Bug 1950396 (CVE-2020-36323) - CVE-2020-36323 rust: optimization for joining strings can cause uninitialized bytes to be exposed
Summary: CVE-2020-36323 rust: optimization for joining strings can cause uninitialized...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-36323
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1954944 1950485 1950486 1954945 1959104 1960008
Blocks: 1949215
Reported: 2021-04-16 14:15 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-08-17 19:17 UTC (History)
10 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-08-10 13:28:39 UTC

Links
Red Hat Product Errata RHSA-2021:3042 (last updated 2021-08-10 07:26:14 UTC)
Red Hat Product Errata RHSA-2021:3063 (last updated 2021-08-10 13:51:18 UTC)

Description Guilherme de Almeida Suckevicz 2021-04-16 14:15:23 UTC
In the standard library in Rust before 1.53.0, there is an optimization for joining strings that can cause uninitialized bytes to be exposed (or the program to crash) if the borrowed string changes after its length is checked.

Reference:
https://github.com/rust-lang/rust/issues/80335

Upstream patch:
https://github.com/rust-lang/rust/pull/81728
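As an added illustration of the failure mode described above (this is not code from the report, the CVE or the Rust project), the two functions below contrast the buggy shape with a hardened one. `Inconsistent` is a constructed `Borrow<str>` type whose first borrow, the one a join uses to size its buffer, disagrees with every later borrow, the ones it copies from. `join_trusting_estimate` keeps the estimated length whatever was actually copied, so the tail of its result is memory the copy never touched (zero-filled here so the example stays sound; the standard library reserved uninitialized memory, which is where the exposed bytes came from). `join_checked` bounds-checks every write against the reservation and sets the final length from the bytes actually written; it sketches the general principle and is not the upstream patch. All type, function and error names here are this example's own.

```rust
use std::borrow::Borrow;
use std::cell::Cell;

/// Constructed for this example: a `Borrow<str>` whose first borrow (the one a
/// join uses to size its buffer) differs from every later borrow (the ones it
/// copies from). `Borrow` is a safe trait, so a join may not assume that two
/// borrows of the same value agree.
struct Inconsistent {
    first: &'static str,
    later: &'static str,
    calls: Cell<u32>,
}

impl Inconsistent {
    fn new(first: &'static str, later: &'static str) -> Self {
        Inconsistent { first, later, calls: Cell::new(0) }
    }
}

impl Borrow<str> for Inconsistent {
    fn borrow(&self) -> &str {
        let n = self.calls.get();
        self.calls.set(n + 1);
        if n == 0 { self.first } else { self.later }
    }
}

/// First pass shared by both joins: sum the borrowed lengths plus separators.
fn estimate_len<S: Borrow<str>>(parts: &[S], sep: &str) -> usize {
    let pieces: usize = parts
        .iter()
        .map(|p| {
            let s: &str = p.borrow();
            s.len()
        })
        .sum();
    pieces + sep.len() * parts.len().saturating_sub(1)
}

/// The pre-fix shape: the buffer is sized from the estimate and the result keeps
/// that length whatever the second pass actually copied. Zero-filled here so the
/// example stays sound; the standard library reserved uninitialized memory, so
/// the trailing bytes were whatever the allocator handed out. A piece that grows
/// indexes past `buf` and panics here; the original wrote past the end unchecked.
fn join_trusting_estimate<S: Borrow<str>>(parts: &[S], sep: &str) -> Vec<u8> {
    let mut buf = vec![0u8; estimate_len(parts, sep)];
    let mut pos = 0;
    for (i, p) in parts.iter().enumerate() {
        if i > 0 {
            buf[pos..pos + sep.len()].copy_from_slice(sep.as_bytes());
            pos += sep.len();
        }
        let s: &str = p.borrow();
        buf[pos..pos + s.len()].copy_from_slice(s.as_bytes());
        pos += s.len();
    }
    buf // still the estimated length even if fewer bytes were written
}

#[derive(Debug, PartialEq)]
enum JoinError {
    /// A borrow returned more bytes than the first pass reserved for it.
    ReservationExceeded { piece: usize },
}

/// Copy `src` into `buf` at `*pos` if it fits entirely; advance `*pos` on success.
fn write_at(buf: &mut [u8], pos: &mut usize, src: &[u8]) -> Option<()> {
    let end = (*pos).checked_add(src.len())?;
    buf.get_mut(*pos..end)?.copy_from_slice(src);
    *pos = end;
    Some(())
}

/// The fixed shape: every write is bounds-checked against the reservation and
/// the final length comes from the bytes actually copied, not from the estimate.
/// Shrinking pieces yield a shorter, fully written result; growing pieces are
/// reported instead of written out of bounds.
fn join_checked<S: Borrow<str>>(parts: &[S], sep: &str) -> Result<String, JoinError> {
    let mut buf = vec![0u8; estimate_len(parts, sep)];
    let mut pos = 0usize;
    for (i, p) in parts.iter().enumerate() {
        if i > 0 {
            write_at(&mut buf, &mut pos, sep.as_bytes())
                .ok_or(JoinError::ReservationExceeded { piece: i })?;
        }
        let s: &str = p.borrow();
        write_at(&mut buf, &mut pos, s.as_bytes())
            .ok_or(JoinError::ReservationExceeded { piece: i })?;
    }
    buf.truncate(pos); // expose only what was written
    // Only whole `&str` values and the separator were copied, so the prefix is valid UTF-8.
    Ok(String::from_utf8(buf).expect("joined &str pieces are valid UTF-8"))
}

fn main() {
    let shrinking = || [Inconsistent::new("eightchr", "abc"), Inconsistent::new("eightchr", "abc")];
    let leaked = join_trusting_estimate(&shrinking(), ", ");
    let unwritten = leaked.iter().rev().take_while(|&&b| b == 0).count();
    println!("trusting join: {} bytes returned, {} never written", leaked.len(), unwritten);
    println!("checked join:  {:?}", join_checked(&shrinking(), ", "));
    println!("growing piece: {:?}", join_checked(&[Inconsistent::new("ab", "abcdef")], ", "));
}
```

With two shrinking pieces and the separator `", "`, the trusting join hands back 18 bytes of which only the first 8 were ever written, while the checked join returns exactly `"abc, abc"`; a piece that grows between borrows is rejected with `ReservationExceeded` rather than written past the reservation.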

Comment 1 Josh Stone 2021-04-16 17:33:08 UTC
(In reply to Guilherme de Almeida Suckevicz from comment #0)
> In the standard library in Rust before 1.50.3,

They made a typo in the CVE -- there's no such release 1.50.3, but the referenced pull request will be released in 1.53.0. It could also get backported to beta in time for 1.52.0.

Comment 2 Guilherme de Almeida Suckevicz 2021-04-16 17:42:32 UTC
In reply to comment #1:
> (In reply to Guilherme de Almeida Suckevicz from comment #0)
> > In the standard library in Rust before 1.50.3,
> 
> They made a typo in the CVE -- there's no such release 1.50.3, but the
> referenced pull request will be released in 1.53.0. It could also get
> backported to beta in time for 1.52.0.

Thanks for the heads-up! I have updated comment #0 with the right affected version and also created tracker bugs for Fedora and EPEL.

Comment 3 Guilherme de Almeida Suckevicz 2021-04-16 17:42:55 UTC
Created rust tracking bugs for this issue:

Affects: epel-7 [bug 1950486]
Affects: fedora-all [bug 1950485]

Comment 7 Josh Stone 2021-04-29 16:18:43 UTC
This was backported to the upstream beta branch, so it will now be fixed in 1.52.0.
https://github.com/rust-lang/rust/pull/84603

Comment 9 errata-xmlrpc 2021-08-10 07:26:12 UTC
This issue has been addressed in the following products:

  Red Hat Developer Tools

Via RHSA-2021:3042 https://access.redhat.com/errata/RHSA-2021:3042

Comment 10 Product Security DevOps Team 2021-08-10 13:28:39 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-36323

Comment 11 errata-xmlrpc 2021-08-10 13:51:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:3063 https://access.redhat.com/errata/RHSA-2021:3063
