Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add tiny-http Request Smuggling #355

Merged
merged 2 commits into from Aug 21, 2020
Merged

Add tiny-http Request Smuggling #355

merged 2 commits into from Aug 21, 2020

Conversation

snoopysecurity
Copy link
Contributor

Reopening this to add the RustSecDB, initially was hoping for a patch before making this into an advisory

Shnatsel
Shnatsel approved these changes Aug 21, 2020
View reviewed changes
Copy link
Member

@Shnatsel Shnatsel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the report! I've left one nit, other than that LGTM

crates/tiny_http/RUSTSEC-2020-0000.toml Outdated
date = "2020-06-16"
title = "HTTP Request smuggling through malformed Transfer Encoding headers"
url = "https://github.com/tiny-http/tiny-http/issues/173"
categories = ["format-injection"]
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think "format injection" is quite correct; we do not seem to have a proper category for this.

I suppose we should eventually transition to CWE, but in the meanwhile it's probably best to just drop the category field here.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah agreed, this is an injection vulnerability, but the format-injection category is more precisely intended for "format string injection" vulnerabilities.

Also agreed it'd be nice to implement CWE.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point, CWE would be nice

@Shnatsel Shnatsel merged commit 50e585f into rustsec:master Aug 21, 2020
@scooter-dangle
Copy link

@Shnatsel, I'm sorry if this is a dumb question, but are there recommendations for what to do with a vulnerability before it gets a non-zero number? I got a local cargo audit failure on a project but couldn't find any information on RUSTSEC-2020-0000. Is it just a matter of lag until a maintainer has a chance to manually set up the URL and other related info?

@alex
Copy link
Member

alex commented Aug 21, 2020

@scooter-dangle I've fixed this -- it was a bug that this was assigned 2020-0000, it should have been assigned 0000-0000 so our auto ID assignment script noticed it.

@scooter-dangle
Copy link

scooter-dangle commented Aug 21, 2020
edited

Thanks, @alex!

HeroicKatora pushed a commit to HeroicKatora/advisory-db that referenced this pull request Nov 20, 2020
@roy-work
Correct affected version range on RUSTSEC-2019-003[34] to patched at …
200651c 
…0.1.20

I believe these two vulnerabilities were patched at 0.1.20.

For RUSTSEC-2019-0033:

The advisory links to the bug: hyperium/http#352
In that bug, the fixing PR was hyperium/http#360
That PR merged the commit 81ceb61 to fix the bug; that commit, according to
GitHub, was first picked up by tag v0.1.20 ([commit][1]).

[1]: hyperium/http@81ceb61

For RUSTSEC-2019-0034:

This advisory is two separate GitHub issues against `HeaderMap::drain`,
http rustsec#354 and http rustsec#355.

For the first: the issue: hyperium/http#354
In that bug, the fixing PR was hyperium/http#357
That PR merged the commit 82d53db to fix the bug; that commit, according to
GitHub, was first picked up by tag v0.1.20 ([commit][2]).

[2]: hyperium/http@82d53db

For the second: the issue: hyperium/http#355
In that bug, the fixing PR was hyperium/http#362
That PR merged the commit 8ffe094 to fix the bug; that commit, according to
GitHub, was first picked up by tag v0.1.20 ([commit][3]).

[3]: hyperium/http@8ffe094
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tarcieri tarcieri tarcieri left review comments

@Shnatsel Shnatsel Shnatsel approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@snoopysecurity @scooter-dangle @alex @tarcieri @Shnatsel