Subject: bug#47544: rust-slice-deque is vulnerable to CVE-2021-29938
From: Léo Le Bouter <lle-bout@HIDDEN>
To: 47544 <at> debbugs.gnu.org
Date: Thu, 01 Apr 2021 16:08:47 +0200

CVE-2021-29938 07:15
An issue was discovered in the slice-deque crate through 2021-02-19 for Rust. A double drop can occur in SliceDeque::drain_filter upon a panic in a predicate function.

Upstream PR: https://github.com/gnzlbg/slice_deque/pull/91

I suggest we wait for merge then update our package.
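
Added example, not part of the report and not code from slice_deque or the upstream PR: a general panic-safety pattern for a drain_filter-style loop, shown on a plain Vec, in which a drop guard keeps every element owned exactly once even when the predicate panics. The names Tracked, Guard, drain_filter_safe and demo are hypothetical, and the input is constructed.

```rust
use std::{cell::Cell, panic::{catch_unwind, AssertUnwindSafe}, ptr};

// Constructed element type: bumps a shared counter every time it is dropped.
struct Tracked<'a>(u32, &'a Cell<usize>);
impl Drop for Tracked<'_> { fn drop(&mut self) { self.1.set(self.1.get() + 1); } }

// Runs on normal exit and on unwind: shifts the unvisited tail down over the
// holes and restores a length that covers only elements the Vec still owns.
struct Guard<'v, T> { v: &'v mut Vec<T>, read: usize, kept: usize, len: usize }
impl<T> Drop for Guard<'_, T> {
    fn drop(&mut self) {
        let (p, tail) = (self.v.as_mut_ptr(), self.len - self.read);
        unsafe {
            ptr::copy(p.add(self.read), p.add(self.kept), tail);
            self.v.set_len(self.kept + tail);
        }
    }
}

// Hypothetical helper (not the slice_deque API): removes elements matching `pred`.
fn drain_filter_safe<T>(v: &mut Vec<T>, mut pred: impl FnMut(&mut T) -> bool) -> Vec<T> {
    let len = v.len();
    unsafe { v.set_len(0) }; // the Vec claims no slot while ownership is in flux
    let (mut g, mut out) = (Guard { v, read: 0, kept: 0, len }, Vec::new());
    while g.read < len {
        unsafe {
            let p = g.v.as_mut_ptr();
            let cur = p.add(g.read);
            let remove = pred(&mut *cur); // if this panics, slot `read` stays in the tail
            g.read += 1; // from here on the slot is no longer the guard's to keep
            if remove { out.push(ptr::read(cur)); } else { ptr::copy(cur, p.add(g.kept), 1); g.kept += 1; }
        }
    }
    out
}

// Constructed scenario: remove even values, panic when the predicate sees 3.
fn demo() -> (bool, Vec<u32>, usize) {
    let drops = Cell::new(0);
    let mut v: Vec<Tracked> = (0..5).map(|i| Tracked(i, &drops)).collect();
    let r = catch_unwind(AssertUnwindSafe(|| drain_filter_safe(&mut v, |t| {
        if t.0 == 3 { panic!("constructed predicate panic"); }
        t.0 % 2 == 0
    })));
    let (panicked, left) = (r.is_err(), v.iter().map(|t| t.0).collect());
    drop(v);
    (panicked, left, drops.get())
}
fn main() { println!("{:?}", demo()); }
```

A drop count equal to the number of elements created is the property to test for in any container method that calls user code while elements are partly moved out.
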

From: help-debbugs@HIDDEN (GNU bug Tracking System)
To: Léo Le Bouter <lle-bout@HIDDEN>
Subject: bug#47544: Acknowledgement (rust-slice-deque is vulnerable to CVE-2021-29938)
Reply-To: 47544 <at> debbugs.gnu.org
Date: Thu, 01 Apr 2021 14:09:03 +0000

Thank you for filing a new bug report with debbugs.gnu.org.

This is an automatically generated reply to let you know your message has been received.

Your message is being forwarded to the package maintainers and other interested parties for their attention; they will reply in due course.

Your message has been sent to the package maintainer(s):
 bug-guix@HIDDEN

If you wish to submit further information on this problem, please send it to 47544 <at> debbugs.gnu.org.

Please do not send mail to help-debbugs@HIDDEN unless you wish to report a problem with the Bug-tracking system.

-- 
47544: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=47544
GNU Bug Tracking System
Contact help-debbugs@HIDDEN with problems

From: Léo Le Bouter <lle-bout@HIDDEN>
To: control <at> debbugs.gnu.org
Subject:
Date: Thu, 01 Apr 2021 16:09:45 +0200

tags 47544 + security
quit

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997 nCipher Corporation Ltd,
1994-97 Ian Jackson.