[Pkg-rust-maintainers] Bug#985087: Bug#985087: CVE-2021-27378
wolfgang at silbermayr.at
Sat Mar 13 06:08:26 GMT 2021
On 3/12/21 7:54 PM, Moritz Muehlenhoff wrote:
> Source: rust-rand-core
> Severity: grave
> Tags: security
> X-Debbugs-Cc: Debian Security Team <team at security.debian.org>
> Please see:
Thank you for your report.
The commit fixed the issue upstream in the `read_u32_into(…)` and
`read_u64_into(…)` functions in `src/le.rs`. This change was made between
the rand_core 0.6.1 and 0.6.2 releases.
We have version 0.5.1 of the library in Debian, and the affected code had
been refactored before the first 0.6 release.
It is not obvious to me whether the issue is present in that version of the
code, because it is effectively a reimplementation that removes the code
marked unsafe, which according to a comment was initially copied over from
the byteorder crate. Inside the byteorder crate, the very same code still
exists unchanged in the latest release, 1.4.3 from 2021-03-10.
At first sight it appears to me that version 0.5.1 does not have the issue,
but I'd prefer to have that checked by more eyes.
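For reference when comparing the two versions, here is a safe-Rust form of the two helpers discussed above. This is an added example, not the code of rand_core, byteorder or Debian; the contract it assumes (panic when `src` is shorter than `4 * dst.len()` or `8 * dst.len()`, ignore surplus bytes) is an assumption of the example, not a statement about what any rand_core release does. The point is that every write goes through a bounds-checked slice element, so no `unsafe` block and no hand-maintained byte count exist to get wrong.

```rust
// Added example: safe-Rust counterparts of rand_core's `read_u32_into` /
// `read_u64_into` (names reused from the thread; bodies are this example's).
// Assumed contract (example's assumption): `src.len() >= 4 * dst.len()`
// for u32, `8 * dst.len()` for u64; a shorter `src` panics, a longer one
// is truncated. No `unsafe`, so an oversized or undersized `src` cannot
// turn into an out-of-bounds write.

/// Reads little-endian `u32` values from `src` into `dst`.
/// Panics if `src` is too short to fill `dst`; extra bytes are ignored.
pub fn read_u32_into(src: &[u8], dst: &mut [u32]) {
    let needed = dst.len().checked_mul(4).expect("dst length overflows usize");
    assert!(
        src.len() >= needed,
        "src too short: {} bytes, need {}",
        src.len(),
        needed
    );
    // chunks_exact(4) over exactly `needed` bytes yields dst.len() chunks.
    for (out, chunk) in dst.iter_mut().zip(src[..needed].chunks_exact(4)) {
        *out = u32::from_le_bytes([chunk[0], chunk[1], chunk[2], chunk[3]]);
    }
}

/// Reads little-endian `u64` values from `src` into `dst`.
/// Same contract as `read_u32_into`, with 8 bytes per element.
pub fn read_u64_into(src: &[u8], dst: &mut [u64]) {
    let needed = dst.len().checked_mul(8).expect("dst length overflows usize");
    assert!(
        src.len() >= needed,
        "src too short: {} bytes, need {}",
        src.len(),
        needed
    );
    for (out, chunk) in dst.iter_mut().zip(src[..needed].chunks_exact(8)) {
        let mut bytes = [0u8; 8];
        bytes.copy_from_slice(chunk); // chunk is exactly 8 bytes
        *out = u64::from_le_bytes(bytes);
    }
}

/// Constructed sample input: a 12-byte "seed" read into two u32 words.
/// The trailing four bytes are deliberately surplus to exercise truncation.
pub fn demo_u32() -> [u32; 2] {
    let seed: [u8; 12] = [
        0x01, 0x02, 0x03, 0x04, 0xff, 0xfe, 0xfd, 0xfc, 0xaa, 0xbb, 0xcc, 0xdd,
    ];
    let mut words = [0u32; 2];
    read_u32_into(&seed, &mut words);
    words
}

/// Constructed sample input: exactly 16 bytes read into two u64 words.
pub fn demo_u64() -> [u64; 2] {
    let seed: [u8; 16] = [1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x80];
    let mut words = [0u64; 2];
    read_u64_into(&seed, &mut words);
    words
}

fn main() {
    println!("u32 words: {:#x?}", demo_u32());
    println!("u64 words: {:#x?}", demo_u64());
}
```

Reviewing a version of these helpers then reduces to two questions: is the length check present before any copy, and does the copy length come from `dst`'s size rather than `src.len()`? In the safe form above both are answered by the type system and the `src[..needed]` slice.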