GNU bug report logs

#47544 rust-slice-deque is vulnerable to CVE-2021-29938

PackageSource(s)Maintainer(s)
guix PTS Buildd Popcon
Full log

Message #10 received at 47544@debbugs.gnu.org (full text, mbox, reply):

Received: (at 47544) by debbugs.gnu.org; 23 Mar 2022 02:39:20 +0000
From debbugs-submit-bounces@debbugs.gnu.org Tue Mar 22 22:39:20 2022
Received: from localhost ([127.0.0.1]:42295 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1nWqu7-0000o3-RO
	for submit@debbugs.gnu.org; Tue, 22 Mar 2022 22:39:20 -0400
Received: from mail-qv1-f52.google.com ([209.85.219.52]:36702)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <maxim.cournoyer@gmail.com>) id 1nWqu6-0000nq-E2
 for 47544@debbugs.gnu.org; Tue, 22 Mar 2022 22:39:18 -0400
Received: by mail-qv1-f52.google.com with SMTP id kc20so310583qvb.3
 for <47544@debbugs.gnu.org>; Tue, 22 Mar 2022 19:39:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112;
 h=from:to:cc:subject:references:date:in-reply-to:message-id
 :user-agent:mime-version:content-transfer-encoding;
 bh=VX0iAcDhsjnhMq/+vq5QJQOLhQIF7NNIOGGQ6++vOp4=;
 b=lsljRAdX6FdwN/qrxDKTZyOIEgKIyZFGrtjQj19p0IHHP9dIzENjifS6z5FXHiuJxG
 CgMMJzlw67J13ugNoRbI6/NfoCRabpb7X5vs5U00Ogx36I5BgjusHXzkrOUtvbIhy8kb
 D2bN/bTIngVL34YfzAqQM3g8o4WTn/uf4Rnnavzvi1GNp3dMEOQOH9MMSzNs5jlnRzZX
 jnt789BPn0gg2pxAd3oOKXHMpCLhfGrCVDct3Do2dfjH8ZhGAa/DAbdMxBp0bnbtgTVw
 OgMqW+GacRZ8nXV18uZ5Hpu8LgrIfF6V3kNA4Tc7bhC2BC3v4zyXYXP4d2Gjdc6mv/6F
 Sgqw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112;
 h=x-gm-message-state:from:to:cc:subject:references:date:in-reply-to
 :message-id:user-agent:mime-version:content-transfer-encoding;
 bh=VX0iAcDhsjnhMq/+vq5QJQOLhQIF7NNIOGGQ6++vOp4=;
 b=ngOR11hxPo8cXjtSzUvmYKvgsIO/afA4XYpu+9V5mtxZAUew9YO8M1yxDfZhAq8G8D
 6QYzBWDsz1el0W2KqFEo6ymj4/4hoyWZumOyOEHYMJ92tRdpa63WYHqYvRVFeFKtxZe0
 0iAg3Q/ZFLIirixziZv+FTzJLRP+w7LGKG05TfrlAsYXRdhjvdGBwrciLSfwPLyvLlP2
 LulMyszSKUstl7pc0rs8tIUSqxmv/jF1eHPNW9+ubhXRpPRoUzSW2BJpQx3Jd1LJ9TWE
 t8ToScdJeX5KYl80j6laD3UCikXhVdkGhi10kSm0062aRJBGGOvQnZfxxOqvxUFqifaT
 3rkA==
X-Gm-Message-State: AOAM5336hBTPtnoFZ2Ul48WnqQS1i5EEKYNhjuhxBpoxOn6VwUAfvG9l
 SXqZq5DY+HZMbMUW7CjLOiyJ9uXxTqE=
X-Google-Smtp-Source: ABdhPJwnF5y9iCp/1+MeYn+JVFTZ1MstZ6WFTwCUF+hMAd4Dq3sttYvlqrDPcI6S1tZv0bhyYfPtaQ==
X-Received: by 2002:a05:6214:4111:b0:440:ce1e:831f with SMTP id
 kc17-20020a056214411100b00440ce1e831fmr22146803qvb.56.1648003152777; 
 Tue, 22 Mar 2022 19:39:12 -0700 (PDT)
Received: from hurd (dsl-10-129-199.b2b2c.ca. [72.10.129.199])
 by smtp.gmail.com with ESMTPSA id
 b202-20020ae9ebd3000000b0067b11d53365sm9909458qkg.47.2022.03.22.19.39.11
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Tue, 22 Mar 2022 19:39:12 -0700 (PDT)
From: Maxim Cournoyer <maxim.cournoyer@gmail.com>
To: Léo Le Bouter <lle-bout@zaclys.net>
Subject: Re: bug#47544: rust-slice-deque is vulnerable to CVE-2021-29938
References: <3e2016e62239d2039e48c945a6b6a982c09e3f5f.camel@zaclys.net>
Date: Tue, 22 Mar 2022 22:39:11 -0400
In-Reply-To: <3e2016e62239d2039e48c945a6b6a982c09e3f5f.camel@zaclys.net>
 ("Léo
 Le Bouter"'s message of "Thu, 01 Apr 2021 16:08:47 +0200")
Message-ID: <87v8w5z92o.fsf@gmail.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -0.0 (/)
X-Debbugs-Envelope-To: 47544
Cc: 47544@debbugs.gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

Hello,

Léo Le Bouter <lle-bout@zaclys.net> writes:

> CVE-2021-29938	07:15
> An issue was discovered in the slice-deque crate through 2021-02-19 for
> Rust. A double drop can occur in SliceDeque::drain_filter upon a panic
> in a predicate function.
>
> Upstream PR: https://github.com/gnzlbg/slice_deque/pull/91

The project appears unmaintained [0].

[0]  https://github.com/gnzlbg/slice_deque/issues/94.

It's used by a couple other packages (how many?  hard to tell, this
being Rust in Guix).

Thanks,

Maxim

Send a report that this bug log contains spam.

debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sat Dec 21 18:35:38 2024; Machine Name: wallace-server

GNU bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.