize) -> E {
+ match value {
+ 0 => E::A,
+ 1 => E::B,
+ 2 => E::C,
+ _ => unimplemented!(),
+ }
+ }
+
+ fn into_usize(self) -> usize {
+ self as usize
+ }
+}
+
+impl<V> EnumArray<V> for E {
+ type Array = [V; 3];
+}
+
+let _map: EnumMap<E, String> = enum_map! { _ => "Hello, world!".into() };
+```
+
+The flaw was corrected in commit
[b824e23](https://gitlab.com/KonradBorowski/enum-map/-/commit/b824e232f2fb47837740070096ac253df8e80dfc)
by putting `LENGTH` property on sealed trait for macro to read.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20220215/crates/regex/RUSTSEC-2022-0013.md
new/advisory-db-20220311/crates/regex/RUSTSEC-2022-0013.md
--- old/advisory-db-20220215/crates/regex/RUSTSEC-2022-0013.md 1970-01-01
01:00:00.000000000 +0100
+++ new/advisory-db-20220311/crates/regex/RUSTSEC-2022-0013.md 2022-03-08
16:14:30.000000000 +0100
@@ -0,0 +1,65 @@
+```toml
+[advisory]
+id = "RUSTSEC-2022-0013"
+package = "regex"
+date = "2022-03-08"
+url =
"https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw";
+categories = ["denial-of-service"]
+aliases = ["CVE-2022-24713"]
+cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+
+[versions]
+patched = [">= 1.5.5"]
+```
+
+# Regexes with large repetitions on empty sub-expressions take a very long
time to parse
+
+The Rust Security Response WG was notified that the `regex` crate did not
+properly limit the complexity of the regular expressions (regex) it parses. An
+attacker could use this security issue to perform a denial of service, by
+sending a specially crafted regex to a service accepting untrusted regexes. No
+known vulnerability is present when parsing untrusted input with trusted
+regexes.
+
+This issue has been assigned CVE-2022-24713. The severity of this vulnerability
+is "high" when the `regex` crate is used to parse untrusted regexes. Other uses
+of the `regex` crate are not affected by this vulnerability.
+
+## Overview
+
+The `regex` crate features built-in mitigations to prevent denial of service
+attacks caused by untrusted regexes, or untrusted input matched by trusted
+regexes. Those (tunable) mitigations already provide sane defaults to prevent
+attacks. This guarantee is documented and it's considered part of the crate's
+API.
+
+Unfortunately a bug was discovered in the mitigations designed to prevent
+untrusted regexes to take an arbitrary amount of time during parsing, and it's
+possible to craft regexes that bypass such mitigations. This makes it possible
+to perform denial of service attacks by sending specially crafted regexes to
+services accepting user-controlled, untrusted regexes.
+
+## Affected versions
+
+All versions of the `regex` crate before or equal to 1.5.4 are affected by this
+issue. The fix is include starting from `regex` 1.5.5.
+
+## Mitigations
+
+We recommend everyone accepting user-controlled regexes to upgrade immediately
+to the latest version of the `regex` crate.
+
+Unfortunately there is no fixed set of problematic regexes, as there are
+practically infinite regexes that could be crafted to exploit this
+vulnerability. Because of this, we do not recommend denying known problematic
+regexes.
+
+## Acknowledgements
+
+We want to thank Addison Crump for responsibly disclosing this to us according
+to the [Rust security policy][1], and for helping review the fix.
+
+We also want to thank Andrew Gallant for developing the fix, and Pietro Albini
+for coordinating the disclosure and writing this advisory.
+
+[1]: https://www.rust-lang.org/policies/security
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20220215/crates/rental/RUSTSEC-2021-0134.md
new/advisory-db-20220311/crates/rental/RUSTSEC-2021-0134.md
--- old/advisory-db-20220215/crates/rental/RUSTSEC-2021-0134.md 2022-02-09
15:34:03.000000000 +0100
+++ new/advisory-db-20220311/crates/rental/RUSTSEC-2021-0134.md 2022-03-08
16:14:30.000000000 +0100
@@ -17,6 +17,5 @@
Maintained alternatives include:
* [`ouroboros`](https://crates.io/crates/ouroboros)
-* [`recursive_reference`](https://crates.io/crates/recursive_reference)
* [`fortify`](https://crates.io/crates/fortify)
* [`escher`](https://crates.io/crates/escher)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20220215/crates/rust-crypto/RUSTSEC-2022-0011.md
new/advisory-db-20220311/crates/rust-crypto/RUSTSEC-2022-0011.md
--- old/advisory-db-20220215/crates/rust-crypto/RUSTSEC-2022-0011.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20220311/crates/rust-crypto/RUSTSEC-2022-0011.md
2022-03-08 16:14:30.000000000 +0100
@@ -0,0 +1,132 @@
+```toml
+[advisory]
+id = "RUSTSEC-2022-0011"
+
+package = "rust-crypto"
+
+date = "2022-02-28"
+
+categories = ["crypto-failure"]
+
+keywords = ["aesni"]
+
+[versions]
+patched = []
+```
+
+# Miscomputation when performing AES encryption in rust-crypto
+
+The following Rust program demonstrates some strangeness in AES encryption -
if you have an immutable key slice and then operate on that slice, you get
different encryption output than if you operate on a copy of that key.
+
+For these functions, we expect that extending a 16 byte key to a 32 byte key
by repeating it gives the same encrypted data, because the underlying
rust-crypto functions repeat key data up to the necessary key size for the
cipher.
+
+```rust
+use crypto::{
+ aes, blockmodes, buffer,
+ buffer::{BufferResult, ReadBuffer, WriteBuffer},
+ symmetriccipher,
+};
+
+fn encrypt(
+ key: &[u8],
+ iv: &[u8],
+ data: &str,
+) -> Result<String, symmetriccipher::SymmetricCipherError> {
+ let mut encryptor =
+ aes::cbc_encryptor(aes::KeySize::KeySize256, key, iv,
blockmodes::PkcsPadding);
+
+ let mut encrypted_data = Vec::<u8>::new();
+ let mut read_buffer = buffer::RefReadBuffer::new(data.as_bytes());
+ let mut buffer = [0; 4096];
+ let mut write_buffer = buffer::RefWriteBuffer::new(&mut buffer);
+
+ loop {
+ let result = encryptor.encrypt(&mut read_buffer, &mut write_buffer,
true)?;
+
+ encrypted_data.extend(
+ write_buffer
+ .take_read_buffer()
+ .take_remaining()
+ .iter()
+ .copied(),
+ );
+
+ match result {
+ BufferResult::BufferUnderflow => break,
+ BufferResult::BufferOverflow => {}
+ }
+ }
+
+ Ok(hex::encode(encrypted_data))
+}
+
+fn working() {
+ let data = "data";
+ let iv = [
+ 0xF0, 0xF1, 0xF2, 0xF3, 0xF4, 0xF5, 0xF6, 0xF7, 0xF8, 0xF9, 0xFA,
0xFB, 0xFC, 0xFD, 0xFE,
+ 0xFF,
+ ];
+ let key = [
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A,
0x0B, 0x0C, 0x0D, 0x0E,
+ 0x0F,
+ ];
+ // The copy here makes the code work.
+ let key_copy = key;
+ let key2: Vec<u8> = key_copy.iter().cycle().take(32).copied().collect();
+ println!("key1:{} key2: {}", hex::encode(&key), hex::encode(&key2));
+
+ let x1 = encrypt(&key, &iv, data).unwrap();
+ println!("X1: {}", x1);
+
+ let x2 = encrypt(&key2, &iv, data).unwrap();
+ println!("X2: {}", x2);
+
+ assert_eq!(x1, x2);
+}
+
+fn broken() {
+ let data = "data";
+ let iv = [
+ 0xF0, 0xF1, 0xF2, 0xF3, 0xF4, 0xF5, 0xF6, 0xF7, 0xF8, 0xF9, 0xFA,
0xFB, 0xFC, 0xFD, 0xFE,
+ 0xFF,
+ ];
+ let key = [
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A,
0x0B, 0x0C, 0x0D, 0x0E,
+ 0x0F,
+ ];
+ // This operation shouldn't affect the contents of key at all.
+ let key2: Vec<u8> = key.iter().cycle().take(32).copied().collect();
+ println!("key1:{} key2: {}", hex::encode(&key), hex::encode(&key2));
+
+ let x1 = encrypt(&key, &iv, data).unwrap();
+ println!("X1: {}", x1);
+
+ let x2 = encrypt(&key2, &iv, data).unwrap();
+ println!("X2: {}", x2);
+
+ assert_eq!(x1, x2);
+}
+
+fn main() {
+ working();
+ broken();
+}
+```
+
+The output from this program:
+
+```shell
+ Running `target/host/debug/rust-crypto-test`
+key1:000102030405060708090a0b0c0d0e0f key2:
000102030405060708090a0b0c0d0e0f000102030405060708090a0b0c0d0e0f
+X1: 90462bbe32965c8e7ea0addbbed4cddb
+X2: 90462bbe32965c8e7ea0addbbed4cddb
+key1:000102030405060708090a0b0c0d0e0f key2:
000102030405060708090a0b0c0d0e0f000102030405060708090a0b0c0d0e0f
+X1: 26e847e5e7df1947bf82a650548a7d5b
+X2: 90462bbe32965c8e7ea0addbbed4cddb
+thread 'main' panicked at 'assertion failed: `(left == right)`
+ left: `"26e847e5e7df1947bf82a650548a7d5b"`,
+ right: `"90462bbe32965c8e7ea0addbbed4cddb"`', src/main.rs:83:5
+```
+
+Notably, the X1 key in the `broken()` test changes every time after rerunning
the program.
+
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/advisory-db-20220215/crates/xcb/RUSTSEC-2021-0019.md
new/advisory-db-20220311/crates/xcb/RUSTSEC-2021-0019.md
--- old/advisory-db-20220215/crates/xcb/RUSTSEC-2021-0019.md 2022-02-09
15:34:03.000000000 +0100
+++ new/advisory-db-20220311/crates/xcb/RUSTSEC-2021-0019.md 2022-03-08
16:14:30.000000000 +0100
@@ -10,10 +10,11 @@
]
date = "2021-02-04"
url = "https://github.com/RustSec/advisory-db/issues/653";
+references = ["https://github.com/rust-x-bindings/rust-xcb/issues/78";,
"https://github.com/rust-x-bindings/rust-xcb/issues/94";,
"https://github.com/rust-x-bindings/rust-xcb/issues/95";,
"https://github.com/rust-x-bindings/rust-xcb/issues/96";]
categories = ["memory-corruption", "memory-exposure"]
[versions]
-patched = []
+patched = [">= 1.0"]
```
# Multiple soundness issues
@@ -26,7 +27,7 @@
null bytes, but otherwise allows any X11 client to create an atom for arbitrary
bytes.
-This issue is tracked here: https://github.com/rtbo/rust-xcb/issues/96
+This issue is tracked here:
https://github.com/rust-x-bindings/rust-xcb/issues/96
## `xcb::xproto::GetPropertyReply::value()` allows arbitrary return types
@@ -37,7 +38,7 @@
The users of the `xcb` crate are advised to only call this function with the
intended types. These are `u8`, `u16`, and `u32`.
-This issue is tracked here: https://github.com/rtbo/rust-xcb/issues/95
+This issue is tracked here:
https://github.com/rust-x-bindings/rust-xcb/issues/95
## Out of bounds read in `xcb::xproto::change_property()`
@@ -53,7 +54,7 @@
The users of the `xcb` crate are advised to only call this function with one of
the intended argument combinations.
-This issue is tracked here: https://github.com/rtbo/rust-xcb/issues/94
+This issue is tracked here:
https://github.com/rust-x-bindings/rust-xcb/issues/94
## 'Safe' wrapper around `std::mem::transmute()`
@@ -69,4 +70,4 @@
Users are advised to only cast to the event structs provided by the `xcb` crate
(and hope for the best).
-This issue is tracked here: https://github.com/rtbo/rust-xcb/issues/78
+This issue is tracked here:
https://github.com/rust-x-bindings/rust-xcb/issues/78
