[Pkg-rust-maintainers] Bug#984665: Bug#984665: CVE-2021-25900

Peter Green plugwash at debian.org
Tue Mar 9 16:23:16 GMT 2021


On 07/03/2021 02:30, plugwash-urgent wrote:
> my tentative conclusion is that the insert_many
> operation in rust-arrayvec does not seem to actually be used.

While I can't find any applications that use the broken function
in rust-smallvec (saying arrayvec above was a brainfart), I
still think we should apply the fix. The fix doesn't
contain any code changes outside of the function in question, so
the risk seems minimal.

I notice that kpcyrd has packaged the new version of smallvec on
a branch. I'm not sure what his intentions are regarding that branch
but given where we are in the release cycle and given that
rust-smallvec is a key package it does not seem appropriate
to me to upload it to unstable at this time.

I have applied the upstream patch to the version of the package
in Debian and it applies cleanly and tests (including the newly
added one) pass. I have pushed the changes to the debcargo-conf
repository.

If no one objects I will likely upload in a few days
and request an unblock from the release team. I intend to make
the upload with debcargo 2.4.3 to keep the diff minimal for the
release team.
