Bug 1950396 (CVE-2020-36323)

Summary: CVE-2020-36323 rust: optimization for joining strings can cause uninitialized bytes to be exposed
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: amulhern, bodavis, igor.raits, jcajka, jistone, jpadman, mnewsome, rust-sig, TicoTimo, tstellar
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-08-10 13:28:39 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1950485, 1950486, 1954944, 1954945, 1959104, 1960008
Bug Blocks: 1949215

Description Guilherme de Almeida Suckevicz 2021-04-16 14:15:23 UTC
In the standard library in Rust before 1.53.0, there is an optimization for joining strings that can cause uninitialized bytes to be exposed (or the program to crash) if the borrowed string changes after its length is checked.

Reference:
https://github.com/rust-lang/rust/issues/80335

Upstream patch:
https://github.com/rust-lang/rust/pull/81728
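The hazard described above is a two-step pattern: a join routine asks each piece for its length, sizes a buffer from the total, and then copies the pieces, trusting that the second `Borrow<str>` call returns the same bytes as the first. The following is an added illustration, not code from the Rust standard library or from the upstream patch. It implements a join that uses the first pass only as a capacity hint and performs every write through `String::push_str`, so an inconsistent `Borrow` impl can at worst produce a longer string than predicted. `join_audited` and `Flaky` are names chosen for this example, and `Flaky` is a constructed `Borrow<str>` that returns a different string on its second call, the kind of input the advisory warns about.

```rust
use std::borrow::Borrow;
use std::cell::Cell;

/// Join string-like pieces with `sep` without trusting a pre-computed length.
///
/// The first pass only produces a capacity hint. Every write in the second pass
/// goes through `String::push_str`, which checks the remaining capacity and
/// grows the buffer, so a `Borrow<str>` implementation that returns a different
/// string the second time it is called can make the result longer than expected
/// but can never write past the buffer or leave bytes uninitialized.
///
/// Returns the joined string together with a flag saying whether the hint matched
/// the final length; a `false` here is a cheap signal that some piece's `Borrow`
/// impl is not consistent between calls.
pub fn join_audited<S: Borrow<str>>(pieces: &[S], sep: &str) -> (String, bool) {
    // Pass 1: lengths as reported now. Used only to pre-allocate.
    let hint: usize = pieces.iter().map(|p| p.borrow().len()).sum::<usize>()
        + sep.len() * pieces.len().saturating_sub(1);
    let mut out = String::with_capacity(hint);

    // Pass 2: borrow again and copy through bounds-checked, growing pushes.
    for (i, p) in pieces.iter().enumerate() {
        if i > 0 {
            out.push_str(sep);
        }
        out.push_str(p.borrow());
    }

    let consistent = out.len() == hint;
    (out, consistent)
}

/// Constructed example of an inconsistent `Borrow<str>` (not from the page):
/// a short string on the first call, a longer one on every later call.
pub struct Flaky {
    calls: Cell<usize>,
}

impl Flaky {
    pub fn new() -> Self {
        Flaky { calls: Cell::new(0) }
    }
}

impl Borrow<str> for Flaky {
    fn borrow(&self) -> &str {
        let n = self.calls.get();
        self.calls.set(n + 1);
        if n == 0 {
            "ab"
        } else {
            "abcdefghij"
        }
    }
}

fn main() {
    // Well-behaved pieces: hint and result agree.
    let (s, ok) = join_audited(&["alpha", "beta"], ", ");
    println!("{} (consistent: {})", s, ok);

    // Inconsistent pieces: the result is longer than the hint, but still a
    // fully initialized, correctly sized String.
    let (s, ok) = join_audited(&[Flaky::new(), Flaky::new()], "-");
    println!("{} (consistent: {})", s, ok);
}
```

The `consistent` flag is the check a defender would want when wrapping third-party `Borrow<str>` types: it costs one comparison and turns a silent mismatch into something that can be logged or asserted on in tests.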

Comment 1 Josh Stone 2021-04-16 17:33:08 UTC
(In reply to Guilherme de Almeida Suckevicz from comment #0)
> In the standard library in Rust before 1.50.3,

They made a typo in the CVE -- there's no such release 1.50.3, but the referenced pull request will be released in 1.53.0. It could also get backported to beta in time for 1.52.0.

Comment 2 Guilherme de Almeida Suckevicz 2021-04-16 17:42:32 UTC
In reply to comment #1:
> (In reply to Guilherme de Almeida Suckevicz from comment #0)
> > In the standard library in Rust before 1.50.3,
> 
> They made a typo in the CVE -- there's no such release 1.50.3, but the
> referenced pull request will be released in 1.53.0. It could also get
> backported to beta in time for 1.52.0.

Thanks for the heads up! I have updated comment #0 with the right affected version and also created tracker bugs for Fedora and EPEL.

Comment 3 Guilherme de Almeida Suckevicz 2021-04-16 17:42:55 UTC
Created rust tracking bugs for this issue:

Affects: epel-7 [bug 1950486]
Affects: fedora-all [bug 1950485]

Comment 7 Josh Stone 2021-04-29 16:18:43 UTC
This was backported to the upstream beta branch, so it will now be fixed in 1.52.0.
https://github.com/rust-lang/rust/pull/84603

Comment 9 errata-xmlrpc 2021-08-10 07:26:12 UTC
This issue has been addressed in the following products:

  Red Hat Developer Tools

Via RHSA-2021:3042 https://access.redhat.com/errata/RHSA-2021:3042

Comment 10 Product Security DevOps Team 2021-08-10 13:28:39 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-36323

Comment 11 errata-xmlrpc 2021-08-10 13:51:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:3063 https://access.redhat.com/errata/RHSA-2021:3063