Informational advisory for SergioBenitez/Rocket#1312 #320
Conversation
I'm not sure how to represent |
I don't think Although @SergioBenitez said "I am happy to have a RustSec advisory filed", I wonder, should this advisory be |
I consider the severity of this bug to be somewhere between low and medium according to npm's scale. There is an ongoing discussion in #313 to determine the boundary between informational advisories and security advisories, and we can decide which type of advisory to file based on where the discussion settles. I'm also fine with filing an "unsound" informational advisory first and later considering an upgrade. Thank you for your feedback on the path question. I'll wait and see if any maintainer can confirm that. |
Okay, then I suppose I misunderstood the sentences—
—as having meant "This doesn't seem important as a security bug, but it should have an advisory as a soundness bug"; I apologize for the misunderstanding. Personally I don't mind being notified about the bug regardless of which type it is, and, with your meaning clarified, I make no objection to (and, either way, my approval is not needed for) filing the advisory without the |
The bug was reported before unsound informational advisories existed, so I was not particularly relating the report to the unsound advisory at that time. (I'm not against making the advisory informational, just a clarification.) |
The APIs exposed by the Nevertheless, these APIs are not concretely restricted to testing environments only, and so there exists a possibility, even if remote, that the APIs find themselves in use in a vulnerable path. However, in such a path, a Certainly, the implementation was unsound. However, based on the reasoning above, no inherent security vulnerability can arise from documented, expected, or probable use of the APIs. As such, I would advocate for publication as an informational advisory. |
Thank you for the comment, @SergioBenitez. I've fixed the function path and made the advisory informational. |
Apologies for overlooking this PR. It's merged now. |
The affected version of `rocket` contains a `Clone` trait implementation of `LocalRequest` that reuses the pointer to the inner `Request` object. This causes a data race in rare combinations of APIs if the original and the cloned objects are modified at the same time. rwf2/Rocket#1312
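The bug class described in the advisory, illustrated as an added example that is not Rocket's code: `AliasingLocalRequest` and `OwningLocalRequest` are constructed stand-ins (hypothetical names, not the real `LocalRequest`/`Request` types). The first mirrors the defect, a `Clone` impl that copies only the pointer so both owners mutate one heap object; the second is the sound shape, where `Clone` deep-copies the inner value so the original and the clone are independent. The aliasing variant deliberately leaks its allocation and implements no `Drop`, so that the demonstration stays free of double-free and runs safely on one thread; the shared-state write it shows is exactly what would become a data race if the two handles were mutated from different threads.

```rust
use std::ptr::NonNull;

// Constructed stand-in for the inner request object (not Rocket's `Request`).
#[derive(Debug, Clone, PartialEq)]
struct Request {
    headers: Vec<(String, String)>,
}

// Unsound pattern: the wrapper owns a heap-allocated Request, but `clone`
// copies only the pointer, so two "independent" handles alias one allocation.
struct AliasingLocalRequest {
    inner: NonNull<Request>,
}

impl AliasingLocalRequest {
    fn new(req: Request) -> Self {
        // Leaked on purpose: no Drop impl, so the aliasing cannot double-free here.
        Self { inner: NonNull::from(Box::leak(Box::new(req))) }
    }

    fn add_header(&mut self, k: &str, v: &str) {
        // The `&mut self` promises exclusive access, but after `clone()` another
        // handle holds the same pointer: that broken promise is the unsoundness.
        unsafe { (*self.inner.as_ptr()).headers.push((k.into(), v.into())) }
    }

    fn header_count(&self) -> usize {
        unsafe { (*self.inner.as_ptr()).headers.len() }
    }
}

impl Clone for AliasingLocalRequest {
    // Shallow clone: shares the pointer instead of the data.
    fn clone(&self) -> Self {
        Self { inner: self.inner }
    }
}

// Sound pattern: owning the inner value and deriving Clone deep-copies it,
// so mutations through the clone never touch the original.
#[derive(Clone)]
struct OwningLocalRequest {
    inner: Box<Request>,
}

impl OwningLocalRequest {
    fn new(req: Request) -> Self {
        Self { inner: Box::new(req) }
    }

    fn add_header(&mut self, k: &str, v: &str) {
        self.inner.headers.push((k.into(), v.into()));
    }

    fn header_count(&self) -> usize {
        self.inner.headers.len()
    }
}

// Returns (headers seen by the original in the aliasing design,
//          headers seen by the original in the owning design).
fn demonstrate() -> (usize, usize) {
    let mut a = AliasingLocalRequest::new(Request { headers: vec![] });
    let mut b = a.clone();
    a.add_header("X-A", "1");
    b.add_header("X-B", "2");
    // b's write is visible through a: shared mutable state behind two owners.
    let aliased = a.header_count();

    let mut c = OwningLocalRequest::new(Request { headers: vec![] });
    let mut d = c.clone();
    c.add_header("X-C", "1");
    d.add_header("X-D", "2");
    // d's write is not visible through c: each handle owns its own Request.
    let owned = c.header_count();

    (aliased, owned)
}

fn main() {
    let (aliased, owned) = demonstrate();
    println!("aliasing clone: original sees {} headers", aliased);
    println!("owning clone:   original sees {} headers", owned);
}
```

The check a reviewer can apply to any `Clone` impl on a type holding a raw pointer or `NonNull`: either the clone copies the pointee (as the owning variant does) or the shared data is wrapped in a type that makes concurrent mutation safe (`Arc<Mutex<_>>` or similar); a pointer-only copy together with `&mut self` accessors is the signature of this advisory's bug.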