GNU bug report logs - #47544
rust-slice-deque is vulnerable to CVE-2021-29938


Package: guix;

Reported by: Léo Le Bouter <lle-bout <at> zaclys.net>

Date: Thu, 1 Apr 2021 14:09:03 UTC

Severity: normal

Tags: security



Report forwarded to bug-guix <at> gnu.org:
bug#47544; Package guix. (Thu, 01 Apr 2021 14:09:03 GMT)

Acknowledgement sent to Léo Le Bouter <lle-bout <at> zaclys.net>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Thu, 01 Apr 2021 14:09:03 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Léo Le Bouter <lle-bout <at> zaclys.net>
To: bug-guix <at> gnu.org
Subject: rust-slice-deque is vulnerable to CVE-2021-29938
Date: Thu, 01 Apr 2021 16:08:47 +0200
CVE-2021-29938	07:15
An issue was discovered in the slice-deque crate through 2021-02-19 for
Rust. A double drop can occur in SliceDeque::drain_filter upon a panic
in a predicate function.

Upstream PR: https://github.com/gnzlbg/slice_deque/pull/91

I suggest we wait for merge then update our package.
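The thread does not show the affected code, so the following is an added example (not slice_deque's own code) of the failure mode the CVE text describes and the guard idiom that prevents it, written over a plain Vec<T> rather than SliceDeque: a drain_filter whose predicate panics midway must leave every element owned by exactly one place, so nothing is dropped twice. The Tracked type and the five ids are constructed for the demonstration.

```rust
// Added example (not slice_deque's code): a panic-safe drain_filter over a plain Vec<T>,
// using the guard idiom that stops a panicking predicate from causing a double drop.
use std::{cell::Cell, panic::{catch_unwind, AssertUnwindSafe}, ptr, rc::Rc};

pub fn drain_filter<T, F: FnMut(&T) -> bool>(v: &mut Vec<T>, mut pred: F) -> Vec<T> {
    struct Guard<'a, T> { v: &'a mut Vec<T>, kept: usize, visited: usize, orig_len: usize }
    impl<T> Drop for Guard<'_, T> {
        // Runs on normal exit and while unwinding: slide the unvisited tail down to the
        // kept prefix and publish a length covering exactly what the Vec still owns.
        fn drop(&mut self) {
            let tail = self.orig_len - self.visited;
            unsafe {
                let p = self.v.as_mut_ptr();
                if tail > 0 && self.kept != self.visited { ptr::copy(p.add(self.visited), p.add(self.kept), tail); }
                self.v.set_len(self.kept + tail);
            }
        }
    }
    let orig_len = v.len();
    // Length 0 while working: if `pred` panics, Vec's own Drop must not run over
    // elements already moved out into `drained` (that would be the double drop).
    unsafe { v.set_len(0) };
    let mut g = Guard { v, kept: 0, visited: 0, orig_len };
    let mut drained = Vec::new();
    while g.visited < orig_len {
        let (i, p) = (g.visited, g.v.as_mut_ptr());
        // The element stays in the buffer while `pred` runs; on panic it is still part of the tail.
        let remove = pred(unsafe { &*p.add(i) });
        g.visited += 1;
        unsafe {
            if remove { drained.push(ptr::read(p.add(i))); }
            else { if g.kept != i { ptr::copy_nonoverlapping(p.add(i), p.add(g.kept), 1); } g.kept += 1; }
        }
    }
    drained
}
// Drop counter (constructed for the demo): each Tracked bumps the shared count once when dropped.
pub struct Tracked { pub id: u32, drops: Rc<Cell<usize>> }
impl Drop for Tracked { fn drop(&mut self) { self.drops.set(self.drops.get() + 1); } }
/// Five tracked values; the predicate drains even ids and panics at id 3. Returns
/// (total drops once everything is gone, elements the Vec still held after the panic).
pub fn drops_after_panicking_predicate() -> (usize, usize) {
    let drops = Rc::new(Cell::new(0));
    let mut v: Vec<Tracked> = (0..5).map(|id| Tracked { id, drops: Rc::clone(&drops) }).collect();
    let pred = |t: &Tracked| if t.id == 3 { panic!("predicate failed") } else { t.id % 2 == 0 };
    assert!(catch_unwind(AssertUnwindSafe(|| drain_filter(&mut v, pred))).is_err());
    let left = v.len(); // ids 1, 3, 4 restored; 0 and 2 went down with `drained` during unwinding
    drop(v);
    (drops.get(), left) // (5, 3): every element dropped exactly once, none twice
}
fn main() { println!("{:?}", drops_after_panicking_predicate()); }
```

Without the guard, a length left covering already-moved elements would let the Vec's Drop run over them a second time; the drop counter makes that visible as a count above five.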

Added tag(s) security. Request was from Léo Le Bouter <lle-bout <at> zaclys.net> to control <at> debbugs.gnu.org. (Thu, 01 Apr 2021 14:10:02 GMT)

Information forwarded to bug-guix <at> gnu.org:
bug#47544; Package guix. (Wed, 23 Mar 2022 02:40:01 GMT)

Message #10 received at 47544 <at> debbugs.gnu.org:

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Léo Le Bouter <lle-bout <at> zaclys.net>
Cc: 47544 <at> debbugs.gnu.org
Subject: Re: bug#47544: rust-slice-deque is vulnerable to CVE-2021-29938
Date: Tue, 22 Mar 2022 22:39:11 -0400
Hello,

Léo Le Bouter <lle-bout <at> zaclys.net> writes:

> CVE-2021-29938	07:15
> An issue was discovered in the slice-deque crate through 2021-02-19 for
> Rust. A double drop can occur in SliceDeque::drain_filter upon a panic
> in a predicate function.
>
> Upstream PR: https://github.com/gnzlbg/slice_deque/pull/91

The project appears unmaintained [0].

[0] https://github.com/gnzlbg/slice_deque/issues/94

It's used by a couple other packages (how many?  hard to tell, this
being Rust in Guix).

Thanks,

Maxim