[Pkg-rust-maintainers] Bug#1029157: rust-tokio: CVE-2023-22466

Moritz Mühlenhoff jmm at inutil.org
Wed Jan 18 16:34:33 GMT 2023


Source: rust-tokio
X-Debbugs-CC: team at security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for rust-tokio.

I haven't checked whether this is a Windows-specific issue or whether rust-tokio
as packaged in Debian would also be affected if e.g. operating on a
Samba share:

CVE-2023-22466[0]:
| Tokio is a runtime for writing applications with Rust. Starting with
| version 1.7.0 and prior to versions 1.18.4, 1.20.3, and 1.23.1, when
| configuring a Windows named pipe server, setting `pipe_mode` will
| reset `reject_remote_clients` to `false`. If the application has
| previously configured `reject_remote_clients` to `true`, this
| effectively undoes the configuration. Remote clients may only access
| the named pipe if the named pipe's associated path is accessible via a
| publicly shared folder (SMB). Versions 1.23.1, 1.20.3, and 1.18.4 have
| been patched. The fix will also be present in all releases starting
| from version 1.24.0. Named pipes were introduced to Tokio in version
| 1.7.0, so releases older than 1.7.0 are not affected. As a workaround,
| ensure that `pipe_mode` is set first after initializing a
| `ServerOptions`.

https://rustsec.org/advisories/RUSTSEC-2023-0001.html
https://github.com/tokio-rs/tokio/security/advisories/GHSA-7rrj-xr53-82p7

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-22466
    https://www.cve.org/CVERecord?id=CVE-2023-22466

Please adjust the affected versions in the BTS as needed.
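The setter-ordering problem the advisory describes, as an added example that is not Tokio's source: a simplified model in which both `ServerOptions` setters write into the single dwPipeMode word passed to CreateNamedPipeW. The flag values are the documented Win32 constants; the starting word of 0, the free-function shape of the setters and the `build`/`rejects_remote` helpers are assumptions made for the model.

```rust
// Simplified model of CVE-2023-22466 (added example, not Tokio's code).
// Win32 dwPipeMode flag values; the word starts at 0 here (model assumption).
const PIPE_TYPE_BYTE: u32 = 0x0;
const PIPE_TYPE_MESSAGE: u32 = 0x4;
const PIPE_REJECT_REMOTE_CLIENTS: u32 = 0x8;

#[derive(Clone, Copy, PartialEq)]
pub enum PipeMode { Byte, Message }

fn set_flag(word: &mut u32, on: bool, flag: u32) {
    if on { *word |= flag } else { *word &= !flag }
}

/// reject_remote_clients (same in the old and fixed builder): toggles one bit.
pub fn reject_remote_clients(word: &mut u32, reject: bool) {
    set_flag(word, reject, PIPE_REJECT_REMOTE_CLIENTS);
}

/// Pre-fix pipe_mode (model): assigns the whole word, so a reject bit
/// set earlier is silently cleared.
pub fn pipe_mode_vulnerable(word: &mut u32, mode: PipeMode) {
    *word = match mode {
        PipeMode::Byte => PIPE_TYPE_BYTE,
        PipeMode::Message => PIPE_TYPE_MESSAGE,
    };
}

/// Fixed pipe_mode (model): touches only PIPE_TYPE_MESSAGE, so the order
/// of the two setter calls no longer matters.
pub fn pipe_mode_fixed(word: &mut u32, mode: PipeMode) {
    set_flag(word, mode == PipeMode::Message, PIPE_TYPE_MESSAGE);
}

/// Builds dwPipeMode with the given pipe_mode implementation, calling
/// reject_remote_clients(true) either before (the broken order) or after
/// (the advisory's workaround order) pipe_mode(Message).
pub fn build(pipe_mode: fn(&mut u32, PipeMode), reject_first: bool) -> u32 {
    let mut word = 0u32;
    if reject_first {
        reject_remote_clients(&mut word, true);
        pipe_mode(&mut word, PipeMode::Message);
    } else {
        pipe_mode(&mut word, PipeMode::Message);
        reject_remote_clients(&mut word, true);
    }
    word
}

/// Defender-side check on the final word: is remote access still rejected?
pub fn rejects_remote(word: u32) -> bool {
    word & PIPE_REJECT_REMOTE_CLIENTS != 0
}
```

With the vulnerable setter, `build(pipe_mode_vulnerable, true)` yields 0x4 (reject bit gone), while the workaround order and both fixed orders yield 0xC.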
