
Add advisory for SmallVec issue #148 #119

Merged: merged 3 commits into from, Jul 2, 2019

Conversation

Shnatsel
Member

@tarcieri tarcieri merged commit 09936b6 into rustsec:master Jul 2, 2019
@lucab

lucab commented Jul 3, 2019

Was a CVE already requested/assigned for this? If not, is anybody planning to request one? I'd be interested in that and can offer some help if needed.

@Shnatsel Shnatsel deleted the patch-1 branch July 3, 2019 11:16
@Shnatsel
Member Author

Shnatsel commented Jul 3, 2019

Help with a CVE would be great! Last time I tried to get a CVE through iwantacve.org I waited for months and never heard back. It's been rust-lang/rust#53566 and I still want one, by the way.

Do you think it's also a good idea to include servo/rust-smallvec#149 in the same CVE? It has a very similar exploitation pattern. I've failed to determine the exact point where the bug was introduced, though.

@lucab

lucab commented Jul 3, 2019

@Shnatsel I'd suggest having an advisory for servo/rust-smallvec#149 too (the fixed version is enough, as a start) and waiting for @tarcieri to assign stable IDs for both.
I can then try to forward this to my company secteam for CVE bureaucracy, if nobody gets to that in a quicker way.

tarcieri added a commit that referenced this pull request Jul 3, 2019
@attritionorg

This was just assigned CVE-2019-1010299.

@Shnatsel
Member Author

@lucab the other smallvec issue is in as RUSTSEC-2019-0012, so please proceed with the CVE magic.

@lucab

lucab commented Jul 20, 2019

I think @attritionorg has a quicker channel than me, so I'll wait for their feedback first in order to avoid getting duplicated IDs.

@attritionorg

@lucab I do not. MITRE has an unofficial policy to ignore any mail from me, on any topic, including CVE questions/disputes/assignments.

@Shnatsel
Member Author

Shnatsel commented Jul 20, 2019

The assignment of CVE-2019-1010299 was my application via iwantacve.org from February coming through at last.


4 participants