Properly disclose #148 and #149

[Shnatsel]

Recently reported #148 and #149 are memory safety issues and may be exploitable. They need to be properly disclosed:

1. Identify the affected crate versions
2. Yank vulnerable versions from crates.io
3. File an advisory in https://github.com/RustSec/advisory-db

I have tried to track down the commits that introduced these bugs:

• use-after-free when growing to the same size #148 is caused by 4d02e41 and affects versions 0.6.5 onwards until the fix is landed in 0.6.10
• My testcase points to Using grow to shrink can cause corruption. #149 being introduced in b24b3d2 but that doesn't make sense to me. If I am correct, that would make 0.6.3 and later vulnerable; possibly 0.6.2 as well but there is no 0.6.2 tag in git, so cannot check that.

The testcase I'm using to check for #149 is as follows:

let mut v: SmallVec<[u8; 2]> = SmallVec::new();
v.push(1);
v.push(2);
v.push(3);
assert!(v.spilled());
v.clear();
// Shrink to inline.
v.grow(2);
assert_eq!(v.capacity(), 2);

[Shnatsel]

I can handle the advisories once the affected crate versions are determined

[Shnatsel]

Advisory for #148 is pending: rustsec/advisory-db#119

Still not entirely sure on the affected versions range for #149, but 0.6.3 and onwards are definitely affected, so please yank them.

[dvdplm]

@Shnatsel do you know if the advisories to RustSec find their way into cargo audit automatically or do we need any further action there?

[Shnatsel]

Once the PR for the advisory DB is merged it gets into cargo audit automatically. No further action is needed.

[lucab]

For reference, RustSec advisories are also wired into @dependabot. This is what an automated security bumps looks like: coreos/afterburn#239.

[Phosphorus15]

I've located the commit that introduced issue #149 , i.e. 675221e , in which smallvec::grow started to allow for shrinking back onto the stack. It is also clear that this commit was made after version 0.6.2 from the network graph, also, you'll be able to check version 0.6.2 under revision d41b4eb. (which I've tested to be okay 😉 )

[Shnatsel]

@Phosphorus15 I do not believe commit 675221e is the one - it only modifies benchmarks, not the actual code.

[Shnatsel]

Advisory for #149 is up for review: rustsec/advisory-db#127

[jdm]

Thanks. Sorry for dropping the ball here.

[Shnatsel]

@jdm please yank versions 0.6.3 to 0.6.9 inclusive from crates.io. That way anyone using them will be upgraded to the fixed 0.6.10 automatically. It's the one part I cannot handle by myself.

[jdm]

Done.

[Shnatsel]

Security advisory is merged too, so closing this. Thanks!