bug-guix

bug#47542: rust-stackvector package is vulnerable to CVE-2021-29939


From: zimoun
Subject: bug#47542: rust-stackvector package is vulnerable to CVE-2021-29939
Date: Mon, 28 Jun 2021 10:06:10 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)

Hi,

On Thu, 01 Apr 2021 at 15:47, Léo Le Bouter <lle-bout@zaclys.net> wrote:
> CVE-2021-29939        07:15
> An issue was discovered in the stackvector crate through 2021-02-19 for
> Rust. There is an out-of-bounds write in StackVec::extend if size_hint
> provides certain anomalous data.
>
> No fix released upstream yet:
> https://github.com/Alexhuszagh/rust-stackvector/issues/2
>
> Out of bounds write sounds like it could have dangerous consequences,
> not sure how likely is "size_hint provides certain anomalous data"
> though.

Thanks for the report.

Commit 015cd2e86e779907085d356c69b6091dc8ac1788 updating to 1.1.1 should
fix the security issue; as upstream said.  So, closing.

All the best,
simon
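An added illustration of the bug class named in the advisory, not part of this thread and not stackvector's code: in Rust, `Iterator::size_hint` is advisory and a safe iterator may return anything, so a fixed-capacity container has to bounds-check each write rather than size its writes from the hint. `FixedVec` and `LyingIter` are hypothetical names made up for this sketch.

```rust
// Added illustration: FixedVec and LyingIter are hypothetical, not stackvector's API.
pub struct FixedVec<const N: usize> {
    buf: [u32; N],
    len: usize,
}

impl<const N: usize> FixedVec<N> {
    pub fn new() -> Self {
        FixedVec { buf: [0; N], len: 0 }
    }

    pub fn as_slice(&self) -> &[u32] {
        &self.buf[..self.len]
    }

    /// Capacity is checked on every write; a full vector hands the item back.
    pub fn try_push(&mut self, v: u32) -> Result<(), u32> {
        if self.len == N {
            return Err(v);
        }
        self.buf[self.len] = v;
        self.len += 1;
        Ok(())
    }

    /// Extend without consulting size_hint; stops at the first item that does not fit.
    pub fn extend_checked<I: IntoIterator<Item = u32>>(&mut self, iter: I) -> Result<(), u32> {
        for v in iter {
            self.try_push(v)?;
        }
        Ok(())
    }
}

/// Constructed iterator with an anomalous size_hint: claims 0 items, yields `n`.
pub struct LyingIter { pub n: u32 }

impl Iterator for LyingIter {
    type Item = u32;
    fn next(&mut self) -> Option<u32> {
        if self.n == 0 { None } else { self.n -= 1; Some(self.n) }
    }
    fn size_hint(&self) -> (usize, Option<usize>) { (0, Some(0)) }
}

fn main() {
    let mut v = FixedVec::<4>::new();
    let overflow = v.extend_checked(LyingIter { n: 6 });
    println!("{:?} {:?}", v.as_slice(), overflow);
}
```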




