[Pkg-rust-maintainers] Bug#906585: rustc: Backport the fix for Rust#44800 to stretch
Nicolas Braud-Santoni
nicolas at braud-santoni.eu
Sat Aug 18 14:19:46 BST 2018
Source: rustc
Version: 1.14.0+dfsg1-3
Severity: important
Tags: security stretch
Hi,
Sergey (in CC) recently pointed out [0] that we are still shipping, on Stretch
i386, a version of VecDeque (from the Rust stdlib) that can perform invalid
out-of-bounds writes:
https://github.com/rust-lang/rust/issues/44800
This is very likely exploitable (attacker-controlled data is written outside
the buffer), and we (the rust team) think it would be worth fixing ASAP.
Thankfully, there is already a more recent version for amd64 in stretch, and
1.24.1+dfsg1-1~deb9u3 is already in stretch-pu for i386 (plus a bunch of
architectures which did not previously have rustc). The fix first appeared in
upstream release 1.21.0 (Oct 2017).
Would it be possible to turn it into a security upload, along with a binNMU of
all packages that were built with rustc (<< 1.24.1)?
@Sergey: Thanks a lot for dedicating some of your time and energy to finding
security issues in the Rust ecosystem, it is highly appreciated. :3
Best,
nicoo
[0]: https://medium.com/@shnatsel/how-rusts-standard-library-was-vulnerable-for-years-and-nobody-noticed-aebf0503c3d6