rustc: Backport the fix for Rust#44800 to stretch (CVE-2018-1000657)

Related Vulnerabilities: CVE-2018-1000657  

Debian Bug report logs - #906585

Reported by: Nicolas Braud-Santoni <nicoo@debian.org>

Date: Sat, 18 Aug 2018 21:18:47 UTC

Severity: important

Tags: security, stretch

Found in version rustc/1.14.0+dfsg1-3

Fixed in versions rustc/1.22.1+dfsg1-1, 1.24.1+dfsg1-1~deb9u4

Done: Andreas Beckmann <anbe@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, infinity0@debian.org, shnatsel@gmail.com, team@security.debian.org, Rust Maintainers <pkg-rust-maintainers@lists.alioth.debian.org>:
Bug#906585; Package src:rustc. (Sat, 18 Aug 2018 21:18:49 GMT)


Acknowledgement sent to Nicolas Braud-Santoni <nicolas@braud-santoni.eu>:
New Bug report received and forwarded. Copy sent to infinity0@debian.org, shnatsel@gmail.com, team@security.debian.org, Rust Maintainers <pkg-rust-maintainers@lists.alioth.debian.org>. (Sat, 18 Aug 2018 21:18:49 GMT)


Message #5 received at submit@bugs.debian.org:

From: Nicolas Braud-Santoni <nicolas@braud-santoni.eu>
To: submit@bugs.debian.org
Subject: rustc: Backport the fix for Rust#44800 to stretch
Date: Sat, 18 Aug 2018 15:19:46 +0200
Source: rustc
Version: 1.14.0+dfsg1-3
Severity: important
Tags: security stretch

Hi,

Sergey (in CC) recently pointed out [0] that we are still shipping in Stretch
i386 a version of the VecDeque (from the Rust stdlib) that can perform invalid
out-of-bounds writes:

  https://github.com/rust-lang/rust/issues/44800

This is very likely exploitable (attacker-controlled data is written outside
the buffer), and we (the rust team) think it would be worth fixing ASAP.


Thankfully, there is already a more recent version for amd64 in stretch, and
1.24.1+dfsg1-1~deb9u3 is already in stretch-pu for i386 (plus a bunch of
architectures which did not previously have rustc).  The fix first appeared in
upstream release 1.21.0 (Oct 2017).

Would it be possible to turn it into a security upload, along with a binNMU of
all packages that were built with rustc (<< 1.24.1) ?


@Sergey: Thanks a lot for dedicating some of your time and energy to finding
         security issues in the Rust ecosystem, it is highly appreciated.  :3


Best,

  nicoo


[0]: https://medium.com/@shnatsel/how-rusts-standard-library-was-vulnerable-for-years-and-nobody-noticed-aebf0503c3d6
[signature.asc (application/pgp-signature, inline)]
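Worked example, added here and not taken from the bug report, from Sergey's write-up or from rustc itself, of the defect the report refers to. It models the std VecDeque layout (power-of-two buffer, one slot always kept empty so capacity() is cap - 1, tail/head indices) in a small standalone ring buffer and runs its reserve step both ways: with the vulnerable comparison against capacity(), under which a request that resolves to exactly the current cap passes the check, does not grow the allocation, and still runs the relocation step that copies the wrapped elements to index cap and beyond; and with the comparison against the raw cap, which is the shape of the upstream fix. The RingDeque type, the sample contents and the OutOfBounds reporting are the example's own (std did the copy through a raw pointer and reported nothing); on a fixed toolchain the model is the only way to observe the behaviour, since the real VecDeque no longer has it.

```rust
/// Outcome of the model's `reserve`. The real std code used
/// `ptr::copy_nonoverlapping` and could not report anything; the model
/// detects the out-of-bounds write instead of performing it.
#[derive(Debug, Clone, PartialEq)]
pub enum ReserveOutcome {
    Ok,
    OutOfBounds { index: usize, count: usize, len: usize },
}

/// Ring buffer with the same layout as std's VecDeque: `buf.len()` is a
/// power of two ("cap"), one slot is always left empty so `capacity()` is
/// cap - 1, `tail` indexes the first element, `head` the slot after the last.
#[derive(Debug, Clone)]
pub struct RingDeque {
    buf: Vec<Option<u32>>,
    tail: usize,
    head: usize,
}

impl RingDeque {
    pub fn with_capacity(n: usize) -> Self {
        let cap = (n + 1).next_power_of_two().max(2);
        RingDeque { buf: vec![None; cap], tail: 0, head: 0 }
    }
    fn cap(&self) -> usize { self.buf.len() }
    fn mask(&self) -> usize { self.cap() - 1 }
    pub fn capacity(&self) -> usize { self.cap() - 1 }
    pub fn len(&self) -> usize { self.head.wrapping_sub(self.tail) & self.mask() }

    pub fn push_back(&mut self, v: u32) {
        assert!(self.len() < self.capacity(), "model does not grow on push");
        let h = self.head;
        self.buf[h] = Some(v);
        self.head = (h + 1) & self.mask();
    }
    pub fn pop_front(&mut self) -> Option<u32> {
        if self.len() == 0 { return None; }
        let v = self.buf[self.tail].take();
        self.tail = (self.tail + 1) & self.mask();
        v
    }
    pub fn to_vec(&self) -> Vec<u32> {
        (0..self.len()).map(|i| self.buf[(self.tail + i) & self.mask()].expect("slot in use")).collect()
    }

    /// `reserve` with the comparison selectable. The vulnerable code compared
    /// `new_cap` against `capacity()` (cap - 1): a request that resolved to
    /// exactly the current cap passed, the allocation was not grown, and the
    /// relocation step ran anyway. The fix compares against `old_cap`.
    pub fn reserve(&mut self, additional: usize, fixed: bool) -> ReserveOutcome {
        let old_cap = self.cap();
        let used_cap = self.len() + 1;
        let new_cap = (used_cap + additional).next_power_of_two();
        let threshold = if fixed { old_cap } else { self.capacity() };
        if new_cap > threshold {
            // like RawVec::reserve_exact: a no-op if the buffer is already big enough
            if new_cap > old_cap {
                self.buf.resize(new_cap, None);
            }
            return self.handle_cap_increase(old_cap);
        }
        ReserveOutcome::Ok
    }

    /// After growth, move the shorter run of a wrapped deque so the contents
    /// are contiguous again. Only correct if the buffer really has grown.
    fn handle_cap_increase(&mut self, old_cap: usize) -> ReserveOutcome {
        let new_cap = self.cap();
        if self.tail <= self.head {
            ReserveOutcome::Ok // not wrapped: nothing to move
        } else if self.head < old_cap - self.tail {
            // move the head run buf[0..head] to buf[old_cap..old_cap + head]
            let (index, count) = (old_cap, self.head);
            if index + count > new_cap {
                return ReserveOutcome::OutOfBounds { index, count, len: new_cap };
            }
            for i in 0..count {
                let v = self.buf[i].take();
                self.buf[index + i] = v;
            }
            self.head += old_cap;
            ReserveOutcome::Ok
        } else {
            // move the tail run buf[tail..old_cap] to the end of the new buffer
            let count = old_cap - self.tail;
            let new_tail = new_cap - count;
            for i in (0..count).rev() {
                let v = self.buf[self.tail + i].take();
                self.buf[new_tail + i] = v;
            }
            self.tail = new_tail;
            ReserveOutcome::Ok
        }
    }
}

/// Constructed input: cap 8 (capacity 7) holding six elements that wrap
/// around the end of the buffer (tail = 3, head = 1).
pub fn wrapped_deque() -> RingDeque {
    let mut d = RingDeque::with_capacity(7);
    for v in 1..=4 { d.push_back(v); }
    for _ in 0..3 { d.pop_front(); }
    for v in 5..=9 { d.push_back(v); }
    d
}

/// The same request both ways: `reserve(0)` resolves to new_cap == 8 == cap.
pub fn demo() -> (ReserveOutcome, ReserveOutcome) {
    let mut vulnerable = wrapped_deque();
    let mut fixed = wrapped_deque();
    (vulnerable.reserve(0, false), fixed.reserve(0, true))
}

fn main() {
    let (v, f) = demo();
    println!("vulnerable reserve(0): {:?}", v);
    println!("fixed reserve(0):      {:?}", f);
}
```

The vulnerable variant reports a one-element write at index 8 of an 8-slot buffer; the fixed variant does nothing, and a request that really does grow the buffer (reserve(8)) relocates the wrapped element correctly, which is what isolates the fault to the comparison rather than to the relocation code. For anyone auditing a stretch system the practical caveat is the one behind the binNMU request in this report: libstd is linked statically into every binary rustc produces, so updating the rustc package alone does not repair binaries built with an older toolchain. Per the report the fix first shipped in upstream 1.21.0.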

Information forwarded to debian-bugs-dist@lists.debian.org, Rust Maintainers <pkg-rust-maintainers@lists.alioth.debian.org>:
Bug#906585; Package src:rustc. (Sun, 19 Aug 2018 10:15:03 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Rust Maintainers <pkg-rust-maintainers@lists.alioth.debian.org>. (Sun, 19 Aug 2018 10:15:03 GMT)


Message #10 received at 906585@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Nicolas Braud-Santoni <nicolas@braud-santoni.eu>, 906585@bugs.debian.org
Subject: Re: Bug#906585: rustc: Backport the fix for Rust#44800 to stretch
Date: Sun, 19 Aug 2018 12:04:25 +0200
On Sat, Aug 18, 2018 at 03:19:46PM +0200, Nicolas Braud-Santoni wrote:
> Source: rustc
> Version: 1.14.0+dfsg1-3
> Severity: important
> Tags: security stretch
> 
> Hi,
> 
> Sergey (in CC) recently pointed out [0] that we are still shipping in Stretch
> i386 a version of the VecDeque (from the Rust stdlib) that can perform invalid
> out-of-bounds writes:
> 
>   https://github.com/rust-lang/rust/issues/44800
> 
> This is very likely exploitable (attacker-controlled data is written outside
> the buffer), and we (the rust team) think it would be worth fixing ASAP.
> 
> 
> Thankfully, there is already a more recent version for amd64 in stretch, and
> 1.24.1+dfsg1-1~deb9u3 is already in stretch-pu for i386 (plus a bunch of
> architectures which did not previously have rustc).  The fix first appeared in
> upstream release 1.21.0 (Oct 2017).
> 
> Would it be possible to turn it into a security upload, along with a binNMU of
> all packages that were built with rustc (<< 1.24.1) ?

1.24 will reach stretch via the next 9.5 point release. I don't see any
need to expedite this. Do we actually have any application in stretch yet which
is written in Rust?

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Rust Maintainers <pkg-rust-maintainers@lists.alioth.debian.org>:
Bug#906585; Package src:rustc. (Tue, 21 Aug 2018 02:30:03 GMT)


Acknowledgement sent to Angus Lees <gus@debian.org>:
Extra info received and forwarded to list. Copy sent to Rust Maintainers <pkg-rust-maintainers@lists.alioth.debian.org>. (Tue, 21 Aug 2018 02:30:03 GMT)


Message #15 received at 906585@bugs.debian.org:

From: Angus Lees <gus@debian.org>
To: Moritz Mühlenhoff <jmm@inutil.org>, 906585@bugs.debian.org
Cc: Nicolas Braud-Santoni <nicolas@braud-santoni.eu>
Subject: Re: [Pkg-rust-maintainers] Bug#906585: rustc: Backport the fix for Rust#44800 to stretch
Date: Tue, 21 Aug 2018 12:26:22 +1000
On Sun, 19 Aug 2018 at 20:39 Moritz Mühlenhoff <jmm@inutil.org> wrote:

> On Sat, Aug 18, 2018 at 03:19:46PM +0200, Nicolas Braud-Santoni wrote:
> > Would it be possible to turn it into a security upload, along with a
> > binNMU of all packages that were built with rustc (<< 1.24.1) ?
>
> 1.24 will reach stretch via the next 9.5 point release. I don't see any
> need to expedite this. Do we actually have any application in stretch yet
> which is written in Rust?
>

No, not in stretch (other than the rustc/libstd-rust toolchain itself).

 - Gus

Changed Bug title to 'rustc: Backport the fix for Rust#44800 to stretch (CVE-2018-1000657)' from 'rustc: Backport the fix for Rust#44800 to stretch'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 23 Aug 2018 06:39:04 GMT)


Marked as fixed in versions rustc/1.22.1+dfsg1-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 23 Aug 2018 06:39:05 GMT)


Changed Bug submitter to 'Nicolas Braud-Santoni <nicoo@debian.org>' from 'Nicolas Braud-Santoni <nicolas@braud-santoni.eu>'. Request was from Nicolas Braud-Santoni <nicoo@debian.org> to control@bugs.debian.org. (Thu, 15 Nov 2018 18:12:10 GMT)


Reply sent to Andreas Beckmann <anbe@debian.org>:
You have taken responsibility. (Sat, 04 May 2019 09:21:03 GMT)


Notification sent to Nicolas Braud-Santoni <nicoo@debian.org>:
Bug acknowledged by developer. (Sat, 04 May 2019 09:21:03 GMT)


Message #26 received at 906585-done@bugs.debian.org:

From: Andreas Beckmann <anbe@debian.org>
To: 906585-done@bugs.debian.org
Subject: Re: Bug#906585: rustc: Backport the fix for Rust#44800 to stretch
Date: Sat, 4 May 2019 11:16:04 +0200
Version: 1.24.1+dfsg1-1~deb9u4

On Sun, 19 Aug 2018 12:04:25 +0200 Moritz Mühlenhoff <jmm@inutil.org> wrote:
> 1.24 will reach stretch via the next 9.5 point release. I don't see any

which happened some time ago


Andreas



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 02 Jun 2019 07:26:58 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:41:50 2019; Machine Name: beach
