[Pkg-rust-maintainers] Bug#984665: Bug#984665: CVE-2021-25900
plugwash-urgent at p10link.net
Sun Mar 7 02:30:29 GMT 2021
I started looking into this bug and trying to gauge it's impact.
In particular what if-any applications in Debian actually use the broken
First I tried to use codesearch to search for insert_many but I got way
false-positives. So I tried a different approach. I did however notice
code copies of smallvec during this search, more on that later.
I used zcat
grep-dctrl rust-smallvec -sPackage to identify what applications use
(directly or indirectly) rust-smallvec, I came up with the following
cargo-outdated (build-depends uninstallable, not in testing)
spotify-tui (not in testing)
I installed the build-dependencies for all of these packages except
and did "grep -r insert_many /usr/share/cargo/registry/" the only calls
were in the
tests and benchmarks of smallvec itself.
I then downloaded and extracted the source packages for the apps
into a directory and issued "grep -r insert_many *" in that directory,
were no matches
I tried to repeat the process for buster, unfortunately it seems the
of the tooling used to build many of the rust packages in buster did not
add built-using: or x-cargo-built-using:, It's possible there are also
rust applications in bullseye that have not been touched for a long time
hence suffer from the same isue. Anyway one application was found in
had an X-Cargo-Built-Using for rust-smallvec.
I found the following packages that appeard to have embedded copies of
smallvec, it's very possible there were others as I did not do an
I repeated the build-dependency and source package contents tests
above in buster, using the list of packages from both stable and
(where the package existed in stable), again I found now results.
Going back to the original codesearch I noticed the following packages
in the list, that seemed (based mainly on my memory of what uses rust)
like they might be rust-related and investigated them further. I did not
investigate every package in the list for rust dependencies.
firefox, firefox-esr, librsvg and thunderbird seem to have embedded
copies of rust-smallvec, but don't appear to call insert_many
rust-lexical-core seems to be completely unrelated to arrayvec
(it does not build-depend directly or indirectly on it and it
does not appear to have an embedded copy of it)
This search has not been perfect and I may try and assemble tooling to
do a better one, but my tentative conclusion is that the insert_many
operation in rust-arrayvec does not seem to actually be used.
More information about the Pkg-rust-maintainers