[Pkg-rust-maintainers] Bug#986808: CVE-2021-29939

peter green plugwash at p10link.net
Mon Apr 12 23:54:53 BST 2021


Hi.

The stackvector crate does not appear to be maintained upstream. The upstream bug underlying this
issue was reported back in February and has received no response from the upstream maintainer.

It seems the only user of the stackvector crate in Debian is the lexical_core crate.
The lexical_core crate upstream (which appears to be the same person as the stackvector maintainer)
switched from stackvector to arrayvec some time ago. The relevant commit on the 0.4 branch being
https://github.com/Alexhuszagh/rust-lexical/commit/6f9f3f5b9ffff232107791008098012ef5fa069a

Regarding the actual bug, I think it can be fixed by simply changing "while count < lower_bound {"
to "while count < upper_bound {" but I'm no expert on the code and I'm reluctant to apply it
without some feedback from someone more familiar with the code.

That patch patches to use arrayvec 0.4, which is lower than the version 0.5 in Debian, but looking
at the master branch I suspect that it will be a simple case of just bumping the dependency.

So it seems there are a few possible ways forward here.

1. Try and fix stackvector ourselves, this is the smaller change but as I said I'm reluctant
    to do it without more eyes on the code.
2. Apply the upstream commit to switch lexical_core to arrayvec and then bump the arrayvec
    dependency to 0.5. We would also likely have to either use feature_collapse or manually
    alter debian/control to avoid getting stuck in new. This is a more intrusive change but
    leaves us closer to upstream. stackvector can then be removed.

Thoughts?
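An added example, not the stackvector or lexical_core source, of the general safe pattern behind the fix discussed above: a fixed-capacity buffer whose extend loop is gated by the real remaining capacity rather than by either bound from `Iterator::size_hint`, which Rust documents as advisory and not to be relied on for memory safety. The `StackBuf` and `LyingHint` types are constructed for this illustration.

```rust
// Constructed for this example; not the stackvector API.
pub struct StackBuf<T: Copy + Default, const N: usize> {
    data: [T; N],
    len: usize,
}

#[derive(Debug, PartialEq)]
pub struct CapacityError;

impl<T: Copy + Default, const N: usize> StackBuf<T, N> {
    pub fn new() -> Self { Self { data: [T::default(); N], len: 0 } }
    pub fn len(&self) -> usize { self.len }
    pub fn as_slice(&self) -> &[T] { &self.data[..self.len] }

    /// Safe extend: every push is checked against the remaining capacity,
    /// so an iterator whose size_hint is wrong (too low or too high) can
    /// never drive a write past the end of `data`. Items that do not fit
    /// are dropped and the caller is told via Err.
    pub fn try_extend<I: IntoIterator<Item = T>>(&mut self, iter: I) -> Result<(), CapacityError> {
        for item in iter {
            if self.len == N {
                return Err(CapacityError);
            }
            self.data[self.len] = item;
            self.len += 1;
        }
        Ok(())
    }
}

/// Constructed iterator whose size_hint under-reports its true length:
/// it claims exactly one item but yields `remaining` of them.
pub struct LyingHint { pub remaining: usize }

impl Iterator for LyingHint {
    type Item = u8;
    fn next(&mut self) -> Option<u8> {
        if self.remaining == 0 { None } else { self.remaining -= 1; Some(0x41) }
    }
    fn size_hint(&self) -> (usize, Option<usize>) { (1, Some(1)) }
}

/// Fill a 4-slot buffer from a 10-item iterator that lies about its size.
/// Returns (items stored, whether the overflow was reported).
pub fn demo() -> (usize, bool) {
    let mut buf: StackBuf<u8, 4> = StackBuf::new();
    let res = buf.try_extend(LyingHint { remaining: 10 });
    (buf.len(), res.is_err())
}
```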
