-
Notifications
You must be signed in to change notification settings - Fork 369
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add advisories for standard library soundness bugs #539
Comments
Should be possible to submit them here: https://github.com/RustSec/advisory-db/tree/master/rust/std |
Adding one more to the list :) |
Found one more old bug. |
Heap buffer overflow in |
Update: We contacted the Rust security team (security@rust-lang.org) about the process of requesting CVEs for memory safety bugs in the Rust standard library. We got responses that suggest to request CVE numbers on our own for publicly discolsed bugs. From Steve Klabnik:
From Josh Stone:
We replied that we would like to proceed and request CVE number on our own and provided a list of bugs of memory safety bugs in the standard library that we think worth it to have CVE numbers for. We requested CVEs through MITRE CVE Request web form (https://cveform.mitre.org/) on March 15th, but haven't heard back anything yet. |
Right now, memory safety bugs in the Rust standard library are underrepresented than a bug in a toy crate on crates.io. The conclusion of the last attempt (#561) to file RustSec advisory for std bugs was to try requesting a CVE number before creating a RustSec advisory. Unfortunately, having a CVE as prerequisite seems to possess significant delay in the process. Question to RustSec maintainers: Should we reconsider the CVE requirement, considering the importance of public awareness of memory safety bugs in the Rust standard library? Some of the ways I can think of is to announce a RustSec advisory with a placeholder that can be replaced with CVE numbers later or to assign a RustSec ID first and put CVE in alias field just like other advisories. |
id-map was reported to RustSec on April 2nd and got CVE on April 7th, in 5 days. 3.5 weeks seems unusual... |
@Qwaz sounds like a good use case for CNA. Unfortunately core asked us to pause our discussions regarding getting one from MITRE until we can figure out what a project-wide CNA might look like. That does seem unusual for it to take so long. |
Does "getting one" mean becoming a CNA or getting a CVE ID? We can definitely use the CNA process once RustSec becomes a CNA. But considering that there are quite a few std bugs blocked by the CVE assignment right now, I was wondering if it makes sense to consider an alternative approach such as assigning RustSec ID first to std bugs while waiting for the CVE response. |
Received 8 CVE numbers on April 11th. I'll create PRs for them. |
A CNA |
Four more CVEs have been assigned. With these, all Rust standard library memory safety bugs that I know are covered. I'll close the issue once these bugs are added to RustSec database. |
Created a repository to track CVEs and soundness bugs for the Rust standard library. |
We recently re-discovered rust-lang/rust#60977 and rust-lang/rust#78498 in abi_stable crate. While investigating, we found a few more interesting bugs in the Rust issue tracker. I believe these bugs need advisories; I'll leave the list here so that someone else can look into them and file an advisory.
These are memory safety/soundness bugs in stable APIs.
These are bugs in unstable APIs, so probably no advisory is needed. (But they are still quite interesting bugs!)
The text was updated successfully, but these errors were encountered: