Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Create RUSTSEC advisory for illumos stack buffer overflow for 1.4.x #97

Closed
AldaronLau opened this issue Mar 3, 2024 · 8 comments
Closed

Create RUSTSEC advisory for illumos stack buffer overflow for 1.4.x #97

AldaronLau opened this issue Mar 3, 2024 · 8 comments

Comments

@AldaronLau
Copy link
Member

Context here: #91
@AldaronLau AldaronLau changed the title Create RUSTSEC advisory for illumos stack buffer overflow Create RUSTSEC advisory for illumos stack buffer overflow for 1.4.x Mar 4, 2024
@sunshowers
Copy link

Thanks for filing this issue! Would you like to take the lead on it? Otherwise I'm happy to write up an initial draft.

@AldaronLau
Copy link
Member Author

I'm not quite sure where to begin the process, or what best practices there are around filing one, so I'd appreciate help on it.

@sunshowers
Copy link

All right, let me start it off then.

@sunshowers sunshowers mentioned this issue Mar 5, 2024
Merged
@sunshowers
Copy link

All right -- filed rustsec/advisory-db#1911. Feel free to comment on the PR if anything's inaccurate or missing, thanks!

@sunshowers
Copy link

sunshowers commented Mar 5, 2024
edited
Loading

Based on https://github.com/RustSec/advisory-db/blob/main/CONTRIBUTING.md#optional-steps:

  • We should definitely yank all old versions of the crate. (They will still be fetched if folks have a pinned Cargo.lock.)
  • It would also be good to file a GHSA advisory, and maybe get a CVE assigned. Only repository maintainers can do this -- and feel free to copy-paste info from the advisory DB PR. The CWE for this is, I believe, CWE-121.

@sunshowers
Copy link

sunshowers commented Mar 5, 2024
edited
Loading

All right, https://rustsec.org/advisories/RUSTSEC-2024-0020.html is live.

Never mind re GHSA, I think that will automatically import the advisory: https://docs.github.com/en/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database. So I think the only thing left to do is to yank old versions.

@AldaronLau
Copy link
Member Author

All right -- filed rustsec/advisory-db#1911. Feel free to comment on the PR if anything's inaccurate or missing, thanks!

Commented about affected versions and platforms. Thanks for putting this up!

Based on https://github.com/RustSec/advisory-db/blob/main/CONTRIBUTING.md#optional-steps:

  • We should definitely yank all old versions of the crate. (They will still be fetched if folks have a pinned Cargo.lock.)

From https://doc.rust-lang.org/cargo/commands/cargo-yank.html#when-to-yank:

Crates should only be yanked in exceptional circumstances, for example, an accidental publish, an unintentional SemVer breakages, or a significantly broken and unusable crate. In the case of security vulnerabilities, RustSec is typically a less disruptive mechanism to inform users and encourage them to upgrade, and avoids the possibility of significant downstream disruption irrespective of susceptibility to the vulnerability in question.

At least to me, it sounds like the general guidance is to not yank the versions in this scenario.

@sunshowers sunshowers mentioned this issue Mar 5, 2024
Open
@sunshowers
Copy link

Strange re yanking: filed rustsec/advisory-db#1914 about that. Thanks for catching this!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@sunshowers @AldaronLau