rust-stackvector package is vulnerable to CVE-2021-29939

Open
Submitted by Léo Le Bouter.
Details
One participant
  • Léo Le Bouter
Owner
unassigned
Severity
normal
Léo Le Bouter wrote on 1 Apr 15:47 +0200
(address . bug-guix@gnu.org)
5880a0d2db58bae9f641e746f405fe4cd0e1bca3.camel@zaclys.net
CVE-2021-29939 07:15
An issue was discovered in the stackvector crate through 2021-02-19 for Rust. There is an out-of-bounds write in StackVec::extend if size_hint provides certain anomalous data.
No fix released upstream yet: https://github.com/Alexhuszagh/rust-stackvector/issues/2
Out-of-bounds write sounds like it could have dangerous consequences, not sure how likely "size_hint provides certain anomalous data" is though.

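The pattern the CVE text describes, as an added example that is not code from the stackvector crate or from the reporter: a constructed fixed-capacity vector whose extend checks capacity once from the iterator's size_hint lower bound and then stores every yielded item unchecked, beside a version that bounds-checks each store. The type, iterator and error names (StackVec, LyingIter, ExtendError) are illustrative assumptions; the buffer is a safe Rust array, so the out-of-bounds write shows up as an index panic at the exact point where a raw-pointer store would corrupt memory.

```rust
use std::panic;

/// Constructed stand-in for a fixed-capacity inline vector (not the stackvector
/// crate's own type). A safe `Option` array backs it, so an out-of-bounds write
/// surfaces as an index panic instead of silent memory corruption.
pub struct StackVec<T, const N: usize> {
    buf: [Option<T>; N],
    len: usize,
}

/// Error from the hardened extend: `at_item` is the index of the first item
/// that did not fit (illustrative name).
#[derive(Debug, PartialEq)]
pub enum ExtendError {
    Overflow { capacity: usize, at_item: usize },
}

impl<T, const N: usize> StackVec<T, N> {
    pub fn new() -> Self {
        Self { buf: std::array::from_fn(|_| None), len: 0 }
    }

    /// Vulnerable pattern: one capacity check from the iterator's claimed lower
    /// bound, then every yielded item is stored with no per-item check. A real
    /// inline vector does this store through a raw pointer, so an iterator that
    /// yields more than `lower` items writes past the end of its buffer.
    pub fn extend_trusting_hint<I: IntoIterator<Item = T>>(&mut self, iter: I) {
        let iter = iter.into_iter();
        let (lower, _) = iter.size_hint();
        assert!(self.len + lower <= N, "StackVec capacity exceeded");
        for item in iter {
            self.buf[self.len] = Some(item); // unchecked in the vulnerable original
            self.len += 1;
        }
    }

    /// Hardened version: `size_hint` is advice only. Each store is preceded by a
    /// capacity check and surplus items are reported instead of written.
    pub fn try_extend<I: IntoIterator<Item = T>>(&mut self, iter: I) -> Result<(), ExtendError> {
        for (i, item) in iter.into_iter().enumerate() {
            if self.len == N {
                return Err(ExtendError::Overflow { capacity: N, at_item: i });
            }
            self.buf[self.len] = Some(item);
            self.len += 1;
        }
        Ok(())
    }
}

/// Iterator with an anomalous `size_hint`: it claims exactly `claimed` items but
/// yields `actual`. The `Iterator` contract allows this; consumers must not rely
/// on the hint for memory safety.
pub struct LyingIter {
    yielded: usize,
    actual: usize,
    claimed: usize,
}

impl Iterator for LyingIter {
    type Item = u32;

    fn next(&mut self) -> Option<u32> {
        if self.yielded >= self.actual {
            return None;
        }
        self.yielded += 1;
        Some(self.yielded as u32)
    }

    fn size_hint(&self) -> (usize, Option<usize>) {
        (self.claimed, Some(self.claimed))
    }
}

/// Feeds a 4-slot vector an iterator that claims 0 items but yields 6 through
/// the trusting extend. Returns true if the out-of-bounds store was reached
/// (surfaced here as a caught panic).
pub fn trusting_extend_overflows() -> bool {
    panic::catch_unwind(|| {
        let mut v: StackVec<u32, 4> = StackVec::new();
        v.extend_trusting_hint(LyingIter { yielded: 0, actual: 6, claimed: 0 });
    })
    .is_err()
}

/// Same input through the hardened extend: four items are stored and the fifth
/// is reported as an overflow. Returns the result and the final length.
pub fn checked_extend_result() -> (Result<(), ExtendError>, usize) {
    let mut v: StackVec<u32, 4> = StackVec::new();
    let res = v.try_extend(LyingIter { yielded: 0, actual: 6, claimed: 0 });
    (res, v.len)
}

fn main() {
    panic::set_hook(Box::new(|_| {})); // keep the demonstration output readable
    println!("trusting extend reached an out-of-bounds store: {}", trusting_extend_overflows());
    let (res, len) = checked_extend_result();
    println!("checked extend: {:?} (stored {} items)", res, len);
}
```

The lying iterator is the "anomalous data" case, but the same store is reached with a perfectly honest adapter: `(1..=6).filter(|_| true)` reports a lower bound of 0 because filter cannot know how many items pass. The std documentation for Iterator::size_hint states that an incorrect size_hint must not lead to memory-safety violations, so any unsafe code that skips per-element bounds checks on the strength of the hint is a bug in the consumer, not in the iterator.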
Léo Le Bouter wrote on 1 Apr 15:48 +0200
(address . control@debbugs.gnu.org)
06f7440304edd37fb4282849db818c23805c7229.camel@zaclys.net
tags 47542 + security
quit
