
File standard library/core vulns (closes RustSec/cargo-audit#46) #146

Merged (1 commit), Sep 2, 2019

Conversation

@tarcieri (Member) commented Sep 2, 2019

Files vulnerabilities in the standard library originally reported at:

https://groups.google.com/forum/#!forum/rustlang-security-announcements

Or otherwise collected at:

rustsec/rustsec#46

The rustsec crate doesn't presently consume these, but I'd like to add
support ASAP.

patched_versions = [">= 1.29.1"]
unaffected_versions = ["< 1.26.0"]
url = "https://groups.google.com/forum/#!topic/rustlang-security-announcements/CmSuTm-SaU0"
categories = ["dos"]
Review comment (Member) on the advisory fields above:

This is not just a DoS, it's a heap buffer overflow write

@tarcieri (Member, Author) replied Sep 2, 2019:

I originally added rce before noticing it's local-only(?), and the current coarse-grained categorization doesn't have a proper category to capture that:

https://github.com/RustSec/rustsec-crate/blob/master/src/advisory/category.rs#L48

But it hasn't shipped yet, so perhaps it should be broadened from rce to the more general (and less jargony) code-execution
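The two range fields in the fragment under review (`patched_versions = [">= 1.29.1"]`, `unaffected_versions = ["< 1.26.0"]`) only become useful once something consumes them, which is the gap the rest of the thread discusses. The following is an added example, not code from this PR or from the rustsec crate: a minimal checker that reads those two fields under their usual meaning (a version is affected unless a patched or an unaffected range matches it) and reports which Rust versions an advisory covers. It supports only the plain comparison operators the fragment uses; the `ADVISORY` dict is a constructed copy of the fragment, and the version list is constructed.

```python
"""Minimal RustSec-style range checker (hand-written example, not the
rustsec crate's own matcher). Only plain comparison operators are handled:
<, <=, >, >=, =. Constructed data is marked as such."""
import re

# Constructed copy of the two range fields from the fragment under review.
ADVISORY = {
    "patched_versions": [">= 1.29.1"],
    "unaffected_versions": ["< 1.26.0"],
}

# optional operator, then a dotted numeric version
_REQ = re.compile(r"^\s*(>=|<=|>|<|=)?\s*(\d+(?:\.\d+)*)\s*$")


def parse_version(text):
    """'1.29.1' -> (1, 29, 1); shorter forms are zero-padded to 3 parts."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def matches_requirement(version, requirement):
    """True if `version` satisfies one requirement such as '>= 1.29.1'."""
    m = _REQ.match(requirement)
    if not m:
        raise ValueError(f"unsupported requirement: {requirement!r}")
    op = m.group(1) or "="
    bound = parse_version(m.group(2))
    v = parse_version(version)
    return {
        ">=": v >= bound,
        "<=": v <= bound,
        ">": v > bound,
        "<": v < bound,
        "=": v == bound,
    }[op]


def matches_any(version, requirements):
    return any(matches_requirement(version, r) for r in requirements)


def is_vulnerable(version, advisory):
    """A version is affected unless it is patched or was never affected."""
    if matches_any(version, advisory.get("patched_versions", [])):
        return False
    if matches_any(version, advisory.get("unaffected_versions", [])):
        return False
    return True


def affected_versions(versions, advisory):
    """Filter a list of version strings down to the ones the advisory covers."""
    return [v for v in versions if is_vulnerable(v, advisory)]


if __name__ == "__main__":
    # Constructed sample of Rust releases around the advisory's boundaries.
    for v in ["1.25.0", "1.26.0", "1.29.0", "1.29.1", "1.37.0"]:
        print(v, "VULNERABLE" if is_vulnerable(v, ADVISORY) else "ok")
```

With the fragment's fields, 1.26.0 through 1.29.0 are reported as affected, 1.25.0 falls in the unaffected range, and 1.29.1 onward is patched; a real consumer would need the full semver requirement grammar (caret, tilde, wildcards) that the rustsec format allows.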

@Shnatsel (Member) commented Sep 2, 2019

I do not see much value in doing this until we have a story around consuming these. Right now all it would do is require us to manually duplicate Rust CVEs in here and show them on rustsec.org. That sounds like we're signing up for manual work with little or no gain.

@tarcieri (Member, Author) commented Sep 2, 2019

@Shnatsel next step to me is to consume them in the database, but it's a chicken and egg problem writing the code to consume them if they're not in the database to begin with.

My first thought when I actually found the extended descriptions of each vuln was "Wow, that was actually kind of hard to find..."

@tarcieri (Member, Author) commented Sep 2, 2019

Another couple thoughts on this:

  • All of these advisories are written in Markdown, but I don't think there exists a Markdown rendering of them anywhere?
  • The VecDeque vulnerability (CVE-2018-1000657) never received such a writeup for whatever reason, despite being one of the most severe so far

@tarcieri (Member, Author) commented Sep 2, 2019

Merging this with the initial goals of being able to load these in the rustsec crate's database and provide more discoverable Markdown renderings of them on https://rustsec.org.

I think these are low volume and low effort to import to the point that they won't cause undue burden.
