{ "advisory": { "id": "RUSTSEC-2020-0159", "package": "chrono", "title": "Potential segfault in `localtime_r` invocations", "description": "### Impact\n\nUnix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.\n\n### Workarounds\n\nNo workarounds are known.\n\n### References\n\n- [time-rs/time#293](https://github.com/time-rs/time/issues/293)", "date": "2020-11-10", "aliases": [], "related": [ "CVE-2020-26235", "RUSTSEC-2020-0071" ], "collection": "crates", "categories": [ "code-execution", "memory-corruption" ], "keywords": [ "segfault" ], "cvss": null, "informational": null, "url": "https://github.com/chronotope/chrono/issues/499", "references": [], "withdrawn": null }, "versions": { "patched": [], "unaffected": [] }, "affected": null, "package": { "name": "chrono", "version": "0.4.19", "source": "registry+https://github.com/rust-lang/crates.io-index", "checksum": "670ad68c9088c2a963aaa298cb369688cf3f9465ce5e2d4ca10e6e0098a1ce73", "dependencies": [ { "name": "libc", "version": "0.2.121", "source": "registry+https://github.com/rust-lang/crates.io-index" }, { "name": "num-integer", "version": "0.1.44", "source": "registry+https://github.com/rust-lang/crates.io-index" }, { "name": "num-traits", "version": "0.2.14", "source": "registry+https://github.com/rust-lang/crates.io-index" }, { "name": "pure-rust-locales", "version": "0.5.6", "source": "registry+https://github.com/rust-lang/crates.io-index" }, { "name": "serde", "version": "1.0.136", "source": "registry+https://github.com/rust-lang/crates.io-index" }, { "name": "time", "version": "0.1.43", "source": "registry+https://github.com/rust-lang/crates.io-index" }, { "name": "winapi", "version": "0.3.9", "source": null } ], "replace": null } } { "advisory": { "id": "RUSTSEC-2021-0119", "package": "nix", "title": "Out-of-bounds write in nix::unistd::getgrouplist", "description": "On certain platforms, if a user has more than 16 groups, the\n`nix::unistd::getgrouplist` function will call the libc `getgrouplist`\nfunction with a length parameter greater than the size of the buffer it\nprovides, resulting in an out-of-bounds write and memory corruption.\n\nThe libc `getgrouplist` function takes an in/out parameter `ngroups`\nspecifying the size of the group buffer. When the buffer is too small to\nhold all of the reqested user's group memberships, some libc\nimplementations, including glibc and Solaris libc, will modify `ngroups`\nto indicate the actual number of groups for the user, in addition to\nreturning an error. The version of `nix::unistd::getgrouplist` in nix\n0.16.0 and up will resize the buffer to twice its size, but will not\nread or modify the `ngroups` variable. Thus, if the user has more than\ntwice as many groups as the initial buffer size of 8, the next call to\n`getgrouplist` will then write past the end of the buffer.\n\nThe issue would require editing /etc/groups to exploit, which is usually\nonly editable by the root user.", "date": "2021-09-27", "aliases": [], "related": [], "collection": "crates", "categories": [ "memory-corruption" ], "keywords": [ "nss" ], "cvss": null, "informational": null, "url": "https://github.com/nix-rust/nix/issues/1541", "references": [], "withdrawn": null }, "versions": { "patched": [ "^0.20.2", "^0.21.2", "^0.22.2", ">=0.23.0" ], "unaffected": [ "<0.16.0" ] }, "affected": { "arch": [], "os": [ "linux", "freebsd", "android", "netbsd", "dragonfly", "openbsd", "fuchsia" ], "functions": { "nix::unistd::getgrouplist": [ ">=0.16.0" ] } }, "package": { "name": "nix", "version": "0.19.1", "source": "registry+https://github.com/rust-lang/crates.io-index", "checksum": "b2ccba0cfe4fdf15982d1674c69b1fd80bad427d293849982668dfe454bd61f2", "dependencies": [ { "name": "bitflags", "version": "1.3.2", "source": "registry+https://github.com/rust-lang/crates.io-index" }, { "name": "cc", "version": "1.0.73", "source": "registry+https://github.com/rust-lang/crates.io-index" }, { "name": "cfg-if", "version": "1.0.0", "source": null }, { "name": "libc", "version": "0.2.121", "source": "registry+https://github.com/rust-lang/crates.io-index" } ], "replace": null } } { "advisory": { "id": "RUSTSEC-2020-0071", "package": "time", "title": "Potential segfault in the time crate", "description": "### Impact\n\nUnix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.\n\nThe affected functions from time 0.2.7 through 0.2.22 are:\n\n- `time::UtcOffset::local_offset_at`\n- `time::UtcOffset::try_local_offset_at`\n- `time::UtcOffset::current_local_offset`\n- `time::UtcOffset::try_current_local_offset`\n- `time::OffsetDateTime::now_local`\n- `time::OffsetDateTime::try_now_local`\n\nThe affected functions in time 0.1 (all versions) are:\n\n- `at`\n- `at_utc`\n- `now`\n\nNon-Unix targets (including Windows and wasm) are unaffected.\n\n### Patches\n\nPending a proper fix, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods.\n\nUsers and library authors with time in their dependency tree should perform `cargo update`, which will pull in the updated, unaffected code.\n\nUsers of time 0.1 do not have a patch and should upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\n\n### Workarounds\n\nNo workarounds are known.\n\n### References\n\ntime-rs/time#293", "date": "2020-11-18", "aliases": [ "CVE-2020-26235" ], "related": [], "collection": "crates", "categories": [ "code-execution", "memory-corruption" ], "keywords": [ "segfault" ], "cvss": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "informational": null, "url": "https://github.com/time-rs/time/issues/293", "references": [], "withdrawn": null }, "versions": { "patched": [ ">=0.2.23" ], "unaffected": [ "=0.2.0", "=0.2.1", "=0.2.2", "=0.2.3", "=0.2.4", "=0.2.5", "=0.2.6" ] }, "affected": { "arch": [], "os": [ "linux", "redox", "solaris", "android", "ios", "macos", "netbsd", "openbsd", "freebsd" ], "functions": { "time::OffsetDateTime::now_local": [ "<0.2.23" ], "time::OffsetDateTime::try_now_local": [ "<0.2.23" ], "time::UtcOffset::current_local_offset": [ "<0.2.23" ], "time::UtcOffset::local_offset_at": [ "<0.2.23" ], "time::UtcOffset::try_current_local_offset": [ "<0.2.23" ], "time::UtcOffset::try_local_offset_at": [ "<0.2.23" ], "time::at": [ "^0.1" ], "time::at_utc": [ "^0.1" ], "time::now": [ "^0.1" ] } }, "package": { "name": "time", "version": "0.1.43", "source": "registry+https://github.com/rust-lang/crates.io-index", "checksum": "ca8a50ef2360fbd1eeb0ecd46795a87a19024eb4b53c5dc916ca1fd95fe62438", "dependencies": [ { "name": "libc", "version": "0.2.121", "source": "registry+https://github.com/rust-lang/crates.io-index" }, { "name": "winapi", "version": "0.3.9", "source": null } ], "replace": null } } { "advisory": { "id": "RUSTSEC-2021-0019", "package": "xcb", "title": "Multiple soundness issues", "description": "## Calls `std::str::from_utf8_unchecked()` without any checks\n\nThe function `xcb::xproto::GetAtomNameReply::name()` calls\n`std::str::from_utf8_unchecked()` on the raw bytes that were received from the\nX11 server without any validity checks. The X11 server only prevents interior\nnull bytes, but otherwise allows any X11 client to create an atom for arbitrary\nbytes.\n\nThis issue is tracked here: https://github.com/rust-x-bindings/rust-xcb/issues/96\n\n## `xcb::xproto::GetPropertyReply::value()` allows arbitrary return types\n\nThe function `xcb::xproto::GetPropertyReply::value()` returns a slice of type\n`T` where `T` is an unconstrained type parameter. The raw bytes received from\nthe X11 server are interpreted as the requested type.\n\nThe users of the `xcb` crate are advised to only call this function with the\nintended types. These are `u8`, `u16`, and `u32`.\n\nThis issue is tracked here: https://github.com/rust-x-bindings/rust-xcb/issues/95\n\n## Out of bounds read in `xcb::xproto::change_property()`\n\n`xcb::xproto::change_property` has (among others) the arguments `format: u8` and\n`data: &[T]`. The intended use is one of the following cases:\n- `format = 8` and `T = u8`\n- `format = 16` and `T = u16`\n- `format = 32` and `T = u32`\nHowever, this constraint is not enforced. For example, it is possible to call\nthe function with `format = 32` and `T = u8`. In this case, a read beyond the\nend of the `data` slice is performed and the bytes are sent to the X11 server.\n\nThe users of the `xcb` crate are advised to only call this function with one of\nthe intended argument combinations.\n\nThis issue is tracked here: https://github.com/rust-x-bindings/rust-xcb/issues/94\n\n## 'Safe' wrapper around `std::mem::transmute()`\n\nThe function `xcb::base::cast_event()` takes a reference to a\n`xcb::base::GenericEvent` and returns a reference to an arbitrary type, as\nrequested by the caller (or found via type interference). The function is\nimplemented as a direct call to `std::mem::transmute()`. Since the return type\nis not constrained, this allows transmution to an incorrect type or a type that\nis larger than the X11 event that was passed in.\n\nX11 events are mostly always 32 bytes large and this function works as intended.\n\nUsers are advised to only cast to the event structs provided by the `xcb` crate\n(and hope for the best).\n\nThis issue is tracked here: https://github.com/rust-x-bindings/rust-xcb/issues/78", "date": "2021-02-04", "aliases": [ "CVE-2021-26955", "CVE-2021-26956", "CVE-2021-26957", "CVE-2021-26958" ], "related": [], "collection": "crates", "categories": [ "memory-corruption", "memory-exposure" ], "keywords": [], "cvss": null, "informational": null, "url": "https://github.com/RustSec/advisory-db/issues/653", "references": [ "https://github.com/rust-x-bindings/rust-xcb/issues/78", "https://github.com/rust-x-bindings/rust-xcb/issues/94", "https://github.com/rust-x-bindings/rust-xcb/issues/95", "https://github.com/rust-x-bindings/rust-xcb/issues/96" ], "withdrawn": null }, "versions": { "patched": [ ">=1.0" ], "unaffected": [] }, "affected": null, "package": { "name": "xcb", "version": "0.8.2", "source": "registry+https://github.com/rust-lang/crates.io-index", "checksum": "5e917a3f24142e9ff8be2414e36c649d47d6cc2ba81f16201cdef96e533e02de", "dependencies": [ { "name": "libc", "version": "0.2.121", "source": "registry+https://github.com/rust-lang/crates.io-index" }, { "name": "log", "version": "0.4.16", "source": "registry+https://github.com/rust-lang/crates.io-index" } ], "replace": null } } { "advisory": { "id": "RUSTSEC-2021-0019", "package": "xcb", "title": "Multiple soundness issues", "description": "## Calls `std::str::from_utf8_unchecked()` without any checks\n\nThe function `xcb::xproto::GetAtomNameReply::name()` calls\n`std::str::from_utf8_unchecked()` on the raw bytes that were received from the\nX11 server without any validity checks. The X11 server only prevents interior\nnull bytes, but otherwise allows any X11 client to create an atom for arbitrary\nbytes.\n\nThis issue is tracked here: https://github.com/rust-x-bindings/rust-xcb/issues/96\n\n## `xcb::xproto::GetPropertyReply::value()` allows arbitrary return types\n\nThe function `xcb::xproto::GetPropertyReply::value()` returns a slice of type\n`T` where `T` is an unconstrained type parameter. The raw bytes received from\nthe X11 server are interpreted as the requested type.\n\nThe users of the `xcb` crate are advised to only call this function with the\nintended types. These are `u8`, `u16`, and `u32`.\n\nThis issue is tracked here: https://github.com/rust-x-bindings/rust-xcb/issues/95\n\n## Out of bounds read in `xcb::xproto::change_property()`\n\n`xcb::xproto::change_property` has (among others) the arguments `format: u8` and\n`data: &[T]`. The intended use is one of the following cases:\n- `format = 8` and `T = u8`\n- `format = 16` and `T = u16`\n- `format = 32` and `T = u32`\nHowever, this constraint is not enforced. For example, it is possible to call\nthe function with `format = 32` and `T = u8`. In this case, a read beyond the\nend of the `data` slice is performed and the bytes are sent to the X11 server.\n\nThe users of the `xcb` crate are advised to only call this function with one of\nthe intended argument combinations.\n\nThis issue is tracked here: https://github.com/rust-x-bindings/rust-xcb/issues/94\n\n## 'Safe' wrapper around `std::mem::transmute()`\n\nThe function `xcb::base::cast_event()` takes a reference to a\n`xcb::base::GenericEvent` and returns a reference to an arbitrary type, as\nrequested by the caller (or found via type interference). The function is\nimplemented as a direct call to `std::mem::transmute()`. Since the return type\nis not constrained, this allows transmution to an incorrect type or a type that\nis larger than the X11 event that was passed in.\n\nX11 events are mostly always 32 bytes large and this function works as intended.\n\nUsers are advised to only cast to the event structs provided by the `xcb` crate\n(and hope for the best).\n\nThis issue is tracked here: https://github.com/rust-x-bindings/rust-xcb/issues/78", "date": "2021-02-04", "aliases": [ "CVE-2021-26955", "CVE-2021-26956", "CVE-2021-26957", "CVE-2021-26958" ], "related": [], "collection": "crates", "categories": [ "memory-corruption", "memory-exposure" ], "keywords": [], "cvss": null, "informational": null, "url": "https://github.com/RustSec/advisory-db/issues/653", "references": [ "https://github.com/rust-x-bindings/rust-xcb/issues/78", "https://github.com/rust-x-bindings/rust-xcb/issues/94", "https://github.com/rust-x-bindings/rust-xcb/issues/95", "https://github.com/rust-x-bindings/rust-xcb/issues/96" ], "withdrawn": null }, "versions": { "patched": [ ">=1.0" ], "unaffected": [] }, "affected": null, "package": { "name": "xcb", "version": "0.9.0", "source": "registry+https://github.com/rust-lang/crates.io-index", "checksum": "62056f63138b39116f82a540c983cc11f1c90cd70b3d492a70c25eaa50bd22a6", "dependencies": [ { "name": "libc", "version": "0.2.121", "source": "registry+https://github.com/rust-lang/crates.io-index" }, { "name": "log", "version": "0.4.16", "source": "registry+https://github.com/rust-lang/crates.io-index" }, { "name": "x11", "version": "2.19.1", "source": "registry+https://github.com/rust-lang/crates.io-index" } ], "replace": null } }