[Pkg-rust-maintainers] Bug#985087: Bug#985087: CVE-2021-27378

Wolfgang Silbermayr wolfgang at silbermayr.at
Sat Mar 13 06:08:26 GMT 2021


On 3/12/21 7:54 PM, Moritz Muehlenhoff wrote:
> Source: rust-rand-core
> Severity: grave
> Tags: security
> X-Debbugs-Cc: Debian Security Team <team at security.debian.org>
> 
> Please see:
> https://rustsec.org/advisories/RUSTSEC-2021-0023.html

Thank you for your report.

The commit [0] fixed the issue upstream in the `read_u32_into(…)` and the
`read_u64_into(…)` functions inside `src/le.rs`. This change was made between
the rand_core 0.6.1 and 0.6.2 releases.

We have version 0.5.1 of the library in Debian, and the affected code [1] had
been refactored before the first 0.6 release.

It is not obvious to me whether the issue is present in that version of the
code due to it effectively being a reimplementation that removes the code
marked unsafe that was initially copied over from the byteorder crate
according to a comment. Inside the byteorder crate, the very same code still
exists unchanged in the latest release 1.4.3 from 2021-03-10.

At first sight it appears to me that version 0.5.1 does not have the issue,
but I'd prefer to have that checked by more eyes.

Wolfgang.

--

[0]
https://github.com/rust-random/rand/pull/1096/commits/390a7b1049fa5ba1d627feaef2a1629e0e7826b4
[1] https://sources.debian.org/src/rust-rand-core/0.5.1-1/src/le.rs/
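As an added illustration of the failure mode behind RUSTSEC-2021-0023 (example code written for this page, not copied from rand_core or from the commit above): the "buggy" variant below assumes the length assertion compared the wrong quantities, so a source slice shorter than `4 * dst.len()` is accepted and the tail of the destination buffer is silently left unwritten; the "fixed" variant requires enough source bytes for every destination word and panics otherwise. For an RNG seeded through such a function, unwritten words keep whatever value they held before (typically zero), which weakens the seed. The function names with `_buggy`/`_fixed` suffixes, the helper functions and the 8-byte seed are all constructed for this example.

```rust
// Added example for RUSTSEC-2021-0023, not rand_core's own code. The reversed
// assertion in the buggy variant is an assumption modelled on the advisory's
// description; the exact upstream expression is not reproduced here.
use std::convert::TryInto;
use std::panic::{catch_unwind, AssertUnwindSafe};

/// Buggy variant (assumption): the check is the wrong way round, so a short
/// `src` passes and `zip` simply stops early, leaving the rest of `dst` untouched.
pub fn read_u32_into_buggy(src: &[u8], dst: &mut [u32]) {
    assert!(4 * src.len() >= dst.len());
    for (out, chunk) in dst.iter_mut().zip(src.chunks_exact(4)) {
        *out = u32::from_le_bytes(chunk.try_into().unwrap());
    }
}

/// Fixed variant: demand enough source bytes to fill every destination word.
pub fn read_u32_into_fixed(src: &[u8], dst: &mut [u32]) {
    assert!(src.len() >= 4 * dst.len());
    for (out, chunk) in dst.iter_mut().zip(src.chunks_exact(4)) {
        *out = u32::from_le_bytes(chunk.try_into().unwrap());
    }
}

/// Seeds a `dst_words`-word buffer pre-filled with a sentinel through the buggy
/// variant and reports how many leading words were actually overwritten.
pub fn count_filled_buggy(src: &[u8], dst_words: usize) -> usize {
    const SENTINEL: u32 = 0xDEAD_BEEF;
    let mut dst = vec![SENTINEL; dst_words];
    read_u32_into_buggy(src, &mut dst);
    dst.iter().take_while(|&&w| w != SENTINEL).count()
}

/// Reports whether the fixed variant rejects (panics on) the given seed length.
pub fn fixed_panics(src: &[u8], dst_words: usize) -> bool {
    let mut dst = vec![0u32; dst_words];
    catch_unwind(AssertUnwindSafe(|| read_u32_into_fixed(src, &mut dst))).is_err()
}

fn main() {
    // Constructed seed: 8 bytes, enough for 2 words but not for the 4 requested.
    let seed: [u8; 8] = [1, 2, 3, 4, 5, 6, 7, 8];
    println!(
        "buggy variant filled {} of 4 words from an 8-byte seed",
        count_filled_buggy(&seed, 4)
    );
    println!(
        "fixed variant rejects the short seed: {}",
        fixed_panics(&seed, 4)
    );
}
```

The `chunks_exact`/`zip` loop is memory-safe either way, which is why the effect of the wrong check is a partially initialised buffer rather than an out-of-bounds read; a variant built on an unchecked `memcpy`, as the unsafe code discussed above is, would turn the same wrong check into a real out-of-bounds access.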
