GNU bug report logs

#47544 rust-slice-deque is vulnerable to CVE-2021-29938

PackageSource(s)Maintainer(s)
guix PTS Buildd Popcon
Reply or subscribe to this bug. View this bug as an mbox, status mbox, or maintainer mbox

Report forwarded to bug-guix@gnu.org:
bug#47544; Package guix. (Thu, 01 Apr 2021 14:09:03 GMT) (full text, mbox, link).

Acknowledgement sent to Léo Le Bouter <lle-bout@zaclys.net>:
New bug report received and forwarded. Copy sent to bug-guix@gnu.org. (Thu, 01 Apr 2021 14:09:03 GMT) (full text, mbox, link).

Message #5 received at submit@debbugs.gnu.org (full text, mbox, reply):

From: Léo Le Bouter <lle-bout@zaclys.net>
To: bug-guix@gnu.org
Subject: rust-slice-deque is vulnerable to CVE-2021-29938
Date: Thu, 01 Apr 2021 16:08:47 +0200
[Message part 1 (text/plain, inline)]
CVE-2021-29938	07:15
An issue was discovered in the slice-deque crate through 2021-02-19 for
Rust. A double drop can occur in SliceDeque::drain_filter upon a panic
in a predicate function.

Upstream PR: https://github.com/gnzlbg/slice_deque/pull/91

I suggest we wait for merge then update our package.

[signature.asc (application/pgp-signature, inline)]

Added tag(s) security. Request was from Léo Le Bouter <lle-bout@zaclys.net> to control@debbugs.gnu.org. (Thu, 01 Apr 2021 14:10:02 GMT) (full text, mbox, link).

Information forwarded to bug-guix@gnu.org:
bug#47544; Package guix. (Wed, 23 Mar 2022 02:40:01 GMT) (full text, mbox, link).

Message #10 received at 47544@debbugs.gnu.org (full text, mbox, reply):

From: Maxim Cournoyer <maxim.cournoyer@gmail.com>
To: Léo Le Bouter <lle-bout@zaclys.net>
Cc: 47544@debbugs.gnu.org
Subject: Re: bug#47544: rust-slice-deque is vulnerable to CVE-2021-29938
Date: Tue, 22 Mar 2022 22:39:11 -0400
Hello,

Léo Le Bouter <lle-bout@zaclys.net> writes:

> CVE-2021-29938	07:15
> An issue was discovered in the slice-deque crate through 2021-02-19 for
> Rust. A double drop can occur in SliceDeque::drain_filter upon a panic
> in a predicate function.
>
> Upstream PR: https://github.com/gnzlbg/slice_deque/pull/91

The project appears unmaintained [0].

[0]  https://github.com/gnzlbg/slice_deque/issues/94.

It's used by a couple other packages (how many?  hard to tell, this
being Rust in Guix).

Thanks,

Maxim

Send a report that this bug log contains spam.

debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sat Dec 21 13:06:39 2024; Machine Name: wallace-server

GNU bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.