Debian Bug report logs - #993146 rust-crossbeam-deque: CVE-2021-32810
Reported by: Moritz Mühlenhoff <jmm@inutil.org>
Date: Fri, 27 Aug 2021 21:15:01 UTC
Severity: important
Tags: security
Fixed in version rust-crossbeam-deque/0.7.4-1
Done: Peter Michael Green <plugwash@debian.org>
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Rust Maintainers <pkg-rust-maintainers@alioth-lists.debian.net>: Bug#993146; Package src:rust-crossbeam-deque. (Fri, 27 Aug 2021 21:15:03 GMT)
Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Rust Maintainers <pkg-rust-maintainers@alioth-lists.debian.net>. (Fri, 27 Aug 2021 21:15:03 GMT)
Message #5 received at submit@bugs.debian.org:
Source: rust-crossbeam-deque
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for rust-crossbeam-deque.
CVE-2021-32810[0]:
| crossbeam-deque is a package of work-stealing deques for building task
| schedulers when programming in Rust. In versions prior to 0.7.4 and
| 0.8.0, the result of the race condition is that one or more tasks in
| the worker queue can be popped twice instead of other tasks that are
| forgotten and never popped. If tasks are allocated on the heap, this
| can cause double free and a memory leak. If not, this still can cause
| a logical bug. Crates using `Stealer::steal`, `Stealer::steal_batch`,
| or `Stealer::steal_batch_and_pop` are affected by this issue. This has
| been fixed in crossbeam-deque 0.8.1 and 0.7.4.
https://rustsec.org/advisories/RUSTSEC-2021-0093.html
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-32810
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32810
Please adjust the affected versions in the BTS as needed.
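As an added example (not code from the bug report or from the crossbeam project), the following Rust scan walks a Cargo.lock and flags crossbeam-deque entries whose version falls inside the ranges the advisory above names as affected (below 0.7.4, and 0.8.0); the lockfile fragment at the bottom is constructed for the demonstration.

```rust
// Added example, not from the bug log: flag Cargo.lock entries of crossbeam-deque in
// the ranges the advisory names as affected (< 0.7.4, and 0.8.0; fixed in 0.7.4/0.8.1).

/// Parse "MAJOR.MINOR.PATCH" into a comparable tuple; None on malformed input.
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let mut p = v.trim().split('.').map(|s| s.parse::<u64>().ok());
    Some((p.next()??, p.next()??, p.next()??))
}

/// True when a crossbeam-deque version falls inside the advisory's affected ranges.
pub fn is_affected(version: &str) -> bool {
    match parse_version(version) {
        Some(v) => v < (0, 7, 4) || (v >= (0, 8, 0) && v < (0, 8, 1)),
        None => false, // real tooling should report unparseable versions separately
    }
}

/// Walk the [[package]] blocks of a Cargo.lock and return every affected
/// crossbeam-deque version. Line-based parsing suffices for the lockfile layout.
pub fn affected_in_lockfile(lock: &str) -> Vec<String> {
    fn flush(name: &mut Option<String>, ver: &mut Option<String>, out: &mut Vec<String>) {
        if let (Some(n), Some(v)) = (name.take(), ver.take()) {
            if n == "crossbeam-deque" && is_affected(&v) { out.push(v); }
        }
    }
    let (mut name, mut ver, mut out) = (None, None, Vec::new());
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            flush(&mut name, &mut ver, &mut out); // a new header closes the previous block
        } else if let Some(rest) = line.strip_prefix("name = ") {
            name = Some(rest.trim_matches('"').to_string());
        } else if let Some(rest) = line.strip_prefix("version = ") {
            ver = Some(rest.trim_matches('"').to_string());
        }
    }
    flush(&mut name, &mut ver, &mut out); // the last block has no trailing header
    out
}

/// Constructed sample lockfile fragment: 0.7.3 is affected, 0.8.1 is fixed, rand is irrelevant.
pub const SAMPLE_LOCK: &str = r#"[[package]]
name = "crossbeam-deque"
version = "0.7.3"
[[package]]
name = "crossbeam-deque"
version = "0.8.1"
[[package]]
name = "rand"
version = "0.7.3"
"#;
```

Running `affected_in_lockfile` over a project's real Cargo.lock reports only the crossbeam-deque versions still in the advisory's ranges; an empty result means the lockfile already pins a fixed release.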
Reply sent to Peter Michael Green <plugwash@debian.org>: You have taken responsibility. (Sat, 28 Aug 2021 07:39:04 GMT)
Notification sent to Moritz Mühlenhoff <jmm@inutil.org>: Bug acknowledged by developer. (Sat, 28 Aug 2021 07:39:04 GMT)
Message #10 received at 993146-close@bugs.debian.org:
Source: rust-crossbeam-deque
Source-Version: 0.7.4-1
Done: Peter Michael Green <plugwash@debian.org>
We believe that the bug you reported is fixed in the latest version of
rust-crossbeam-deque, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 993146@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Peter Michael Green <plugwash@debian.org> (supplier of updated rust-crossbeam-deque package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sat, 28 Aug 2021 07:13:50 +0000
Source: rust-crossbeam-deque
Architecture: source
Version: 0.7.4-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Rust Maintainers <pkg-rust-maintainers@alioth-lists.debian.net>
Changed-By: Peter Michael Green <plugwash@debian.org>
Closes: 993146
Changes:
rust-crossbeam-deque (0.7.4-1) unstable; urgency=medium
.
* Team upload.
* Package crossbeam-deque 0.7.4 from crates.io using debcargo 2.4.4
- new upstream version fixes CVE-2021-32810 (Closes: 993146)
* Bump dev-dependency on rand so autopkgtest can run.
Checksums-Sha1:
Checksums-Sha256:
Files:
Last modified: Sat Aug 28 08:34:38 2021