Fedora 32: 2021-d7f74f0250 Critical: Rust Memory Safety Issues

Rust is a systems programming language that runs blazingly fast, prevents

segfaults, and guarantees thread safety.

This package includes the Rust compiler and documentation generator.

Security fixes for CVE-2020-36323, CVE-2021-28876, CVE-2021-28878,

CVE-2021-28879, and CVE-2021-31162. These are memory safety bugs in the Rust

standard library. Because it is statically linked, affected applications will

need to be rebuilt to benefit from the fixes. The actual security implications

will depend on how these APIs are used in each particular case.

* Fri Apr 16 2021 Josh Stone - 1.51.0-3

- Security fixes for CVE-2020-36323, CVE-2021-31162

* Wed Apr 14 2021 Josh Stone - 1.51.0-2

- Security fixes for CVE-2021-28876, CVE-2021-28878, CVE-2021-28879

- Fix bootstrap for stage0 rust 1.51

[ 1 ] Bug #1949198 - CVE-2021-28876 rust: panic safety issue in Zip implementation

https://bugzilla.redhat.com/show_bug.cgi?id=1949198

[ 2 ] Bug #1949207 - CVE-2021-28878 rust: memory safety violation in Zip implementation when next_back() and next() are used together

https://bugzilla.redhat.com/show_bug.cgi?id=1949207

[ 3 ] Bug #1949211 - CVE-2021-28879 rust: integer overflow in the Zip implementation can lead to a buffer overflow

https://bugzilla.redhat.com/show_bug.cgi?id=1949211

[ 4 ] Bug #1950396 - CVE-2020-36323 rust: optimization for joining strings can cause uninitialized bytes to be exposed

https://bugzilla.redhat.com/show_bug.cgi?id=1950396

[ 5 ] Bug #1950398 - CVE-2021-31162 rust: double free in Vec::from_iter function if freeing the element panics

https://bugzilla.redhat.com/show_bug.cgi?id=1950398

su -c 'dnf upgrade --advisory FEDORA-2021-d7f74f0250' at the command

line. For more information, refer to the dnf documentation available at

https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the

GPG keys used by the Fedora Project can be found at

https://fedoraproject.org/security/

package-announce mailing list -- package-announce@lists.fedoraproject.org

To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org

Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/

List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines

List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/

Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure