rust-crossbeam-deque: CVE-2021-32810

Related Vulnerabilities: CVE-2021-32810  

Debian Bug report logs - #993146

Reported by: Moritz Mühlenhoff <jmm@inutil.org>

Date: Fri, 27 Aug 2021 21:15:01 UTC

Severity: important

Tags: security

Fixed in version rust-crossbeam-deque/0.7.4-1

Done: Peter Michael Green <plugwash@debian.org>


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Rust Maintainers <pkg-rust-maintainers@alioth-lists.debian.net>:
Bug#993146; Package src:rust-crossbeam-deque. (Fri, 27 Aug 2021 21:15:03 GMT).


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Rust Maintainers <pkg-rust-maintainers@alioth-lists.debian.net>. (Fri, 27 Aug 2021 21:15:03 GMT).


Message #5 received at submit@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: submit@bugs.debian.org
Subject: rust-crossbeam-deque: CVE-2021-32810
Date: Fri, 27 Aug 2021 23:11:55 +0200
Source: rust-crossbeam-deque
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for rust-crossbeam-deque.

CVE-2021-32810[0]:
| crossbeam-deque is a package of work-stealing deques for building task
| schedulers when programming in Rust. In versions prior to 0.7.4 and
| 0.8.0, the result of the race condition is that one or more tasks in
| the worker queue can be popped twice instead of other tasks that are
| forgotten and never popped. If tasks are allocated on the heap, this
| can cause double free and a memory leak. If not, this still can cause
| a logical bug. Crates using `Stealer::steal`, `Stealer::steal_batch`,
| or `Stealer::steal_batch_and_pop` are affected by this issue. This has
| been fixed in crossbeam-deque 0.8.1 and 0.7.4.

https://rustsec.org/advisories/RUSTSEC-2021-0093.html

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-32810
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32810

Please adjust the affected versions in the BTS as needed.
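
An added example, not part of the bug report or of crossbeam's own code: a small Rust check that scans `Cargo.lock` text for `crossbeam-deque` entries and flags those that predate the fixed releases named in the CVE text. It assumes the affected set is everything below 0.7.4 plus 0.8.0; the function names and the sample lockfile are constructed for illustration.

```rust
// Added example, not project code. Fixed releases (0.7.4, 0.8.1) come from the advisory text.
// Constructed Cargo.lock excerpt for illustration; not taken from the bug report.
const SAMPLE_LOCK: &str = r#"
[[package]]
name = "crossbeam-deque"
version = "0.7.3"
dependencies = ["crossbeam-epoch 0.8.0"]
[[package]]
name = "crossbeam-deque"
version = "0.8.1"
"#;

/// Extract the quoted value from a `key = "value"` line.
fn value_of<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let rest = line.strip_prefix(key)?.trim_start().strip_prefix('=')?;
    Some(rest.trim().trim_matches('"'))
}

/// Parse "major.minor.patch", ignoring any pre-release or build suffix.
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c: char| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    Some((parts.next()??, parts.next()??, parts.next()??))
}

/// Affected: anything below 0.7.4, plus 0.8.0 (tuples compare lexicographically).
fn is_affected(v: (u64, u64, u64)) -> bool { v < (0, 7, 4) || v == (0, 8, 0) }

/// (version, affected) per crossbeam-deque entry; unparseable versions count as affected.
fn audit_lockfile(lock: &str) -> Vec<(String, bool)> {
    let mut findings = Vec::new();
    let mut in_target = false;
    for line in lock.lines().map(str::trim) {
        if line.starts_with('[') {
            in_target = false; // a new table starts: forget the previous package
        } else if let Some(name) = value_of(line, "name") {
            in_target = name == "crossbeam-deque";
        } else if let (true, Some(ver)) = (in_target, value_of(line, "version")) {
            findings.push((ver.to_string(), parse_version(ver).map_or(true, is_affected)));
        }
    }
    findings
}

fn main() {
    for (ver, bad) in audit_lockfile(SAMPLE_LOCK) {
        println!("crossbeam-deque {}: affected = {}", ver, bad);
    }
}
```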



Reply sent to Peter Michael Green <plugwash@debian.org>:
You have taken responsibility. (Sat, 28 Aug 2021 07:39:04 GMT).


Notification sent to Moritz Mühlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Sat, 28 Aug 2021 07:39:04 GMT).


Message #10 received at 993146-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 993146-close@bugs.debian.org
Subject: Bug#993146: fixed in rust-crossbeam-deque 0.7.4-1
Date: Sat, 28 Aug 2021 07:34:01 +0000
Source: rust-crossbeam-deque
Source-Version: 0.7.4-1
Done: Peter Michael Green <plugwash@debian.org>

We believe that the bug you reported is fixed in the latest version of
rust-crossbeam-deque, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 993146@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Peter Michael Green <plugwash@debian.org> (supplier of updated rust-crossbeam-deque package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 28 Aug 2021 07:13:50 +0000
Source: rust-crossbeam-deque
Architecture: source
Version: 0.7.4-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Rust Maintainers <pkg-rust-maintainers@alioth-lists.debian.net>
Changed-By: Peter Michael Green <plugwash@debian.org>
Closes: 993146
Changes:
 rust-crossbeam-deque (0.7.4-1) unstable; urgency=medium
 .
   * Team upload.
   * Package crossbeam-deque 0.7.4 from crates.io using debcargo 2.4.4
     - new upstream version fixes CVE-2021-32810 (Closes: 993146)
   * Bump dev-dependency on rand so autopkgtest can run.





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Aug 28 08:34:38 2021; Machine Name: bembo
