[Pkg-rust-maintainers] Bug#984665: Bug#984665: CVE-2021-25900

plugwash-urgent plugwash-urgent at p10link.net
Sun Mar 7 02:30:29 GMT 2021


I started looking into this bug and trying to gauge its impact, in particular what, if any, applications in Debian actually use the broken code.

First I tried to use codesearch to search for insert_many but I got way too many false-positives. So I tried a different approach. I did however notice some embedded code copies of smallvec during this search, more on that later.

I used "zcat /srv/ftp.debian.org/mirror/dists/sid/main/binary-amd64/Packages.gz | grep-dctrl rust-smallvec -sPackage" to identify what applications use (directly or indirectly) rust-smallvec. I came up with the following list.

bat
cargo-lock
cargo-outdated (build-depends uninstallable, not in testing)
debcargo
git-absorb
grcov
sq-keyring-linter
sqop
sq
sqv
spotify-tui (not in testing)

I installed the build-dependencies for all of these packages except cargo-outdated and did "grep -r insert_many /usr/share/cargo/registry/". The only calls were in the tests and benchmarks of smallvec itself.

I then downloaded and extracted the source packages for the apps themselves into a directory and issued "grep -r insert_many *" in that directory. There were no matches.

I tried to repeat the process for buster. Unfortunately it seems the version of the tooling used to build many of the rust packages in buster did not add Built-Using: or X-Cargo-Built-Using:. It's possible there are also some rust applications in bullseye that have not been touched for a long time and hence suffer from the same issue. Anyway, one application was found in buster that had an X-Cargo-Built-Using for rust-smallvec:

ripgrep
I found the following packages that appeared to have embedded copies of smallvec; it's very possible there were others as I did not do an exhaustive search.

I repeated the build-dependency and source package contents tests described above in buster, using the list of packages from both stable and unstable (where the package existed in stable). Again I found no results.

Going back to the original codesearch I noticed the following packages
in the list, that seemed (based mainly on my memory of what uses rust)
like they might be rust-related and investigated them further. I did not
investigate every package in the list for rust dependencies.

firefox
firefox-esr
rust-lexical-core
librsvg
thunderbird

firefox, firefox-esr, librsvg and thunderbird seem to have embedded copies of rust-smallvec, but don't appear to call insert_many.

rust-lexical-core seems to be completely unrelated to arrayvec (it does not build-depend directly or indirectly on it and it does not appear to have an embedded copy of it).

This search has not been perfect and I may try and assemble tooling to
do a better one, but my tentative conclusion is that the insert_many
operation in rust-arrayvec does not seem to actually be used.
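An added example, not the commands from the message above and not Debian tooling: the two-step audit the message describes, made repeatable. Step 1 replaces the grep-dctrl call with an awk filter restricted to the Built-Using and X-Cargo-Built-Using fields (real Debian control fields), so a stanza that merely has "Source: rust-smallvec" or depends on the library is not listed. Step 2 greps .rs files for method calls (".insert_many(") rather than the bare word, and skips tests/ and benches/, which is where the message found the only hits. The Packages stanzas and the source tree are constructed sample data, not archive contents; the versions in them are made up.

```shell
#!/bin/sh
# Added example: repeatable version of the audit in the message above.
# Not the author's commands and not Debian tooling; sample data is constructed.

# Step 1: which binary packages record $1 as a (cargo) build input?
# Real usage: zcat Packages.gz | built_using rust-smallvec
built_using() {
    awk -v pat="$1" '
        BEGIN { RS = ""; FS = "\n" }          # one control stanza per record
        {
            pkg = ""; hit = 0
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^Package: /) pkg = substr($i, 10)
                if ($i ~ /^(X-Cargo-)?Built-Using: /) {
                    sub(/^[^:]*: /, "", $i)               # strip the field name
                    n = split($i, deps, /, */)
                    for (j = 1; j <= n; j++) {
                        name = deps[j]; sub(/ .*/, "", name)   # drop "(= version)"
                        if (name == pat) hit = 1
                    }
                }
            }
            if (hit && pkg != "") print pkg
        }'
}

# Step 2: call sites of insert_many in .rs files outside tests/ and benches/.
# Matching ".insert_many(" skips the method definition and prose mentions.
insert_many_callers() {
    find "$1" -name '*.rs' ! -path '*/tests/*' ! -path '*/benches/*' \
        -exec grep -n '\.insert_many(' /dev/null {} +
}

count_insert_many_callers() {
    insert_many_callers "$1" | awk 'END { print NR }'
}

# Constructed sample index stanzas (not real archive data).
SAMPLE_PACKAGES='Package: bat
Version: 1.0-1
X-Cargo-Built-Using: rust-smallvec (= 1.0-1), rust-clap (= 1.0-1)

Package: ripgrep
Version: 1.0-1
Built-Using: rust-smallvec (= 1.0-1)

Package: librust-smallvec-dev
Source: rust-smallvec
Version: 1.0-1

Package: hello
Version: 1.0-1
Depends: libc6'

# Constructed source tree mimicking what the message grepped: a vendored
# smallvec whose only insert_many uses are in its tests and benches, plus an
# application that really calls it from src/.
make_sample_tree() {
    d="$1"
    mkdir -p "$d/smallvec/src" "$d/smallvec/tests" "$d/smallvec/benches" "$d/app/src"
    echo 'pub fn insert_many<I>(&mut self, index: usize, it: I) {}' > "$d/smallvec/src/lib.rs"
    echo 'v.insert_many(0, vec![1, 2]);' > "$d/smallvec/tests/test.rs"
    echo 'v.insert_many(0, 0..10);' > "$d/smallvec/benches/bench.rs"
    echo 'let mut v: SmallVec<[u8; 4]> = SmallVec::new();' > "$d/app/src/main.rs"
    echo 'v.insert_many(0, bytes.iter().copied());' >> "$d/app/src/main.rs"
    echo 'see insert_many in the changelog' > "$d/app/README.md"   # not .rs, ignored
}

tree=$(mktemp -d)
make_sample_tree "$tree"
echo "packages built using rust-smallvec:"
printf '%s\n' "$SAMPLE_PACKAGES" | built_using rust-smallvec
echo "insert_many call sites outside tests/ and benches/:"
insert_many_callers "$tree"
rm -rf "$tree"
```

On the sample data step 1 prints bat and ripgrep but not librust-smallvec-dev or hello, and step 2 prints only the app/src/main.rs line. Against a real mirror, run step 1 on the decompressed Packages index and step 2 on /usr/share/cargo/registry/ and on the unpacked application sources, as the message did; the tests/benches exclusion is what turns its manual "only in smallvec's own tests and benchmarks" observation into a filter.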