Bug 1950396 (CVE-2020-36323)
Summary: | CVE-2020-36323 rust: optimization for joining strings can cause uninitialized bytes to be exposed | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | amulhern, bodavis, igor.raits, jcajka, jistone, jpadman, mnewsome, rust-sig, TicoTimo, tstellar |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2021-08-10 13:28:39 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1950485, 1950486, 1954944, 1954945, 1959104, 1960008 | ||
Bug Blocks: | 1949215 |
Description
Guilherme de Almeida Suckevicz
2021-04-16 14:15:23 UTC
(In reply to Guilherme de Almeida Suckevicz from comment #0) > In the standard library in Rust before 1.50.3, They made a typo in the CVE -- there's no such release 1.50.3, but the referenced pull request will be released in 1.53.0. It could also get backported to beta in time for 1.52.0. In reply to comment #1: > (In reply to Guilherme de Almeida Suckevicz from comment #0) > > In the standard library in Rust before 1.50.3, > > They made a typo in the CVE -- there's no such release 1.50.3, but the > referenced pull request will be released in 1.53.0. It could also get > backported to beta in time for 1.52.0. Thanks for the heads up! I have updated the comment#0 with the right affected version and also created tracker bugs for Fedora and EPEL. Created rust tracking bugs for this issue: Affects: epel-7 [bug 1950486] Affects: fedora-all [bug 1950485] This was backported to the upstream beta branch, so it will now be fixed in 1.52.0. https://github.com/rust-lang/rust/pull/84603 This issue has been addressed in the following products: Red Hat Developer Tools Via RHSA-2021:3042 https://access.redhat.com/errata/RHSA-2021:3042 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-36323 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:3063 https://access.redhat.com/errata/RHSA-2021:3063 |