Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package cargo-audit-advisory-db for
openSUSE:Factory checked in at 2023-08-01 15:38:38
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/cargo-audit-advisory-db (Old)
and /work/SRC/openSUSE:Factory/.cargo-audit-advisory-db.new.32662 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cargo-audit-advisory-db"
Tue Aug 1 15:38:38 2023 rev:34 rq:1101676 version:20230731
Changes:
--------
---
/work/SRC/openSUSE:Factory/cargo-audit-advisory-db/cargo-audit-advisory-db.changes
2023-07-11 15:57:29.921239566 +0200
+++
/work/SRC/openSUSE:Factory/.cargo-audit-advisory-db.new.32662/cargo-audit-advisory-db.changes
2023-08-01 15:38:40.441873868 +0200
@@ -1,0 +2,15 @@
+Mon Jul 31 04:07:19 UTC 2023 - [email protected]
+
+- Update to version 20230731:
+ * Update aliases from GHSA OSV export (#1734)
+ * Assigned RUSTSEC-2023-0048 to intaglio (#1733)
+ * Add advisory for unsoundness in intaglio symbol interners (#1732)
+ * Assigned RUSTSEC-2023-0047 to lmdb-rs (#1730)
+ * report unsoundness of lmdb-rs (#1724)
+ * Fix typos (#1729)
+ * Bump rustsec-admin to 0.8.6 (#1728)
+ * Update aliases from GHSA OSV export (#1727)
+ * Update RUSTSEC-2021-0145.md with stable IsTerminal (#1725)
+ * Assigned RUSTSEC-2023-0046 to cyfs-base (#1723)
+
+-------------------------------------------------------------------
Old:
----
advisory-db-20230711.tar.xz
New:
----
advisory-db-20230731.tar.xz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ cargo-audit-advisory-db.spec ++++++
--- /var/tmp/diff_new_pack.XziKuT/_old 2023-08-01 15:38:42.289885312 +0200
+++ /var/tmp/diff_new_pack.XziKuT/_new 2023-08-01 15:38:42.337885609 +0200
@@ -17,7 +17,7 @@
Name: cargo-audit-advisory-db
-Version: 20230711
+Version: 20230731
Release: 0
Summary: A database of known security issues for Rust depedencies
License: CC0-1.0
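Review bot: the Summary context line in this hunk still reads "Rust depedencies"; since this request only bumps Version from 20230711 to 20230731, it would be a good moment to fix the spelling to "A database of known security issues for Rust dependencies" so the package metadata matches the typo fixes landing in the advisory texts further down.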
++++++ _service ++++++
--- /var/tmp/diff_new_pack.XziKuT/_old 2023-08-01 15:38:42.689887789 +0200
+++ /var/tmp/diff_new_pack.XziKuT/_new 2023-08-01 15:38:42.721887987 +0200
@@ -2,7 +2,7 @@
<service mode="disabled" name="obs_scm">
<param name="url">https://github.com/RustSec/advisory-db.git</param>
<param name="scm">git</param>
- <param name="version">20230711</param>
+ <param name="version">20230731</param>
<param name="revision">main</param>
<param name="changesgenerate">enable</param>
<param name="changesauthor">[email protected]</param>
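Review bot: the obs_scm service bumps `version` to 20230731 but keeps `revision` pinned to the branch name `main`, so re-running the (currently `mode="disabled"`) service later fetches whatever `main` points to at that time rather than the snapshot that produced advisory-db-20230731.tar.xz. For a traceable source-to-tarball trail, pin `<param name="revision">` to the upstream commit hash that was checked out for this version and move the branch name into `version`-independent metadata, or at least record that commit in the changes entry.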
++++++ advisory-db-20230711.tar.xz -> advisory-db-20230731.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/advisory-db-20230711/.duplicate-id-guard
new/advisory-db-20230731/.duplicate-id-guard
--- old/advisory-db-20230711/.duplicate-id-guard 2023-07-08
16:04:33.000000000 +0200
+++ new/advisory-db-20230731/.duplicate-id-guard 2023-07-29
19:20:00.000000000 +0200
@@ -1,3 +1,3 @@
This file causes merge conflicts if two ID assignment jobs run concurrently.
This prevents duplicate ID assignment due to a race between those jobs.
-aee1905cc6111a8085b4836e39124a2cc0f34e8106f07f116df13ee0057dc8e3 -
+c180e114f092d808a8efaab98d0138ec1d49f659bfc4edfb340dd84e2fedd88b -
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20230711/crates/intaglio/RUSTSEC-2023-0048.md
new/advisory-db-20230731/crates/intaglio/RUSTSEC-2023-0048.md
--- old/advisory-db-20230711/crates/intaglio/RUSTSEC-2023-0048.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20230731/crates/intaglio/RUSTSEC-2023-0048.md
2023-07-29 19:20:00.000000000 +0200
@@ -0,0 +1,28 @@
+```toml
+[advisory]
+id = "RUSTSEC-2023-0048"
+package = "intaglio"
+date = "2023-07-26"
+url = "https://github.com/artichoke/intaglio/pull/236"
+references = [
+ "https://github.com/artichoke/intaglio/issues/235",
+ "https://github.com/artichoke/intaglio/pull/236",
+ "https://github.com/artichoke/intaglio/releases/tag/v1.9.0",
+]
+informational = "unsound"
+aliases = ["GHSA-gch5-hwqf-mxhp"]
+
+[affected]
+functions = { "intaglio::SymbolTable::intern" = ["< 1.9.0"],
"intaglio::bytes::SymbolTable::intern" = ["< 1.9.0"],
"intaglio::cstr::SymbolTable::intern" = ["< 1.9.0, >= 1.5.0"],
"intaglio::osstr::SymbolTable::intern" = ["< 1.9.0, >= 1.5.0"],
"intaglio::path::SymbolTable::intern" = ["< 1.9.0, >= 1.5.0"] }
+
+[versions]
+patched = [">= 1.9.0"]
+```
+
+# Unsoundness in `intern` methods on `intaglio` symbol interners
+
+Affected versions of this crate have a stacked borrows violation when creating
+references to interned contents. All interner types are affected.
+
+The flaw was corrected in version 1.9.0 by reordering move and borrowing
+operations and storing interned contents by raw pointer instead of as a `Box`.
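Review bot: the `functions = { ... }` inline table appears wrapped over five lines with only the first carrying a `+` prefix, which looks like mail wrapping of one long TOML line; please confirm the file itself keeps the inline table on a single line, because TOML 1.0 does not allow newlines inside inline tables and a multi-line form would not parse. Separately, this advisory is `informational = "unsound"`, so cargo-audit reports it as a warning rather than a failing vulnerability by default; downstream users who want unsound advisories to fail their builds have to opt in (cargo audit supports `--deny unsound`), which is worth mentioning when announcing this database update.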
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20230711/crates/lmdb-rs/RUSTSEC-2023-0047.md
new/advisory-db-20230731/crates/lmdb-rs/RUSTSEC-2023-0047.md
--- old/advisory-db-20230711/crates/lmdb-rs/RUSTSEC-2023-0047.md
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20230731/crates/lmdb-rs/RUSTSEC-2023-0047.md
2023-07-29 19:20:00.000000000 +0200
@@ -0,0 +1,16 @@
+```toml
+[advisory]
+id = "RUSTSEC-2023-0047"
+package = "lmdb-rs"
+date = "2023-06-26"
+informational = "unsound"
+url = "https://github.com/vhbit/lmdb-rs/issues/67"
+keywords = ["unsound"]
+aliases = ["GHSA-f9g6-fp84-fv92"]
+
+[versions]
+patched = []
+```
+
+# impl `FromMdbValue` for bool is unsound
+The implementation of `FromMdbValue` have several unsoundness issues. First of
all, it allows to reinterpret arbitrary bytes as a bool and could make
undefined behavior happen with safe function. Secondly, it allows transmuting
pointer without taking memory layout into consideration. The details of
reproducing the bug were included in url above.
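Review bot: `patched = []` means there is no fixed release, so every version of lmdb-rs will be flagged and the only mitigation available to users is to avoid the `FromMdbValue` for `bool` impl (or the crate) until upstream issue 67 is resolved; the advisory could say so explicitly instead of only pointing at the issue. The description's grammar also needs tightening before publication, e.g. "The implementation of `FromMdbValue` has several unsoundness issues. First, it allows reinterpreting arbitrary bytes as a bool, which can cause undefined behavior from a safe function. Second, it allows transmuting a pointer without taking the memory layout into consideration. The details for reproducing the bug are included in the url above."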
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/advisory-db-20230711/crates/stb_image/RUSTSEC-2023-0021.md
new/advisory-db-20230731/crates/stb_image/RUSTSEC-2023-0021.md
--- old/advisory-db-20230711/crates/stb_image/RUSTSEC-2023-0021.md
2023-07-08 16:04:33.000000000 +0200
+++ new/advisory-db-20230731/crates/stb_image/RUSTSEC-2023-0021.md
2023-07-29 19:20:00.000000000 +0200
@@ -12,7 +12,7 @@
patched = [">= 0.2.5"]
```
-# NULL pointer derefernce in `stb_image`
+# NULL pointer dereference in `stb_image`
A bug in error handling in the `stb_image` C library could cause a NULL
pointer dereference when attempting to load an invalid or unsupported image
file. This is fixed in version 0.2.5 and later of the `stb_image` Rust crate,
by patching the C code to correctly handle NULL pointers.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/advisory-db-20230711/rust/std/CVE-2021-28877.md
new/advisory-db-20230731/rust/std/CVE-2021-28877.md
--- old/advisory-db-20230711/rust/std/CVE-2021-28877.md 2023-07-08
16:04:33.000000000 +0200
+++ new/advisory-db-20230731/rust/std/CVE-2021-28877.md 2023-07-29
19:20:00.000000000 +0200
@@ -11,6 +11,6 @@
unaffected = ["< 1.11.0"]
```
-# TrustedRandomAaccess specialization composes incorrectly for nested
iter::Zips
+# TrustedRandomAccess specialization composes incorrectly for nested iter::Zips
-In the standard library in Rust before 1.51.0, the Zip implementation calls
__iterator_get_unchecked() for the same index more than once when nested. This
bug can lead to a memory safety violation due to an unmet safety requirement
for the TrustedRandomAccess trait.
+In the standard library in Rust before 1.51.0, the Zip implementation calls
`__iterator_get_unchecked()` for the same index more than once when nested.
This bug can lead to a memory safety violation due to an unmet safety
requirement for the `TrustedRandomAccess` trait.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/advisory-db-20230711/rust/std/CVE-2021-29922.md
new/advisory-db-20230731/rust/std/CVE-2021-29922.md
--- old/advisory-db-20230711/rust/std/CVE-2021-29922.md 2023-07-08
16:04:33.000000000 +0200
+++ new/advisory-db-20230731/rust/std/CVE-2021-29922.md 2023-07-29
19:20:00.000000000 +0200
@@ -20,7 +20,7 @@
Improper input validation of octal strings in rust-lang standard library `net`
allows unauthenticated remote attackers to perform
indeterminate SSRF, RFI, and LFI attacks on many programs that rely on
rust-lang std::net.
-IP address octects are left stripped instead of evaluated as valid IP
addresses.
+IP address octets are left stripped instead of evaluated as valid IP addresses.
For example, an attacker submitting an IP address to a web application that
relies on `std::net::IpAddr`,
could cause SSRF via inputting octal input data;
An attacker can submit exploitable IP addresses if the octet is 3 digits,