Merge pull request #236 from RustSec/migrate-to-v2-format

Migrate all advisories to V2 format (closes #228)

README.md

@@ -43,21 +43,6 @@ date = "2019-10-01"
 # Single-line description of a vulnerability (mandatory)
 title = "Flaw in X allows Y"
 
-# Enter a short-form description of the vulnerability here (mandatory)
-description = """
-Affected versions of this crate did not properly X.
-
-This allows an attacker to Y.
- 
-The flaw was corrected by Z.
-"""
-
-# Versions which include fixes for this vulnerability (mandatory)
-patched_versions = [">= 1.2.0"]
-
-# Versions which were never vulnerable (optional)
-#unaffected_versions = ["< 1.1.0"]
-
 # URL to a long-form description of this issue, e.g. a GitHub issue/PR,
 # a change log entry, or a blogpost announcing the release (optional)
 url = "https://github.com/mystuff/mycrate/issues/123"
@@ -78,6 +63,15 @@ keywords = ["ssl", "mitm"]
 # e.g. CVE for a C library wrapped by a -sys crate)
 #references = ["CVE-2018-YYYY", "CVE-2018-ZZZZ"]
 
+# Enter a short-form description of the vulnerability here (mandatory)
+description = """
+Affected versions of this crate did not properly X.
+
+This allows an attacker to Y.
+ 
+The flaw was corrected by Z.
+"""
+
 # Optional: metadata which narrows the scope of what this advisory affects
 [affected]
 # CPU architectures impacted by this vulnerability (optional).
@@ -100,6 +94,13 @@ keywords = ["ssl", "mitm"]
 # The path syntax is `cratename::path::to::function`, without any
 # parameters or additional information, followed by a list of version reqs.
 functions = { "mycrate::MyType::vulnerable_function" = ["< 1.2.0, >= 1.1.0"] }
+
+# Versions which include fixes for this vulnerability (mandatory)
+[versions]
+patched = [">= 1.2.0"]
+
+# Versions which were never vulnerable (optional)
+#unaffected = ["< 1.1.0"]
 ```
 
 ## License

crates/ammonia/RUSTSEC-2019-0001.toml

@@ -3,6 +3,8 @@ id = "RUSTSEC-2019-0001"
 package = "ammonia"
 date = "2019-04-27"
 title = "Uncontrolled recursion leads to abort in HTML serialization"
+url = "https://github.com/rust-ammonia/ammonia/blob/master/CHANGELOG.md#210"
+keywords = ["stack-overflow", "crash"]
 description = """
 Affected versions of this crate did use recursion for serialization of HTML
 DOM trees.
@@ -12,11 +14,11 @@ a pathologically nested input.
 
 The flaw was corrected by serializing the DOM tree iteratively instead.
 """
-patched_versions = [">= 2.1.0"]
-url = "https://github.com/rust-ammonia/ammonia/blob/master/CHANGELOG.md#210"
-keywords = ["stack-overflow", "crash"]
 
 [affected.functions]
 "ammonia::clean" = ["< 2.1.0"]
 "ammonia::Document::to_string" = ["< 2.1.0"]
 "ammonia::Document::write_to" = ["< 2.1.0"]
+
+[versions]
+patched = [">= 2.1.0"]

crates/arrayfire/RUSTSEC-2018-0011.toml

@@ -3,6 +3,9 @@ id = "RUSTSEC-2018-0011"
 package = "arrayfire"
 date = "2018-12-18"
 title = "Enum repr causing potential memory corruption"
+url = "https://github.com/arrayfire/arrayfire-rust/pull/177"
+categories = ["memory-corruption"]
+keywords = ["enum", "repr"]
 description = """
 The attribute repr() added to enums to be compatible with C-FFI caused
 memory corruption on MSVC toolchain.
@@ -15,11 +18,10 @@ The issue seems to be interlinked with which version of Rust is being used.
 
 The issue was fixed in crate 3.6.0.
 """
-patched_versions = [">= 3.6.0"]
-unaffected_versions = ["<= 3.5.0"]
-url = "https://github.com/arrayfire/arrayfire-rust/pull/177"
-categories = ["memory-corruption"]
-keywords = ["enum", "repr"]
+
+[versions]
+patched = [">= 3.6.0"]
+unaffected = ["<= 3.5.0"]
 
 [affected]
 arch = ["x86_64"]

crates/asn1_der/RUSTSEC-2019-0007.toml

@@ -1,12 +1,10 @@
 [advisory]
 id = "RUSTSEC-2019-0007"
-
 package = "asn1_der"
-
 date = "2019-06-13"
-
 title = "Processing of maliciously crafted length fields causes memory allocation SIGABRTs"
-
+url = "https://github.com/KizzyCode/asn1_der/issues/1"
+keywords = ["dos"]
 description = """
 Affected versions of this crate tried to preallocate a vector for an arbitrary amount of bytes announced by the ASN.1-DER length field without further checks.
 
@@ -15,8 +13,5 @@ This allows an attacker to trigger a SIGABRT by creating length fields that anno
 The flaw was corrected by not preallocating memory.
 """
 
-patched_versions = [">= 0.6.2"]
-
-url = "https://github.com/KizzyCode/asn1_der/issues/1"
-
-keywords = ["dos"]
+[versions]
+patched = [">= 0.6.2"]

crates/base64/RUSTSEC-2017-0004.toml

@@ -4,7 +4,6 @@ package = "base64"
 date = "2017-05-03"
 url = "https://github.com/alicemaz/rust-base64/commit/24ead980daf11ba563e4fb2516187a56a71ad319"
 title = "Integer overflow leads to heap-based buffer overflow in encode_config_buf"
-patched_versions = [">= 0.5.2"]
 keywords = ["memory-corruption"]
 aliases = ["CVE-2017-1000430"]
 description = """
@@ -19,3 +18,6 @@ and possibly the execution of arbitrary code.
 This flaw was corrected by using checked arithmetic to calculate
 the size of the buffer.
 """
+
+[versions]
+patched = [">= 0.5.2"]

crates/blake2/RUSTSEC-2019-0019.toml

@@ -3,6 +3,8 @@ id = "RUSTSEC-2019-0019"
 package = "blake2"
 date = "2019-08-25"
 title = "HMAC-BLAKE2 algorithms compute incorrect results"
+url = "https://github.com/RustCrypto/MACs/issues/19"
+categories = ["crypto-failure"]
 description = """
 When used in conjunction with the Hash-based Message Authentication Code (HMAC),
 the BLAKE2b and BLAKE2s implementations in `blake2` crate versions prior to
@@ -15,6 +17,6 @@ The v0.8.1 release of the `blake2` crate uses the correct block sizes.
 Note that this advisory only impacts usage of BLAKE2 with HMAC, and does not
 impact `Digest` functionality.
 """
-patched_versions = [">= 0.8.1"]
-url = "https://github.com/RustCrypto/MACs/issues/19"
-categories = ["crypto-failure"]
+
+[versions]
+patched = [">= 0.8.1"]

crates/cassandra/RUSTSEC-2016-0006.toml

@@ -5,8 +5,6 @@ title = "`cassandra` crate is unmaintained; use `cassandra-cpp` instead"
 informational = "unmaintained"
 date = "2016-12-15"
 url = "https://github.com/tupshin/cassandra-rs/issues/52"
-unaffected_versions = ["> 0.8.1"] # last release
-patched_versions = []
 description = """
 The `cassandra` crate has not seen a release since December 2016, and its author
 is unresponsive.
@@ -15,3 +13,7 @@ The `cassandra-cpp` crate is a maintained fork:
 
 https://github.com/Metaswitch/cassandra-rs
 """
+
+[versions]
+patched = []
+unaffected = ["> 0.8.1"] # last release

crates/chacha20/RUSTSEC-2019-0029.toml

@@ -3,6 +3,8 @@ id = "RUSTSEC-2019-0029"
 package = "chacha20"
 date = "2019-10-22"
 title = "ChaCha20 counter overflow can expose repetitions in the keystream"
+url = "https://github.com/RustCrypto/stream-ciphers/pull/64"
+categories = ["crypto-failure"]
 description = """
 The ChaCha20 stream cipher can produce a maximum of 2^32 blocks (~256GB)
 before the 32-bit counter overflows. Releases of the `chacha20` crate prior
@@ -18,6 +20,6 @@ Users of the `chacha20poly1305` crate are unaffected by this as this crate
 properly asserts the length of the plaintext is less than the maximum allowed
 (`P_MAX` as described in RFC 8439 Section 2.8).
 """
-patched_versions = [">= 0.2.3"]
-url = "https://github.com/RustCrypto/stream-ciphers/pull/64"
-categories = ["crypto-failure"]
+
+[versions]
+patched = [">= 0.2.3"]

crates/chan/RUSTSEC-2018-0014.toml

@@ -5,8 +5,6 @@ title = "chan is end-of-life; use crossbeam-channel instead"
 informational = "unmaintained"
 date = "2018-07-31"
 url = "https://github.com/BurntSushi/chan/commit/0a5c0d4ad4adc90a54ee04a427389acf2e157275"
-unaffected_versions = ["> 0.1.23"] # last release
-patched_versions = []
 description = """
 **`chan` has reached its end-of-life and is now deprecated.**
 
@@ -16,3 +14,7 @@ Its API is strikingly similar, but comes with a much better `select!` macro,
 better performance, a better test suite and an all-around better
 implementation.
 """
+
+[versions]
+unaffected = ["> 0.1.23"] # last release
+patched = []

crates/chttp/RUSTSEC-2019-0016.toml

@@ -10,7 +10,9 @@ or be exploited to cause undefined behavior.
  
 A fix was published in version 0.1.3.
 """
-patched_versions = [">= 0.1.3"]
-unaffected_versions = ["< 0.1.1"]
 url = "https://github.com/sagebind/isahc/issues/2"
 keywords = ["memory-management", "memory-corruption"]
+
+[versions]
+patched = [">= 0.1.3"]
+unaffected = ["< 0.1.1"]

crates/claxon/RUSTSEC-2018-0004.toml

@@ -3,6 +3,8 @@ id = "RUSTSEC-2018-0004"
 package = "claxon"
 date = "2018-08-25"
 title = "Malicious input could cause uninitialized memory to be exposed"
+url = "https://github.com/ruuda/claxon/commit/8f28ec275e412dd3af4f3cda460605512faf332c"
+keywords = ["uninitialized-memory"]
 description = """
 Affected versions of Claxon made an invalid assumption about the decode buffer
 size being a multiple of a value read from the bitstream. This could cause parts
@@ -17,6 +19,6 @@ the decode buffer size, and returning a format error if it does not. If an error
 is returned, the decode buffer is not exposed. Regression tests and an
 additional fuzzer have been added to prevent similar flaws in the future.
 """
-patched_versions = ["=0.3.2", ">= 0.4.1"]
-url = "https://github.com/ruuda/claxon/commit/8f28ec275e412dd3af4f3cda460605512faf332c"
-keywords = ["uninitialized-memory"]
+
+[versions]
+patched = ["=0.3.2", ">= 0.4.1"]

crates/compact_arena/RUSTSEC-2019-0015.toml

@@ -3,6 +3,9 @@ id = "RUSTSEC-2019-0015"
 package = "compact_arena"
 date = "2019-05-21"
 title = "Flaw in generativity allows out-of-bounds access"
+url = "https://github.com/llogiq/compact_arena/issues/22"
+categories = ["memory-corruption"]
+keywords = ["uninitialized-memory"]
 description = """
 Affected versions of this crate did not properly implement the generativity,
 because the invariant lifetimes were not necessarily `drop`ped.
@@ -13,10 +16,9 @@ access into the memory reserved for the arena.
 
 The flaw was corrected by implementing generativity correctly in version 0.4.0.
 """
-patched_versions = [">= 0.4.0"]
-url = "https://github.com/llogiq/compact_arena/issues/22"
-categories = ["memory-corruption"]
-keywords = ["uninitialized-memory"]
 
 [affected.functions]
 "compact_arena::SmallArena::new" = ["< 0.4.0"]
+
+[versions]
+patched = [">= 0.4.0"]

crates/cookie/RUSTSEC-2017-0005.toml

@@ -1,7 +1,6 @@
 [advisory]
 id = "RUSTSEC-2017-0005"
 package = "cookie"
-patched_versions = ["< 0.6.0", "^0.6.2", ">= 0.7.6"]
 keywords = ["crash"]
 url = "https://github.com/alexcrichton/cookie-rs/pull/86"
 title = "Large cookie Max-Age values can cause a denial of service"
@@ -15,3 +14,6 @@ will panic if the value is greater than 2^64/1000 and less than or equal to
 This flaw was corrected by explicitly checking for the `Max-Age` being in this
 integer range and clamping the value to the maximum duration value.
 """
+
+[versions]
+patched = ["< 0.6.0", "^0.6.2", ">= 0.7.6"]

crates/crossbeam/RUSTSEC-2018-0009.toml

@@ -3,6 +3,8 @@ id = "RUSTSEC-2018-0009"
 package = "crossbeam"
 date = "2018-12-09"
 title = "MsQueue and SegQueue suffer from double-free"
+url = "https://github.com/crossbeam-rs/crossbeam-epoch/issues/82"
+keywords = ["concurrency", "memory-management", "memory-corruption"]
 description = """
 Even if an element is popped from a queue, crossbeam would run its
 destructor inside the epoch-based garbage collector. This is a source
@@ -13,7 +15,7 @@ The flaw was corrected by wrapping elements inside queues in a
 
 Thanks to @c0gent for reporting the issue.
 """
-patched_versions = [">= 0.4.1"]
-unaffected_versions = ["< 0.4.0"]
-url = "https://github.com/crossbeam-rs/crossbeam-epoch/issues/82"
-keywords = ["concurrency", "memory-management", "memory-corruption"]
+
+[versions]
+patched = [">= 0.4.1"]
+unaffected = ["< 0.4.0"]

crates/crust/RUSTSEC-2019-0032.toml

@@ -5,12 +5,14 @@ title = "crust repo has been archived; use libp2p instead"
 informational = "unmaintained"
 date = "2019-11-21"
 url = "https://github.com/maidsafe/crust"
-unaffected_versions = ["> 0.32.1"] # last release
-patched_versions = []
 description = """
 ** The `crust` crate repo was archived with no warning or explanation.**
 
 Given that it was archived with no warning or successor, there's not an
 official replacement but [`rust-libp2p`](https://github.com/libp2p/rust-libp2p)
 looks like it's got a similar feature set and is actively maintained.
 """
+
+[versions]
+unaffected = ["> 0.32.1"] # last release
+patched = []

crates/flatbuffers/RUSTSEC-2019-0028.toml

@@ -1,8 +1,6 @@
 [advisory]
 id = "RUSTSEC-2019-0028"
 package = "flatbuffers"
-patched_versions = []
-unaffected_versions = ["< 0.4.0"]
 date = "2019-10-20"
 url = "https://github.com/google/flatbuffers/issues/5530"
 title = "Unsound `impl Follow for bool`"
@@ -13,5 +11,9 @@ In Rust `bool` has stringent requirements for its in-memory representation. Use
 allows to violate these requirements and invoke undefined behaviour in safe code.
 """
 
-[affected]
-functions = { "flatbuffers::Follow::follow" = [">= 0.4.0", "<= 0.6.0"] }
+[affected.functions]
+"flatbuffers::Follow::follow" = [">= 0.4.0", "<= 0.6.0"]
+
+[versions]
+patched = []
+unaffected = ["< 0.4.0"]

crates/generator/RUSTSEC-2019-0020.toml

@@ -3,6 +3,8 @@ id = "RUSTSEC-2019-0020"
 package = "generator"
 date = "2019-09-06"
 title = "fix unsound APIs that could lead to UB"
+url = "https://github.com/Xudong-Huang/generator-rs/issues/9"
+keywords = ["memory-corruption"]
 description = """
 Affected versions of this crate API could use uninitialized memory with some APIs in special
 cases, like use the API in none generator context. This could lead to UB.
@@ -12,6 +14,6 @@ The flaw was corrected by <https://github.com/Xudong-Huang/generator-rs/issues/9
                           <https://github.com/Xudong-Huang/generator-rs/issues/14>                                                  
 This patch fixes all those issues above.
 """
-patched_versions = [">= 0.6.18"]
-url = "https://github.com/Xudong-Huang/generator-rs/issues/9"
-keywords = ["memory-corruption"]
+
+[versions]
+patched = [">= 0.6.18"]

crates/http/RUSTSEC-2019-0033.toml

@@ -3,6 +3,9 @@ id = "RUSTSEC-2019-0033"
 package = "http"
 date = "2019-11-16"
 title = "Integer Overflow in HeaderMap::reserve() can cause Denial of Service"
+url = "https://github.com/hyperium/http/issues/352"
+categories = ["denial-of-service"]
+keywords = ["http", "integer-overflow", "DoS"]
 description = """
 `HeaderMap::reserve()` used `usize::next_power_of_two()` to calculate the increased capacity.
 However, `next_power_of_two()` silently overflows to 0 if given a sufficently large number
@@ -15,10 +18,9 @@ to cause a potential denial of service (DoS).
 
 The flaw was corrected in 0.1.20 release of `http` crate.
 """
-patched_versions = [">= 0.1.20"]
-url = "https://github.com/hyperium/http/issues/352"
-categories = ["denial-of-service"]
-keywords = ["http", "integer-overflow", "DoS"]
 
 [affected.functions]
 "http::header::HeaderMap::reserve" = ["< 0.1.20"]
+
+[versions]
+patched = [">= 0.1.20"]