Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package cargo-audit-advisory-db for
openSUSE:Factory checked in at 2023-01-18 13:12:20
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/cargo-audit-advisory-db (Old)
and /work/SRC/openSUSE:Factory/.cargo-audit-advisory-db.new.32243 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cargo-audit-advisory-db"
Wed Jan 18 13:12:20 2023 rev:28 rq:1059180 version:20230117
Changes:
--------
---
/work/SRC/openSUSE:Factory/cargo-audit-advisory-db/cargo-audit-advisory-db.changes
2022-11-02 12:47:59.597827453 +0100
+++
/work/SRC/openSUSE:Factory/.cargo-audit-advisory-db.new.32243/cargo-audit-advisory-db.changes
2023-01-18 13:12:26.241242178 +0100
@@ -1,0 +2,15 @@
+Tue Jan 17 03:29:22 UTC 2023 - [email protected]
+
+- Update to version 20230117:
+ * Assigned RUSTSEC-2022-0080 to parity-util-mem (#1530)
+ * Add parity-util-mem unmaintained (#1528)
+ * Assigned RUSTSEC-2021-0146 to twoway (#1529)
+ * Add unmaintained `twoway` (#1435)
+ * Assigned RUSTSEC-2022-0079 to elf_rs (#1527)
+ * Add advisory for elf_rs crate (#1450)
+ * Update RUSTSEC-2021-0088.md (#1512)
+ * Assigned RUSTSEC-2022-0078 to bumpalo (#1526)
+ * Add advisory for bumpalo Vec iterator unsoundness (#1525)
+ * Assigned RUSTSEC-2022-0077 to claim (#1523)
+
+-------------------------------------------------------------------
Old:
----
advisory-db-20221102.tar.xz
New:
----
advisory-db-20230117.tar.xz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ cargo-audit-advisory-db.spec ++++++
--- /var/tmp/diff_new_pack.sYRxQp/_old 2023-01-18 13:12:26.689243873 +0100
+++ /var/tmp/diff_new_pack.sYRxQp/_new 2023-01-18 13:12:26.697243904 +0100
@@ -1,7 +1,7 @@
#
# spec file for package cargo-audit-advisory-db
#
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
Name: cargo-audit-advisory-db
-Version: 20221102
+Version: 20230117
Release: 0
Summary: A database of known security issues for Rust depedencies
License: CC0-1.0
++++++ _service ++++++
--- /var/tmp/diff_new_pack.sYRxQp/_old 2023-01-18 13:12:26.725244010 +0100
+++ /var/tmp/diff_new_pack.sYRxQp/_new 2023-01-18 13:12:26.729244025 +0100
@@ -2,7 +2,7 @@
<service mode="disabled" name="obs_scm">
<param name="url">https://github.com/RustSec/advisory-db.git</param>
<param name="scm">git</param>
- <param name="version">20221102</param>
+ <param name="version">20230117</param>
<param name="revision">main</param>
<param name="changesgenerate">enable</param>
<param name="changesauthor">[email protected]</param>
++++++ advisory-db-20221102.tar.xz -> advisory-db-20230117.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/advisory-db-20221102/.duplicate-id-guard
new/advisory-db-20230117/.duplicate-id-guard
--- old/advisory-db-20221102/.duplicate-id-guard 2022-11-01
18:11:10.000000000 +0100
+++ new/advisory-db-20230117/.duplicate-id-guard 2023-01-16
10:26:23.000000000 +0100
@@ -1,3 +1,3 @@
This file causes merge conflicts if two ID assignment jobs run concurrently.
This prevents duplicate ID assignment due to a race between those jobs.
-1550808dc193737c18ba8ca656a087512d904f1a8bd8b64a7a37195f0c887eae -
+47ac6576d0eaab6436fdc15b1625f5018bac1fdd0cc2add55d0c7b4f9e922ff1 -
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20221102/.github/workflows/assign-ids.yml
new/advisory-db-20230117/.github/workflows/assign-ids.yml
--- old/advisory-db-20221102/.github/workflows/assign-ids.yml 2022-11-01
18:11:10.000000000 +0100
+++ new/advisory-db-20230117/.github/workflows/assign-ids.yml 2023-01-16
10:26:23.000000000 +0100
@@ -15,19 +15,19 @@
uses: actions/cache@v3
with:
path: ~/.cargo/bin
- key: rustsec-admin-v0.7.0
+ key: rustsec-admin-v0.8.5
- name: Install rustsec-admin
run: |
if [ ! -f $HOME/.cargo/bin/rustsec-admin ]; then
- cargo install rustsec-admin --vers 0.7.0
+ cargo install rustsec-admin --vers 0.8.5
fi
- name: Assign IDs
id: assign
run: |
message=$(rustsec-admin assign-id --github-actions-output)
- echo "::set-output name=commit_message::${message}"
+ echo "commit_message=${message}" >> $GITHUB_OUTPUT
- name: Create duplicate ID assignment guard
run: |
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20221102/.github/workflows/export-osv.yml
new/advisory-db-20230117/.github/workflows/export-osv.yml
--- old/advisory-db-20221102/.github/workflows/export-osv.yml 2022-11-01
18:11:10.000000000 +0100
+++ new/advisory-db-20230117/.github/workflows/export-osv.yml 2023-01-16
10:26:23.000000000 +0100
@@ -14,10 +14,10 @@
- uses: actions/cache@v3
with:
path: ~/.cargo/bin
- key: rustsec-admin-v0.7.0
+ key: rustsec-admin-v0.8.5
- run: |
if [ ! -f $HOME/.cargo/bin/rustsec-admin ]; then
- cargo install rustsec-admin --vers 0.7.0
+ cargo install rustsec-admin --vers 0.8.5
fi
mkdir -p crates
rustsec-admin osv crates
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20221102/.github/workflows/publish-web.yml
new/advisory-db-20230117/.github/workflows/publish-web.yml
--- old/advisory-db-20221102/.github/workflows/publish-web.yml 2022-11-01
18:11:10.000000000 +0100
+++ new/advisory-db-20230117/.github/workflows/publish-web.yml 2023-01-16
10:26:23.000000000 +0100
@@ -14,10 +14,10 @@
- uses: actions/cache@v3
with:
path: ~/.cargo/bin
- key: rustsec-admin-v0.8.2
+ key: rustsec-admin-v0.8.5
- run: |
if [ ! -f $HOME/.cargo/bin/rustsec-admin ]; then
- cargo install rustsec-admin --vers 0.8.2
+ cargo install rustsec-admin --vers 0.8.5
fi
rustsec-admin web .
git config user.name github-actions
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/advisory-db-20221102/.github/workflows/validate.yml
new/advisory-db-20230117/.github/workflows/validate.yml
--- old/advisory-db-20221102/.github/workflows/validate.yml 2022-11-01
18:11:10.000000000 +0100
+++ new/advisory-db-20230117/.github/workflows/validate.yml 2023-01-16
10:26:23.000000000 +0100
@@ -16,12 +16,12 @@
uses: actions/cache@v3
with:
path: ~/.cargo/bin
- key: rustsec-admin-v0.8.1p
+ key: rustsec-admin-v0.8.5
- name: Install rustsec-admin
run: |
if [ ! -f $HOME/.cargo/bin/rustsec-admin ]; then
- cargo install rustsec-admin --vers 0.8.1
+ cargo install rustsec-admin --vers 0.8.5
fi
- name: Lint advisories
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/advisory-db-20221102/CODE_OF_CONDUCT.md
new/advisory-db-20230117/CODE_OF_CONDUCT.md
--- old/advisory-db-20221102/CODE_OF_CONDUCT.md 2022-11-01 18:11:10.000000000
+0100
+++ new/advisory-db-20230117/CODE_OF_CONDUCT.md 2023-01-16 10:26:23.000000000
+0100
@@ -1,74 +1,5 @@
-# Contributor Covenant Code of Conduct
+# Code of Conduct
-## Our Pledge
+People participating in the project are expected to abide by the [Rust Code of
Conduct](https://www.rust-lang.org/policies/code-of-conduct).
-In the interest of fostering an open and welcoming environment, we as
-contributors and maintainers pledge to making participation in our project and
-our community a harassment-free experience for everyone, regardless of age,
body
-size, disability, ethnicity, gender identity and expression, level of
experience,
-nationality, personal appearance, race, religion, or sexual identity and
-orientation.
-
-## Our Standards
-
-Examples of behavior that contributes to creating a positive environment
-include:
-
-* Using welcoming and inclusive language
-* Being respectful of differing viewpoints and experiences
-* Gracefully accepting constructive criticism
-* Focusing on what is best for the community
-* Showing empathy towards other community members
-
-Examples of unacceptable behavior by participants include:
-
-* The use of sexualized language or imagery and unwelcome sexual attention or
-advances
-* Trolling, insulting/derogatory comments, and personal or political attacks
-* Public or private harassment
-* Publishing others' private information, such as a physical or electronic
- address, without explicit permission
-* Other conduct which could reasonably be considered inappropriate in a
- professional setting
-
-## Our Responsibilities
-
-Project maintainers are responsible for clarifying the standards of acceptable
-behavior and are expected to take appropriate and fair corrective action in
-response to any instances of unacceptable behavior.
-
-Project maintainers have the right and responsibility to remove, edit, or
-reject comments, commits, code, wiki edits, issues, and other contributions
-that are not aligned to this Code of Conduct, or to ban temporarily or
-permanently any contributor for other behaviors that they deem inappropriate,
-threatening, offensive, or harmful.
-
-## Scope
-
-This Code of Conduct applies both within project spaces and in public spaces
-when an individual is representing the project or its community. Examples of
-representing a project or community include using an official project e-mail
-address, posting via an official social media account, or acting as an
appointed
-representative at an online or offline event. Representation of a project may
be
-further defined and clarified by project maintainers.
-
-## Enforcement
-
-Instances of abusive, harassing, or otherwise unacceptable behavior may be
-reported by contacting the project team at [email protected]. All
-complaints will be reviewed and investigated and will result in a response that
-is deemed necessary and appropriate to the circumstances. The project team is
-obligated to maintain confidentiality with regard to the reporter of an
incident.
-Further details of specific enforcement policies may be posted separately.
-
-Project maintainers who do not follow or enforce the Code of Conduct in good
-faith may face temporary or permanent repercussions as determined by other
-members of the project's leadership.
-
-## Attribution
-
-This Code of Conduct is adapted from the [Contributor Covenant][homepage],
version 1.4,
-available at [http://contributor-covenant.org/version/1/4][version]
-
-[homepage]: http://contributor-covenant.org
-[version]: http://contributor-covenant.org/version/1/4/
+If you feel you have been or are being harassed or made uncomfortable by a
community member, please contact any of the [Rust Moderation
Team]([email protected]) immediately. Whether you are a regular
contributor or a newcomer, we care about making the community a safe space for
you.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/advisory-db-20221102/LICENSE.txt
new/advisory-db-20230117/LICENSE.txt
--- old/advisory-db-20221102/LICENSE.txt 2022-11-01 18:11:10.000000000
+0100
+++ new/advisory-db-20230117/LICENSE.txt 2023-01-16 10:26:23.000000000
+0100
@@ -9,3 +9,11 @@
You can copy, modify, distribute, and retransmit any information in this
repository, even for commercial purposes, without asking permission.
+
+Additional content from GitHub Security Advisory ("GHSA") database
+
+Additional content may be adapted from GHSA with attribution requirements, but
+with no additional clauses like copyleft.
+
+Any such license and attribution will be explicitly covered on an advisory by
+advisory basis directly within the applicable advisories.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20221102/crates/alloc-cortex-m/RUSTSEC-2022-0073.md
new/advisory-db-20230117/crates/alloc-cortex-m/RUSTSEC-2022-0073.md
--- old/advisory-db-20221102/crates/alloc-cortex-m/RUSTSEC-2022-0073.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20230117/crates/alloc-cortex-m/RUSTSEC-2022-0073.md
2023-01-16 10:26:23.000000000 +0100
@@ -0,0 +1,20 @@
+```toml
+[advisory]
+id = "RUSTSEC-2022-0073"
+package = "alloc-cortex-m"
+date = "2022-12-21"
+informational = "unmaintained"
+url = "https://github.com/rust-embedded/embedded-alloc/pull/56";
+
+[versions]
+patched = []
+unaffected = []
+```
+
+# crate has been renamed to `embedded-alloc`
+
+This crate has been renamed from `alloc-cortex-m` to `embedded-alloc`.
+
+The new repository location is:
+
+<https://github.com/rust-embedded/embedded-alloc>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20221102/crates/atty/RUSTSEC-2021-0145.md
new/advisory-db-20230117/crates/atty/RUSTSEC-2021-0145.md
--- old/advisory-db-20221102/crates/atty/RUSTSEC-2021-0145.md 1970-01-01
01:00:00.000000000 +0100
+++ new/advisory-db-20230117/crates/atty/RUSTSEC-2021-0145.md 2023-01-16
10:26:23.000000000 +0100
@@ -0,0 +1,37 @@
+```toml
+[advisory]
+id = "RUSTSEC-2021-0145"
+package = "atty"
+date = "2021-07-04"
+url = "https://github.com/softprops/atty/issues/50";
+references = ["https://github.com/softprops/atty/pull/51";,
"https://github.com/softprops/atty/issues/57";]
+keywords = ["unaligned-read"]
+informational = "unsound"
+
+[affected]
+os = ["windows"]
+
+[versions]
+patched = []
+```
+
+# Potential unaligned read
+
+On windows, `atty` dereferences a potentially unaligned pointer.
+
+In practice however, the pointer won't be unaligned unless a custom global
allocator is used.
+
+In particular, the `System` allocator on windows uses `HeapAlloc`, which
guarantees a large enough alignment.
+
+# atty is Unmaintained
+
+A Pull Request with a fix has been provided over a year ago but the maintainer
seems to be unreachable.
+
+Last release of `atty` was almost 3 years ago.
+
+## Possible Alternative(s)
+
+The below list has not been vetted in any way and may or may not contain
alternatives;
+
+ - [is-terminal](https://crates.io/crates/is-terminal)
+ - std::io::IsTerminal *nightly-only experimental*
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20221102/crates/bumpalo/RUSTSEC-2022-0078.md
new/advisory-db-20230117/crates/bumpalo/RUSTSEC-2022-0078.md
--- old/advisory-db-20221102/crates/bumpalo/RUSTSEC-2022-0078.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20230117/crates/bumpalo/RUSTSEC-2022-0078.md
2023-01-16 10:26:23.000000000 +0100
@@ -0,0 +1,53 @@
+```toml
+[advisory]
+id = "RUSTSEC-2022-0078"
+package = "bumpalo"
+date = "2022-01-14"
+url = "https://github.com/fitzgen/bumpalo/blob/main/CHANGELOG.md#3111";
+categories = ["memory-corruption", "memory-exposure"]
+keywords = ["use-after-free"]
+informational = "unsound"
+
+[versions]
+patched = [">= 3.11.1"]
+unaffected = ["< 1.1.0"]
+
+[affected.functions]
+"bumpalo::collections::vec::Vec::into_iter" = ["< 3.11.1"]
+```
+
+# Use-after-free due to a lifetime error in `Vec::into_iter()`
+
+In affected versions of this crate, the lifetime of the iterator produced by
+`Vec::into_iter()` is not constrained to the lifetime of the `Bump` that
+allocated the vector's memory. Using the iterator after the `Bump` is dropped
+causes use-after-free accesses.
+
+The following example demonstrates memory corruption arising from a misuse of
+this unsoundness.
+
+```rust
+use bumpalo::{collections::Vec, Bump};
+
+fn main() {
+ let bump = Bump::new();
+ let mut vec = Vec::new_in(&bump);
+ vec.extend([0x01u8; 32]);
+ let into_iter = vec.into_iter();
+ drop(bump);
+
+ for _ in 0..100 {
+ let reuse_bump = Bump::new();
+ let _reuse_alloc = reuse_bump.alloc([0x41u8; 10]);
+ }
+
+ for x in into_iter {
+ print!("0x{:02x} ", x);
+ }
+ println!();
+}
+```
+
+The issue was corrected in version 3.11.1 by adding a lifetime to the
`IntoIter`
+type, and updating the signature of `Vec::into_iter()` to constrain this
+lifetime.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20221102/crates/capnp/RUSTSEC-2022-0068.md
new/advisory-db-20230117/crates/capnp/RUSTSEC-2022-0068.md
--- old/advisory-db-20221102/crates/capnp/RUSTSEC-2022-0068.md 1970-01-01
01:00:00.000000000 +0100
+++ new/advisory-db-20230117/crates/capnp/RUSTSEC-2022-0068.md 2023-01-16
10:26:23.000000000 +0100
@@ -0,0 +1,27 @@
+```toml
+[advisory]
+id = "RUSTSEC-2022-0068"
+package = "capnp"
+date = "2022-11-30"
+url =
"https://github.com/capnproto/capnproto/tree/master/security-advisories/2022-11-30-0-pointer-list-bounds.md";
+references =
["https://dwrensha.github.io/capnproto-rust/2022/11/30/out_of_bounds_memory_access_bug.html";,
"https://github.com/capnproto/capnproto/security/advisories/GHSA-qqff-4vw4-f6hx";]
+categories = ["memory-exposure"]
+aliases = ["CVE-2022-46149", "GHSA-qqff-4vw4-f6hx"]
+
+[versions]
+patched = [">= 0.15.2", "^0.14.11", "^0.13.7"]
+```
+
+# out-of-bounds read possible when setting list-of-pointers
+
+If a message consumer expects data
+of type "list of pointers",
+and if the consumer performs certain specific actions on such data,
+then a message producer can cause the consumer to read out-of-bounds memory.
+This could trigger a process crash in the consumer,
+or in some cases could allow exfiltration of private in-memory data.
+
+The C++ Cap'n Proto library is also affected by this bug.
+See the
[advisory](https://github.com/capnproto/capnproto/tree/master/security-advisories/2022-11-30-0-pointer-list-bounds.md)
+on the main Cap'n Proto repo for a succinct description of
+the exact circumstances in which the problem can arise.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20221102/crates/claim/RUSTSEC-2022-0077.md
new/advisory-db-20230117/crates/claim/RUSTSEC-2022-0077.md
--- old/advisory-db-20221102/crates/claim/RUSTSEC-2022-0077.md 1970-01-01
01:00:00.000000000 +0100
+++ new/advisory-db-20230117/crates/claim/RUSTSEC-2022-0077.md 2023-01-16
10:26:23.000000000 +0100
@@ -0,0 +1,25 @@
+```toml
+[advisory]
+id = "RUSTSEC-2022-0077"
+package = "claim"
+date = "2022-12-04"
+url = "https://github.com/svartalf/rust-claim/issues/12";
+informational = "unmaintained"
+
+[versions]
+patched = []
+```
+
+# `claim` is Unmaintained
+
+The last release was in February 2021, almost two years ago.
+
+The maintainer has been unresponsive regarding this crate for over a year.
+
+A pending issue with `claim`'s dependencies has made the crate [difficul to
use](https://github.com/svartalf/rust-claim/issues/9)
+
+## Possible Alternative(s)
+
+The below list has not been vetted in any way and may or may not contain
alternatives;
+
+- [`claims`](https://crates.io/crates/claims), a direct fork of the `claim`
crate
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20221102/crates/conduit-hyper/RUSTSEC-2022-0066.md
new/advisory-db-20230117/crates/conduit-hyper/RUSTSEC-2022-0066.md
--- old/advisory-db-20221102/crates/conduit-hyper/RUSTSEC-2022-0066.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20230117/crates/conduit-hyper/RUSTSEC-2022-0066.md
2023-01-16 10:26:23.000000000 +0100
@@ -0,0 +1,24 @@
+```toml
+[advisory]
+id = "RUSTSEC-2022-0066"
+package = "conduit-hyper"
+date = "2022-10-30"
+url =
"https://github.com/conduit-rust/conduit-hyper/security/advisories/GHSA-9398-5ghf-7pr6";
+categories = ["denial-of-service"]
+aliases = ["GHSA-9398-5ghf-7pr6", "CVE-2022-39294"]
+cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+
+[versions]
+patched = [">= 0.4.2"]
+unaffected = ["< 0.2.0-alpha.3"]
+```
+
+# Denial of Service from unchecked request length
+
+Prior to version 0.4.2, `conduit-hyper` did not check any limit on a request's
+length before calling `hyper::body::to_bytes`. An attacker could send a
+malicious request with an abnormally large `Content-Length`, which could lead
+to a panic if memory allocation failed for that request.
+
+In version 0.4.2, `conduit-hyper` sets an internal limit of 128 MiB per
+request, otherwise returning status 400 ("Bad Request").
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20221102/crates/csv-sniffer/RUSTSEC-2021-0088.md
new/advisory-db-20230117/crates/csv-sniffer/RUSTSEC-2021-0088.md
--- old/advisory-db-20221102/crates/csv-sniffer/RUSTSEC-2021-0088.md
2022-11-01 18:11:10.000000000 +0100
+++ new/advisory-db-20230117/crates/csv-sniffer/RUSTSEC-2021-0088.md
2023-01-16 10:26:23.000000000 +0100
@@ -4,11 +4,12 @@
package = "csv-sniffer"
date = "2021-01-05"
url = "https://github.com/jblondin/csv-sniffer/issues/1";
+references = ["https://github.com/jblondin/csv-sniffer/pull/2";]
categories = ["memory-exposure"]
informational = "unsound"
[versions]
-patched = []
+patched = [">= 0.2.0"]
```
# `Read` on uninitialized memory may cause UB (fn preamble_skipcount())
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20221102/crates/elf_rs/RUSTSEC-2022-0079.md
new/advisory-db-20230117/crates/elf_rs/RUSTSEC-2022-0079.md
--- old/advisory-db-20221102/crates/elf_rs/RUSTSEC-2022-0079.md 1970-01-01
01:00:00.000000000 +0100
+++ new/advisory-db-20230117/crates/elf_rs/RUSTSEC-2022-0079.md 2023-01-16
10:26:23.000000000 +0100
@@ -0,0 +1,44 @@
+```toml
+[advisory]
+id = "RUSTSEC-2022-0079"
+package = "elf_rs"
+date = "2022-10-31"
+url = "https://github.com/vincenthouyi/elf_rs/issues/11";
+categories = ["memory-corruption"]
+keywords = ["elf", "header"]
+
+[versions]
+patched = []
+
+[affected]
+```
+
+# ELF header parsing library doesn't check for valid offset
+
+The crate has several unsafe sections that don't perform proper pointer
validation.
+
+An example can be found in the following function:
+
+```
+fn section_header_raw(&self) -> &[ET::SectionHeader] {
+ let sh_off = self.elf_header().section_header_offset() as usize;
+ let sh_num = self.elf_header().section_header_entry_num() as usize;
+ unsafe {
+ let sh_ptr = self.content().as_ptr().add(sh_off);
+ from_raw_parts(sh_ptr as *const ET::SectionHeader, sh_num)
+ }
+}
+```
+
+While this will work perfectly fine *if* the ELF header is valid, malicious or
+malformed input can contain a section header offset of an arbitrary size,
meaning
+that the resultant pointer in the unsafe block can point to an artibrary
address
+in the address space of the process.
+
+This can result in unpredictable behaviour, and in our fuzz testing, we
discovered
+that it's trivial to cause SIGABRT (signal 6), or SEGV (signal 11).
+
+The function should either be marked as unsafe, with a note that the caller is
responsible
+for providing only valid inputs, or it should ideally do the due diligence to
ensure that the
+offset doesn't exceed the bounds of the header (and add additional checks as
necessary).
+
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20221102/crates/flumedb/RUSTSEC-2021-0086.md
new/advisory-db-20230117/crates/flumedb/RUSTSEC-2021-0086.md
--- old/advisory-db-20221102/crates/flumedb/RUSTSEC-2021-0086.md
2022-11-01 18:11:10.000000000 +0100
+++ new/advisory-db-20230117/crates/flumedb/RUSTSEC-2021-0086.md
2023-01-16 10:26:23.000000000 +0100
@@ -4,11 +4,12 @@
package = "flumedb"
date = "2021-01-07"
url = "https://github.com/sunrise-choir/flumedb-rs/issues/10";
+references = ["https://github.com/sunrise-choir/flumedb-rs/pull/12";]
categories = ["memory-exposure"]
informational = "unsound"
[versions]
-patched = []
+patched = [">=0.1.6"]
```
# `Read` on uninitialized buffer may cause UB ( `read_entry()` )
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20221102/crates/git2/RUSTSEC-2023-0002.md
new/advisory-db-20230117/crates/git2/RUSTSEC-2023-0002.md
--- old/advisory-db-20221102/crates/git2/RUSTSEC-2023-0002.md 1970-01-01
01:00:00.000000000 +0100
+++ new/advisory-db-20230117/crates/git2/RUSTSEC-2023-0002.md 2023-01-16
10:26:23.000000000 +0100
@@ -0,0 +1,86 @@
+```toml
+[advisory]
+id = "RUSTSEC-2023-0002"
+package = "git2"
+date = "2023-01-12"
+url = "https://github.com/rust-lang/git2-rs/pull/909";
+references = ["https://blog.rust-lang.org/2023/01/10/cve-2022-46176.html";]
+categories = ["crypto-failure"]
+keywords = ["cargo", "ssh", "mitm"]
+withdrawn = "2023-01-13"
+
+[versions]
+patched = [">= 0.16.0"]
+```
+
+# git2 Rust package suppresses ssh host key checking
+
+By default, when accessing an ssh repository
+(ie via an `ssh:` git repository url)
+the git2 Rust package does not do any host key checking.
+
+Additionally,
+the provided API is not sufficient for a an application
+to do meaningful checking itself.
+
+## Impact
+
+When connecting to an ssh repository,
+and when an attacker can redirect the connection
+(performing a malice-in-the-middle attack)
+an affected application might:
+
+ * Receive git objects and branches controlled by the attacker,
+ exposing the local system (and whatever happens next)
+ to malicious data.
+ In many circumstances,
+ this could readily lead to privilege escalation.
+
+ * Erroneously send git objects to the attacker,
+ rather than to the intended recipient.
+ If the information is not supposed to be public,
+ this would constitute an information leak.
+ Also, since the data doesn't arrive where intended,
+ it consitutes a denial of service.
+
+## Technical details
+
+The `git2` Rust package (henceforth, git2-rs)
+unconditionally calls the underlying C `libgit2` functions to set
+an ssh certificate check callback.
+The Rust package uses this to offer
+the ability for the application to set a callback to a Rust function.
+
+The C-level callback function provided by git2-rs 0.15.0 and earlier:
+
+ * Always ignores the `is_valid` argument provided by `libgit2`,
+ which indicates whether `libgit2` considers the host key valid
+
+ * By default, performs no checks, and then
+ returns code `0`,
+ indicating to `libgit2` to override `libgit2`'s determination
+ and treat the host key as valid.
+
+ * Provides only limited APIs to the application
+ for examining the supplied host key,
+ and doesn't tell the application
+ whether `libgit2`'s checks succeeded,
+ so it is difficult for the application cannot work around the problem.
+
+## Resolution
+
+Upgrade to git2-rs 0.16.x.
+
+The default behaviour in 0.16.x is to
+honour `libgit2`'s validity determination.
+
+Note that adding this previously skipped check
+may cause existing setups to stop working.
+
+## Relationship to CVE-2022-46176
+
+This bug manifested in cargo where it was assigned CVE-2022-46176.
+
+The same bug exists in other applications which use
+affected versions of git2-rs
+unless they never try to access git repositories with `ssh:` urls.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20221102/crates/hyper-staticfile/RUSTSEC-2022-0069.md
new/advisory-db-20230117/crates/hyper-staticfile/RUSTSEC-2022-0069.md
--- old/advisory-db-20221102/crates/hyper-staticfile/RUSTSEC-2022-0069.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20230117/crates/hyper-staticfile/RUSTSEC-2022-0069.md
2023-01-16 10:26:23.000000000 +0100
@@ -0,0 +1,24 @@
+```toml
+[advisory]
+id = "RUSTSEC-2022-0069"
+package = "hyper-staticfile"
+date = "2022-11-30"
+url = "https://github.com/stephank/hyper-staticfile/issues/35";
+categories = ["file-disclosure"]
+keywords = ["directory traversal", "http"]
+
+[affected]
+os = ["windows"]
+
+[versions]
+patched = ["^0.9.2", ">= 0.10.0-alpha.2"]
+```
+
+# Improper validation of Windows paths could lead to directory traversal attack
+
+Path resolution in `hyper-staticfile` didn't correctly validate Windows paths
+meaning paths like `/foo/bar/c:/windows/web/screen/img101.png` would be allowed
+and respond with the contents of `c:/windows/web/screen/img101.png`. Thus users
+could potentially read files anywhere on the filesystem.
+
+This only impacts Windows. Linux and other unix likes are not impacted by this.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20221102/crates/hyper-staticfile/RUSTSEC-2022-0072.md
new/advisory-db-20230117/crates/hyper-staticfile/RUSTSEC-2022-0072.md
--- old/advisory-db-20221102/crates/hyper-staticfile/RUSTSEC-2022-0072.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20230117/crates/hyper-staticfile/RUSTSEC-2022-0072.md
2023-01-16 10:26:23.000000000 +0100
@@ -0,0 +1,24 @@
+```toml
+[advisory]
+id = "RUSTSEC-2022-0072"
+package = "hyper-staticfile"
+date = "2022-12-23"
+url =
"https://github.com/stephank/hyper-staticfile/commit/f12cadc6666c6f555d29725f5bc45da2103f24ea";
+categories = ["format-injection"]
+keywords = ["open redirect", "http"]
+
+[versions]
+patched = ["^0.9.4", ">= 0.10.0-alpha.5"]
+```
+
+# Location header incorporates user input, allowing open redirect
+
+When `hyper-staticfile` performs a redirect for a directory request (e.g. a
+request for `/dir` that redirects to `/dir/`), the `Location` header value was
+derived from user input (the request path), simply appending a slash. The
+intent was to perform an origin-relative redirect, but specific inputs
+allowed performing a scheme-relative redirect instead.
+
+An attacker could craft a special URL that would appear to be for the correct
+domain, but immediately redirects to a malicious domain. Such a URL can benefit
+phishing attacks, for example an innocent looking link in an email.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/advisory-db-20221102/crates/lzf/RUSTSEC-2022-0067.md
new/advisory-db-20230117/crates/lzf/RUSTSEC-2022-0067.md
--- old/advisory-db-20221102/crates/lzf/RUSTSEC-2022-0067.md 1970-01-01
01:00:00.000000000 +0100
+++ new/advisory-db-20230117/crates/lzf/RUSTSEC-2022-0067.md 2023-01-16
10:26:23.000000000 +0100
@@ -0,0 +1,27 @@
+```toml
+[advisory]
+id = "RUSTSEC-2022-0067"
+package = "lzf"
+date = "2022-10-22"
+url = "https://github.com/badboy/lzf-rs/issues/9";
+informational = "unsound"
+keywords = ["uninitialized-memory"]
+
+[versions]
+patched = [">= 0.3.2"]
+
+[affected]
+functions = { "lzf::compress" = ["< 0.3.2"], "lzf::decompress" = ["< 0.3.2"] }
+```
+
+# Invalid use of `mem::uninitialized` causes `use-of-uninitialized-value`
+
+The compression and decompression function used `mem:uninitialized`
+to create an array of uninitialized values, to later write values into it.
+This later leads to reads from uninitialized memory.
+
+The flaw was corrected in commit b633bf265e41c60dfce3be7eac4e4dd5e18d06cf
+by using a heap-allocated `Vec` and removing out use of `mem::uninitialized`.
+The fix was released in v0.3.2 and v1.0.0
+
+Subsequently the crate was deprecated and its use is discouraged.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20221102/crates/parity-util-mem/RUSTSEC-2022-0080.md
new/advisory-db-20230117/crates/parity-util-mem/RUSTSEC-2022-0080.md
--- old/advisory-db-20221102/crates/parity-util-mem/RUSTSEC-2022-0080.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20230117/crates/parity-util-mem/RUSTSEC-2022-0080.md
2023-01-16 10:26:23.000000000 +0100
@@ -0,0 +1,17 @@
+```toml
+[advisory]
+id = "RUSTSEC-2022-0080"
+package = "parity-util-mem"
+date = "2022-11-30"
+url = "https://github.com/paritytech/parity-common/pull/696";
+references = ["https://github.com/paritytech/parity-common/issues/607";,
"https://github.com/paritytech/parity-common/pull/697";]
+informational = "unmaintained"
+
+[versions]
+patched = []
+```
+# parity-util-mem Unmaintained
+
+The crate has been deprecated and will receive no updates with no repository
source.
+
+The crate has [a warning](https://crates.io/crates/parity-util-mem)
surrounding it's use related to global allocator use that may lead to UB.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20221102/crates/prettytable-rs/RUSTSEC-2022-0074.md
new/advisory-db-20230117/crates/prettytable-rs/RUSTSEC-2022-0074.md
--- old/advisory-db-20221102/crates/prettytable-rs/RUSTSEC-2022-0074.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20230117/crates/prettytable-rs/RUSTSEC-2022-0074.md
2023-01-16 10:26:23.000000000 +0100
@@ -0,0 +1,18 @@
+```toml
+[advisory]
+id = "RUSTSEC-2022-0074"
+package = "prettytable-rs"
+date = "2022-12-02"
+url = "https://github.com/phsym/prettytable-rs/issues/145";
+informational = "unsound"
+keywords = ["tab", "table", "format", "pretty", "print"]
+
+[versions]
+patched = [">= 0.10.0"]
+```
+
+# Force cast a &Vec<T> to &[T]
+
+In function `Table::as_ref`, a reference of vector is force cast to slice.
There are multiple problems here:
+1. To guarantee the size is correct, we have to first do `Vec::shrink_to_fit`.
The function requires a mutable reference, so we have to force cast from
immutable to mutable, which is UB.
+2. Even if (1) is sound, `&Vec<T>` and `&[T]` still might not have the same
layout. Treating them equally may lead to UB.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20221102/crates/rusoto_credential/RUSTSEC-2022-0071.md
new/advisory-db-20230117/crates/rusoto_credential/RUSTSEC-2022-0071.md
--- old/advisory-db-20221102/crates/rusoto_credential/RUSTSEC-2022-0071.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20230117/crates/rusoto_credential/RUSTSEC-2022-0071.md
2023-01-16 10:26:23.000000000 +0100
@@ -0,0 +1,17 @@
+```toml
+[advisory]
+id = "RUSTSEC-2022-0071"
+package = "rusoto_credential"
+date = "2022-04-24"
+url = "https://github.com/rusoto/rusoto/issues/1651";
+informational = "unmaintained"
+
+[versions]
+patched = []
+```
+
+# Rusoto is unmaintained
+
+The maintainers of Rusoto advise that all its crates are deprecated. This
includes the common crates `rusoto_core`, `rusoto_signature`,
`rusoto_credential`, and service crates such as `rusoto_s3` and `rusoto_ec2`.
+
+Users should migrate to the [AWS SDK for
Rust](https://github.com/awslabs/aws-sdk-rust), which is maintained by AWS.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20221102/crates/rustsec-example-crate/RUSTSEC-2019-0024.md
new/advisory-db-20230117/crates/rustsec-example-crate/RUSTSEC-2019-0024.md
--- old/advisory-db-20221102/crates/rustsec-example-crate/RUSTSEC-2019-0024.md
2022-11-01 18:11:10.000000000 +0100
+++ new/advisory-db-20230117/crates/rustsec-example-crate/RUSTSEC-2019-0024.md
2023-01-16 10:26:23.000000000 +0100
@@ -7,6 +7,7 @@
[versions]
patched = [">= 1.0.0"]
+unaffected = ["< 0.0.1"]
```
# Test advisory with associated example crate
@@ -17,13 +18,12 @@
itself to be a normal security advisory.
It's filed against `rustsec-example-crate`, an otherwise completely empty crate
-with no functionality or code, which has two releases:
+with no functionality or code, which has three releases:
+- [v0.0.0] - *unaffected* by this advisory (but *yanked* from crates.io)
- [v0.0.1] - *vulnerable* according to this advisory
- [v1.0.0] - *patched* by this advisory
-(Technically there is a third release, v0.0.0, which is yanked, but otherwise
-identical to the v0.0.1 release)
-
+[v0.0.0]: https://crates.io/crates/rustsec-example-crate/0.0.0
[v0.0.1]: https://crates.io/crates/rustsec-example-crate/0.0.1
[v1.0.0]: https://crates.io/crates/rustsec-example-crate/1.0.0
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20221102/crates/secp256k1/RUSTSEC-2022-0070.md
new/advisory-db-20230117/crates/secp256k1/RUSTSEC-2022-0070.md
--- old/advisory-db-20221102/crates/secp256k1/RUSTSEC-2022-0070.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20230117/crates/secp256k1/RUSTSEC-2022-0070.md
2023-01-16 10:26:23.000000000 +0100
@@ -0,0 +1,36 @@
+```toml
+[advisory]
+id = "RUSTSEC-2022-0070"
+package = "secp256k1"
+date = "2022-11-30"
+
+url = "https://github.com/rust-bitcoin/rust-secp256k1/issues/543";
+references = ["https://github.com/rust-bitcoin/rust-secp256k1/pull/548";]
+informational = "unsound"
+categories = ["memory-corruption"]
+keywords = ["use-after-free", "unsound-api", "invalid-free"]
+
+[affected]
+functions = { "secp256k1::Secp256k1::preallocated_gen_new" = ["< 0.22.2", ">=
0.23.0, < 0.23.5", ">= 0.24.0, < 0.24.2"] }
+
+[versions]
+patched = [">= 0.22.2, < 0.23.0", ">= 0.23.5, < 0.24.0", ">= 0.24.2"]
+
+unaffected = ["< 0.14.0"]
+```
+
+# Unsound API in `secp256k1` allows use-after-free and invalid deallocation
from safe code
+
+Because of incorrect bounds on method `Secp256k1::preallocated_gen_new` it was
possible to cause use-after-free from safe consumer code. It was also possible
to "free" memory not allocated by the appropriate allocator.
+
+The method takes a place for storing the context as a mutable reference and
returns context containing that reference. Because the code internally uses
`unsafe` and the bounds were incorrect it was possible to create a context that
outlived the passed reference (e.g. `'static`). Because the context can
alternatively carry heap-allocated pointer freed on drop it was possible to
"deallocate" a pointer that wasn't returned from appropriate allocator. The
code decides whether to free the memory based on type parameter but because of
missing bound it was possible to construct the context with invalid parameter.
+
+You are unaffected if you either
+
+* don't call `Secp256k1::preallocated_gen_new`
+* manually checked that your usage of the method is sound
+* upgraded to the patched version of `secp256k1` (recommended)
+
+The patched version uses correct bounds which means it is API-breaking. This
effectively means adopting the policy of Rust lang itself allowing API-breaking
changes to fix soundness bugs. Note however that valid straigthforward usage of
the code will continue to compile. Only unsound code or code that propagates
the bound in custom generics will fail to compile. If the code is sound fixing
the bounds should be sufficient to make the code compile.
+
+See the [GitHub
issue](https://github.com/rust-bitcoin/rust-secp256k1/issues/543) for example
"exploit" code and further discussion.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20221102/crates/slock/RUSTSEC-2020-0135.md
new/advisory-db-20230117/crates/slock/RUSTSEC-2020-0135.md
--- old/advisory-db-20221102/crates/slock/RUSTSEC-2020-0135.md 2022-11-01
18:11:10.000000000 +0100
+++ new/advisory-db-20230117/crates/slock/RUSTSEC-2020-0135.md 2023-01-16
10:26:23.000000000 +0100
@@ -9,7 +9,7 @@
cvss = "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
[versions]
-patched = []
+patched = [">= 0.2.0"]
```
# Slock<T> allows sending non-Send types across thread boundaries
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20221102/crates/tokio/RUSTSEC-2023-0001.md
new/advisory-db-20230117/crates/tokio/RUSTSEC-2023-0001.md
--- old/advisory-db-20221102/crates/tokio/RUSTSEC-2023-0001.md 1970-01-01
01:00:00.000000000 +0100
+++ new/advisory-db-20230117/crates/tokio/RUSTSEC-2023-0001.md 2023-01-16
10:26:23.000000000 +0100
@@ -0,0 +1,39 @@
+```toml
+[advisory]
+id = "RUSTSEC-2023-0001"
+package = "tokio"
+aliases = ["CVE-2023-22466", "GHSA-7rrj-xr53-82p7"]
+date = "2023-01-04"
+url =
"https://github.com/tokio-rs/tokio/security/advisories/GHSA-7rrj-xr53-82p7";
+references = ["https://github.com/tokio-rs/tokio/pull/5336";,
"https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createnamedpipea#pipe_reject_remote_clients";]
+keywords = ["configuration failure"]
+
+[versions]
+patched = [">= 1.18.4, < 1.19.0", ">= 1.20.3, < 1.21.0", ">= 1.23.1"]
+unaffected = ["< 1.7.0"]
+
+[affected]
+os = ["windows"]
+```
+
+# reject_remote_clients Configuration corruption
+
+On Windows, configuring a named pipe server with [pipe_mode] will force
[ServerOptions]::[reject_remote_clients] as `false`.
+
+This drops any intended explicit configuration for the [reject_remote_clients]
that may have been set as `true` previously.
+
+The default setting of [reject_remote_clients] is normally `true` meaning the
default is also overriden as `false`.
+
+## Workarounds
+
+Ensure that [pipe_mode] is set first after initializing a [ServerOptions]. For
example:
+
+```rust
+let mut opts = ServerOptions::new();
+opts.pipe_mode(PipeMode::Message);
+opts.reject_remote_clients(true);
+```
+
+[ServerOptions]:
https://docs.rs/tokio/latest/tokio/net/windows/named_pipe/struct.ServerOptions.html
+[pipe_mode]:
https://docs.rs/tokio/latest/tokio/net/windows/named_pipe/struct.ServerOptions.html#method.pipe_mode
+[reject_remote_clients]:
https://docs.rs/tokio/latest/tokio/net/windows/named_pipe/struct.ServerOptions.html#method.reject_remote_clients
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20221102/crates/twoway/RUSTSEC-2021-0146.md
new/advisory-db-20230117/crates/twoway/RUSTSEC-2021-0146.md
--- old/advisory-db-20221102/crates/twoway/RUSTSEC-2021-0146.md 1970-01-01
01:00:00.000000000 +0100
+++ new/advisory-db-20230117/crates/twoway/RUSTSEC-2021-0146.md 2023-01-16
10:26:23.000000000 +0100
@@ -0,0 +1,16 @@
+```toml
+[advisory]
+id = "RUSTSEC-2021-0146"
+package = "twoway"
+date = "2021-05-20"
+url = "https://github.com/bluss/twoway";
+references =
["https://github.com/bluss/twoway/commit/e99b3c718df1117ad7f54c33f6540c8f46cc17dd";]
+informational = "unmaintained"
+
+[versions]
+patched = []
+```
+
+# Crate `twoway` deprecated by the author
+
+The commit
[`e99b3c7`](https://github.com/bluss/twoway/commit/e99b3c718df1117ad7f54c33f6540c8f46cc17dd)
releasing version 0.2.2 explicitely deprecates `twoway` in favour of
[`memchr`](https://crates.io/crates/memchr) crate.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20221102/crates/wasmtime/RUSTSEC-2022-0075.md
new/advisory-db-20230117/crates/wasmtime/RUSTSEC-2022-0075.md
--- old/advisory-db-20221102/crates/wasmtime/RUSTSEC-2022-0075.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20230117/crates/wasmtime/RUSTSEC-2022-0075.md
2023-01-16 10:26:23.000000000 +0100
@@ -0,0 +1,20 @@
+```toml
+[advisory]
+id = "RUSTSEC-2022-0075"
+package = "wasmtime"
+date = "2022-11-10"
+url =
"https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-wh6w-3828-g9qf";
+references =
["https://github.com/bytecodealliance/wasmtime/commit/2614f2e9d2d36805ead8a8da0fa0c6e0d9e428a0";,
"https://github.com/bytecodealliance/wasmtime/commit/3535acbf3be032ef1ba0b469b8ab92538a8a18a6";]
+categories = ["memory-exposure"]
+keywords = ["use-after-free", "Wasm", "garbage collection"]
+aliases = ["CVE-2022-39393", "GHSA-wh6w-3828-g9qf"]
+
+[versions]
+patched = [">= 1.0.2, < 2.0.0", ">= 2.0.2"]
+```
+
+# Bug in pooling instance allocator
+
+bug in Wasmtime's implementation of its pooling instance allocator where when
a linear memory is reused for another instance the initial heap snapshot of the
prior instance can be visible, erroneously to the next instance.
+
+Mitigations are described
[here](https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-wh6w-3828-g9qf).
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20221102/crates/wasmtime/RUSTSEC-2022-0076.md
new/advisory-db-20230117/crates/wasmtime/RUSTSEC-2022-0076.md
--- old/advisory-db-20221102/crates/wasmtime/RUSTSEC-2022-0076.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20230117/crates/wasmtime/RUSTSEC-2022-0076.md
2023-01-16 10:26:23.000000000 +0100
@@ -0,0 +1,32 @@
+```toml
+[advisory]
+id = "RUSTSEC-2022-0076"
+package = "wasmtime"
+date = "2022-11-10"
+url =
"https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-44mr-8vmm-wjhg";
+references =
["https://github.com/bytecodealliance/wasmtime/commit/e60c3742904ccbb3e26da201c9221c38a4981d72";]
+categories = ["memory-corruption", "memory-exposure"]
+keywords = ["memory", "allocator", "Wasm", "bounds", "sandbox", "paging"]
+cvss = "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
+aliases = ["CVE-2022-39392", "GHSA-44mr-8vmm-wjhg"]
+
+[versions]
+patched = [">= 2.0.2"]
+
+[affected]
+functions = { "wasmtime::PoolingAllocationConfig::instance_memory_pages" = ["<
2.0.2"] }
+```
+
+# Bug in Wasmtime implementation of pooling instance allocator
+
+Bug in Wasmtime's implementation of its pooling instance allocator when the
allocator is configured to give WebAssembly instances a maximum of zero pages
of memory.
+
+In this configuration, the virtual memory mapping for WebAssembly memories did
not meet the compiler-required configuration requirements for safely executing
WebAssembly modules. Wasmtime's default settings require virtual memory page
faults to indicate that wasm reads/writes are out-of-bounds, but the pooling
allocator's configuration would not create an appropriate virtual memory
mapping for this meaning out of bounds reads/writes can successfully read/write
memory unrelated to the wasm sandbox within range of the base address of the
memory mapping created by the pooling allocator.
+
+This bug is not applicable with the default settings of the `wasmtime` crate.
+
+This bug can only be triggered by setting `InstanceLimits::memory_pages` to
zero.
+
+This is expected to be a very rare configuration since this means that wasm
modules cannot allocate any pages of linear memory.
+
+All wasm modules produced by all current toolchains are highly likely to use
linear memory, so it's expected to be unlikely that this configuration is set
to zero by any production embedding of Wasmtime.
