Léo Le Bouter <lle-bout@HIDDEN> to control <at> debbugs.gnu.org.
Received: (at submit) by debbugs.gnu.org; 1 Apr 2021 14:09:03 +0000

From: Léo Le Bouter <lle-bout@HIDDEN>
To: bug-guix@HIDDEN
Date: Thu, 01 Apr 2021 16:08:47 +0200
Subject: rust-slice-deque is vulnerable to CVE-2021-29938

CVE-2021-29938 07:15
An issue was discovered in the slice-deque crate through 2021-02-19 for Rust. A double drop can occur in SliceDeque::drain_filter upon a panic in a predicate function.

Upstream PR: https://github.com/gnzlbg/slice_deque/pull/91

I suggest we wait for merge then update our package.
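The failure mode named in the report, a predicate that panics while elements are being moved out of the container, is avoided by a drop guard that restores the container's length during unwinding. The sketch below is an added illustration on a plain Vec, not slice-deque's code or the upstream fix; drain_filter_guarded, Guard and Counted are hypothetical names and the input is constructed.

```rust
use std::{cell::Cell, panic, ptr, rc::Rc};

// On drop (normal exit or unwinding): slide the unvisited tail over the holes, restore the length.
struct Guard<'a, T> { v: &'a mut Vec<T>, read: usize, write: usize, len: usize }
impl<T> Drop for Guard<'_, T> {
    fn drop(&mut self) {
        unsafe {
            let p = self.v.as_mut_ptr();
            ptr::copy(p.add(self.read), p.add(self.write), self.len - self.read);
            self.v.set_len(self.write + self.len - self.read);
        }
    }
}

/// Hypothetical helper: moves out every element for which `pred` returns true.
pub fn drain_filter_guarded<T>(v: &mut Vec<T>, mut pred: impl FnMut(&mut T) -> bool) -> Vec<T> {
    let len = v.len();
    unsafe { v.set_len(0) }; // the Vec owns nothing while elements are in flux
    let (mut out, mut g) = (Vec::new(), Guard { v, read: 0, write: 0, len });
    while g.read < g.len {
        unsafe {
            let cur = g.v.as_mut_ptr().add(g.read);
            if pred(&mut *cur) { // may panic: `cur` is still in the tail the guard keeps
                let item = ptr::read(cur); // ownership moves to `item` ...
                g.read += 1; // ... and the slot becomes a hole before anything else can fail
                out.push(item);
            } else {
                ptr::copy(cur, g.v.as_mut_ptr().add(g.write), 1);
                g.read += 1;
                g.write += 1;
            }
        }
    }
    drop(g);
    out
}

struct Counted(u32, Rc<Cell<usize>>); // constructed test type: counts its own drops
impl Drop for Counted { fn drop(&mut self) { self.1.set(self.1.get() + 1); } }
/// Returns (drops observed, elements left in the Vec) when the predicate panics midway.
pub fn drops_after_panicking_predicate() -> (usize, usize) {
    let n = Rc::new(Cell::new(0));
    let mut v: Vec<Counted> = (0..5).map(|i| Counted(i, n.clone())).collect();
    let pred = |c: &mut Counted| { if c.0 == 3 { panic!("predicate failed"); } c.0 % 2 == 0 };
    let _ = panic::catch_unwind(panic::AssertUnwindSafe(|| drain_filter_guarded(&mut v, pred)));
    let kept = v.len();
    drop(v);
    (n.get(), kept)
}
fn main() { println!("{:?}", drops_after_panicking_predicate()); }
```

A drop count equal to the number of elements created means each value was dropped exactly once; a double drop would push the count above it.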
Léo Le Bouter <lle-bout@HIDDEN>: bug-guix@HIDDEN.
bug-guix@HIDDEN: bug#47544; Package guix.
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997 nCipher Corporation Ltd,
1994-97 Ian Jackson.