[Pkg-rust-maintainers] Bug#906585: rustc: Backport the fix for Rust#44800 to stretch
Moritz Mühlenhoff
jmm at inutil.org
Sun Aug 19 11:04:25 BST 2018
On Sat, Aug 18, 2018 at 03:19:46PM +0200, Nicolas Braud-Santoni wrote:
> Source: rustc
> Version: 1.14.0+dfsg1-3
> Severity: important
> Tags: security stretch
>
> Hi,
>
> Sergey (in CC) recently pointed out [0] that we are still shipping in Stretch
> i386 a version of the VecDeque (from the Rust stdlib) that can perform invalid
> out-of-bounds writes:
>
> https://github.com/rust-lang/rust/issues/44800
>
> This is very likely exploitable (attacker-controlled data is written outside
> the buffer), and we (the rust team) think it would be worth fixing ASAP.
>
>
> Thankfully, there is already a more recent version for amd64 in stretch, and
> 1.24.1+dfsg1-1~deb9u3 is already in stretch-pu for i386 (plus a bunch of
> architectures which did not previously have rustc). The fix first appeared in
> upstream release 1.21.0 (Oct 2017).
>
> Would it be possible to turn it into a security upload, along with a binNMU of
> all packages that were built with rustc (<< 1.24.1)?
1.24 will reach stretch via the next 9.5 point release. I don't see any
need to expedite this. Do we actually have any application in stretch yet which
is written in Rust?
Cheers,
Moritz