Migrate all advisories to V2 format (closes #228)
As announced in #228, this commit migrates all advisories to the new V2
format, which splits version information into a separate section, and
now has a structure which corresponds to the internal code structure of
the `rustsec` crate.

This is a breaking change for users of `cargo-audit` < 0.9, and anyone
who has written a 3rd party advisory format parser.
tarcieri committed Mar 1, 2020
1 parent c54e93a commit 64c17ac
Showing 67 changed files with 325 additions and 223 deletions.
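The commit message says the V2 format moves version information into its own `[versions]` table. The program below is an added example, not code from this commit or from the `rustsec` crate: it models that table and applies the rule cargo-audit uses when matching a crate against an advisory, namely that a version is vulnerable unless it satisfies at least one `patched` requirement or at least one `unaffected` requirement (this semantic is assumed here, not stated on the page). The version-requirement parser is a hand-written subset of Cargo's syntax written for this example, and every type and function name (`Version`, `VersionReq`, `Versions`, `is_vulnerable`) is this example's own, not the crate's API. The sample tables are copied from the `cookie` and `flatbuffers` files in the diff.

```rust
// Added example, not code from this commit or from the `rustsec` crate: a model of
// the V2 `[versions]` table and of the rule cargo-audit applies to it. Assumed
// semantics: a version is vulnerable unless it satisfies at least one `patched`
// requirement or at least one `unaffected` requirement. The requirement parser is a
// hand-written subset of Cargo's syntax (<, <=, >, >=, =, ^; comma-separated = AND).

#[derive(Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
struct Version { major: u64, minor: u64, patch: u64 }
impl Version {
    /// "1.2.3"; a missing minor/patch is 0, so "1.2" == "1.2.0". No pre-release tags.
    fn parse(s: &str) -> Option<Version> {
        let mut parts = s.trim().split('.').map(|p| p.parse::<u64>());
        let major = parts.next()?.ok()?;
        let minor = parts.next().unwrap_or(Ok(0)).ok()?;
        let patch = parts.next().unwrap_or(Ok(0)).ok()?;
        if parts.next().is_some() { return None } // more than three components
        Some(Version { major, minor, patch })
    }
}

#[derive(Clone, Copy)]
enum Op { Lt, Le, Gt, Ge, Exact, Caret }
// Two-character operators first, so "<=" is not read as "<" followed by "=1.0".
const OPS: [(&str, Op); 6] =
    [("<=", Op::Le), (">=", Op::Ge), ("<", Op::Lt), (">", Op::Gt), ("=", Op::Exact), ("^", Op::Caret)];

/// One comparator such as ">= 1.2.0" or "^0.6.2"; a bare "1.2.0" is caret, as in Cargo.
struct Comparator { op: Op, version: Version }
impl Comparator {
    fn parse(s: &str) -> Option<Comparator> {
        let s = s.trim();
        let (op, rest) = OPS.iter()
            .find_map(|(prefix, op)| s.strip_prefix(*prefix).map(|rest| (*op, rest)))
            .or_else(|| s.starts_with(|c: char| c.is_ascii_digit()).then_some((Op::Caret, s)))?;
        Some(Comparator { op, version: Version::parse(rest)? })
    }

    fn matches(&self, v: Version) -> bool {
        let w = self.version;
        match self.op {
            Op::Lt => v < w,
            Op::Le => v <= w,
            Op::Gt => v > w,
            Op::Ge => v >= w,
            Op::Exact => v == w,
            Op::Caret => {
                // Caret keeps the leftmost non-zero component fixed: ^0.6.2 is >=0.6.2, <0.7.0.
                let upper = match (w.major, w.minor) {
                    (0, 0) => Version { major: 0, minor: 0, patch: w.patch + 1 },
                    (0, m) => Version { major: 0, minor: m + 1, patch: 0 },
                    (m, _) => Version { major: m + 1, minor: 0, patch: 0 },
                };
                v >= w && v < upper
            }
        }
    }
}

/// A requirement string such as "< 1.2.0, >= 1.1.0": its comparators are ANDed.
struct VersionReq(Vec<Comparator>);
impl VersionReq {
    fn parse(s: &str) -> Option<VersionReq> {
        s.split(',').map(Comparator::parse).collect::<Option<Vec<_>>>().map(VersionReq)
    }
    fn matches(&self, v: Version) -> bool { self.0.iter().all(|c| c.matches(v)) }
}

fn parse_reqs(reqs: &[&str]) -> Option<Vec<VersionReq>> {
    reqs.iter().map(|r| VersionReq::parse(r)).collect()
}

/// The V2 `[versions]` table; within each list the requirements are ORed.
struct Versions { patched: Vec<VersionReq>, unaffected: Vec<VersionReq> }
impl Versions {
    fn parse(patched: &[&str], unaffected: &[&str]) -> Option<Versions> {
        Some(Versions { patched: parse_reqs(patched)?, unaffected: parse_reqs(unaffected)? })
    }
    fn is_vulnerable(&self, v: Version) -> bool {
        let fixed = self.patched.iter().any(|r| r.matches(v));
        let never = self.unaffected.iter().any(|r| r.matches(v));
        !fixed && !never
    }
}

/// `None` means the table or the version did not parse; a real checker must treat
/// that as an error, never as "not vulnerable".
fn is_vulnerable(patched: &[&str], unaffected: &[&str], version: &str) -> Option<bool> {
    Some(Versions::parse(patched, unaffected)?.is_vulnerable(Version::parse(version)?))
}

fn main() {
    // Table copied from the cookie file of this commit: 0.6.0, 0.6.1 and 0.7.0..0.7.5 are flagged.
    for v in ["0.5.9", "0.6.1", "0.6.9", "0.7.0", "0.7.6"] {
        let vulnerable = is_vulnerable(&["< 0.6.0", "^0.6.2", ">= 0.7.6"], &[], v).expect("valid input");
        println!("cookie {v:>6}: {}", if vulnerable { "VULNERABLE" } else { "ok" });
    }
}
```

Two things the table structure makes visible: a range listed under `patched` and the same range listed under `unaffected` produce identical scan results, so the split is about meaning rather than matching; and `patched = []` plus a lower `unaffected` bound flags every release above that bound with no upper limit, which is what the `flatbuffers` file in this commit encodes.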
31 changes: 16 additions & 15 deletions README.md
Expand Up @@ -43,21 +43,6 @@ date = "2019-10-01"
# Single-line description of a vulnerability (mandatory)
title = "Flaw in X allows Y"

# Enter a short-form description of the vulnerability here (mandatory)
description = """
Affected versions of this crate did not properly X.
This allows an attacker to Y.
The flaw was corrected by Z.
"""

# Versions which include fixes for this vulnerability (mandatory)
patched_versions = [">= 1.2.0"]

# Versions which were never vulnerable (optional)
#unaffected_versions = ["< 1.1.0"]

# URL to a long-form description of this issue, e.g. a GitHub issue/PR,
# a change log entry, or a blogpost announcing the release (optional)
url = "https://github.com/mystuff/mycrate/issues/123"
Expand All @@ -78,6 +63,15 @@ keywords = ["ssl", "mitm"]
# e.g. CVE for a C library wrapped by a -sys crate)
#references = ["CVE-2018-YYYY", "CVE-2018-ZZZZ"]

# Enter a short-form description of the vulnerability here (mandatory)
description = """
Affected versions of this crate did not properly X.
This allows an attacker to Y.
The flaw was corrected by Z.
"""

# Optional: metadata which narrows the scope of what this advisory affects
[affected]
# CPU architectures impacted by this vulnerability (optional).
Expand All @@ -100,6 +94,13 @@ keywords = ["ssl", "mitm"]
# The path syntax is `cratename::path::to::function`, without any
# parameters or additional information, followed by a list of version reqs.
functions = { "mycrate::MyType::vulnerable_function" = ["< 1.2.0, >= 1.1.0"] }

# Versions which include fixes for this vulnerability (mandatory)
[versions]
patched = [">= 1.2.0"]

# Versions which were never vulnerable (optional)
#unaffected = ["< 1.1.0"]
```

## License
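Review bot: the "(mandatory)" comment now sits above the `[versions]` header, so it reads as describing the table rather than the `patched` key, and nothing in this section says what happens to a version that matches neither `patched` nor `unaffected`, or that an empty `patched` list is valid. Both conventions are exercised elsewhere in this commit (the `cassandra` file has `patched = []` with `unaffected = ["> 0.8.1"] # last release`), so spell them out here: `patched` is required but may be empty for advisories with no fix, `unaffected` is optional, and a version that satisfies either list is reported as not vulnerable.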
8 changes: 5 additions & 3 deletions crates/ammonia/RUSTSEC-2019-0001.toml
Expand Up @@ -3,6 +3,8 @@ id = "RUSTSEC-2019-0001"
package = "ammonia"
date = "2019-04-27"
title = "Uncontrolled recursion leads to abort in HTML serialization"
url = "https://github.com/rust-ammonia/ammonia/blob/master/CHANGELOG.md#210"
keywords = ["stack-overflow", "crash"]
description = """
Affected versions of this crate did use recursion for serialization of HTML
DOM trees.
Expand All @@ -12,11 +14,11 @@ a pathologically nested input.
The flaw was corrected by serializing the DOM tree iteratively instead.
"""
patched_versions = [">= 2.1.0"]
url = "https://github.com/rust-ammonia/ammonia/blob/master/CHANGELOG.md#210"
keywords = ["stack-overflow", "crash"]

[affected.functions]
"ammonia::clean" = ["< 2.1.0"]
"ammonia::Document::to_string" = ["< 2.1.0"]
"ammonia::Document::write_to" = ["< 2.1.0"]

[versions]
patched = [">= 2.1.0"]
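Review bot: `[versions]` is appended after `[affected.functions]` here, while the `arrayfire` file in the same commit places `[versions]` before `[affected]`. Since `[versions]` is mandatory and `[affected]` optional, a migration script should emit `[versions]` directly after the `[advisory]` table in every file so the required section is always in the same position. The TOML is valid either way: `[versions]` opens a new top-level table and is not nested under `affected`.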
12 changes: 7 additions & 5 deletions crates/arrayfire/RUSTSEC-2018-0011.toml
Expand Up @@ -3,6 +3,9 @@ id = "RUSTSEC-2018-0011"
package = "arrayfire"
date = "2018-12-18"
title = "Enum repr causing potential memory corruption"
url = "https://github.com/arrayfire/arrayfire-rust/pull/177"
categories = ["memory-corruption"]
keywords = ["enum", "repr"]
description = """
The attribute repr() added to enums to be compatible with C-FFI caused
memory corruption on MSVC toolchain.
Expand All @@ -15,11 +18,10 @@ The issue seems to be interlinked with which version of Rust is being used.
The issue was fixed in crate 3.6.0.
"""
patched_versions = [">= 3.6.0"]
unaffected_versions = ["<= 3.5.0"]
url = "https://github.com/arrayfire/arrayfire-rust/pull/177"
categories = ["memory-corruption"]
keywords = ["enum", "repr"]

[versions]
patched = [">= 3.6.0"]
unaffected = ["<= 3.5.0"]

[affected]
arch = ["x86_64"]
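Review bot: `unaffected = ["<= 3.5.0"]` together with `patched = [">= 3.6.0"]` declares 3.5.0 and every release below it never vulnerable, so the only versions this advisory can ever flag are 3.5.x point releases above 3.5.0. The description says the `repr()` attribute "caused memory corruption" and that "the issue was fixed in crate 3.6.0", which reads as though releases before 3.6.0 were affected. The migration carries the range over unchanged from `unaffected_versions`, but this is the moment to confirm which release introduced the attribute and, if 3.5.0 really was unaffected, add a comment saying so next to the range.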
13 changes: 4 additions & 9 deletions crates/asn1_der/RUSTSEC-2019-0007.toml
@@ -1,12 +1,10 @@
[advisory]
id = "RUSTSEC-2019-0007"

package = "asn1_der"

date = "2019-06-13"

title = "Processing of maliciously crafted length fields causes memory allocation SIGABRTs"

url = "https://github.com/KizzyCode/asn1_der/issues/1"
keywords = ["dos"]
description = """
Affected versions of this crate tried to preallocate a vector for an arbitrary amount of bytes announced by the ASN.1-DER length field without further checks.
Expand All @@ -15,8 +13,5 @@ This allows an attacker to trigger a SIGABRT by creating length fields that anno
The flaw was corrected by not preallocating memory.
"""

patched_versions = [">= 0.6.2"]

url = "https://github.com/KizzyCode/asn1_der/issues/1"

keywords = ["dos"]
[versions]
patched = [">= 0.6.2"]
4 changes: 3 additions & 1 deletion crates/base64/RUSTSEC-2017-0004.toml
Expand Up @@ -4,7 +4,6 @@ package = "base64"
date = "2017-05-03"
url = "https://github.com/alicemaz/rust-base64/commit/24ead980daf11ba563e4fb2516187a56a71ad319"
title = "Integer overflow leads to heap-based buffer overflow in encode_config_buf"
patched_versions = [">= 0.5.2"]
keywords = ["memory-corruption"]
aliases = ["CVE-2017-1000430"]
description = """
Expand All @@ -19,3 +18,6 @@ and possibly the execution of arbitrary code.
This flaw was corrected by using checked arithmetic to calculate
the size of the buffer.
"""

[versions]
patched = [">= 0.5.2"]
8 changes: 5 additions & 3 deletions crates/blake2/RUSTSEC-2019-0019.toml
Expand Up @@ -3,6 +3,8 @@ id = "RUSTSEC-2019-0019"
package = "blake2"
date = "2019-08-25"
title = "HMAC-BLAKE2 algorithms compute incorrect results"
url = "https://github.com/RustCrypto/MACs/issues/19"
categories = ["crypto-failure"]
description = """
When used in conjunction with the Hash-based Message Authentication Code (HMAC),
the BLAKE2b and BLAKE2s implementations in `blake2` crate versions prior to
Expand All @@ -15,6 +17,6 @@ The v0.8.1 release of the `blake2` crate uses the correct block sizes.
Note that this advisory only impacts usage of BLAKE2 with HMAC, and does not
impact `Digest` functionality.
"""
patched_versions = [">= 0.8.1"]
url = "https://github.com/RustCrypto/MACs/issues/19"
categories = ["crypto-failure"]

[versions]
patched = [">= 0.8.1"]
6 changes: 4 additions & 2 deletions crates/cassandra/RUSTSEC-2016-0006.toml
Expand Up @@ -5,8 +5,6 @@ title = "`cassandra` crate is unmaintained; use `cassandra-cpp` instead"
informational = "unmaintained"
date = "2016-12-15"
url = "https://github.com/tupshin/cassandra-rs/issues/52"
unaffected_versions = ["> 0.8.1"] # last release
patched_versions = []
description = """
The `cassandra` crate has not seen a release since December 2016, and its author
is unresponsive.
Expand All @@ -15,3 +13,7 @@ The `cassandra-cpp` crate is a maintained fork:
https://github.com/Metaswitch/cassandra-rs
"""

[versions]
patched = []
unaffected = ["> 0.8.1"] # last release
8 changes: 5 additions & 3 deletions crates/chacha20/RUSTSEC-2019-0029.toml
Expand Up @@ -3,6 +3,8 @@ id = "RUSTSEC-2019-0029"
package = "chacha20"
date = "2019-10-22"
title = "ChaCha20 counter overflow can expose repetitions in the keystream"
url = "https://github.com/RustCrypto/stream-ciphers/pull/64"
categories = ["crypto-failure"]
description = """
The ChaCha20 stream cipher can produce a maximum of 2^32 blocks (~256GB)
before the 32-bit counter overflows. Releases of the `chacha20` crate prior
Expand All @@ -18,6 +20,6 @@ Users of the `chacha20poly1305` crate are unaffected by this as this crate
properly asserts the length of the plaintext is less than the maximum allowed
(`P_MAX` as described in RFC 8439 Section 2.8).
"""
patched_versions = [">= 0.2.3"]
url = "https://github.com/RustCrypto/stream-ciphers/pull/64"
categories = ["crypto-failure"]

[versions]
patched = [">= 0.2.3"]
6 changes: 4 additions & 2 deletions crates/chan/RUSTSEC-2018-0014.toml
Expand Up @@ -5,8 +5,6 @@ title = "chan is end-of-life; use crossbeam-channel instead"
informational = "unmaintained"
date = "2018-07-31"
url = "https://github.com/BurntSushi/chan/commit/0a5c0d4ad4adc90a54ee04a427389acf2e157275"
unaffected_versions = ["> 0.1.23"] # last release
patched_versions = []
description = """
**`chan` has reached its end-of-life and is now deprecated.**
Expand All @@ -16,3 +14,7 @@ Its API is strikingly similar, but comes with a much better `select!` macro,
better performance, a better test suite and an all-around better
implementation.
"""

[versions]
unaffected = ["> 0.1.23"] # last release
patched = []
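Review bot: `unaffected` is emitted before `patched` here (and in the `crust` file), while `cassandra` and `arrayfire` in the same commit emit `patched` first. A mechanical migration should write the `[versions]` keys in one fixed order, matching the README (`patched` then `unaffected`), so later diffs of this table stay readable and a reviewer can spot a missing key at a glance.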
6 changes: 4 additions & 2 deletions crates/chttp/RUSTSEC-2019-0016.toml
Expand Up @@ -10,7 +10,9 @@ or be exploited to cause undefined behavior.
A fix was published in version 0.1.3.
"""
patched_versions = [">= 0.1.3"]
unaffected_versions = ["< 0.1.1"]
url = "https://github.com/sagebind/isahc/issues/2"
keywords = ["memory-management", "memory-corruption"]

[versions]
patched = [">= 0.1.3"]
unaffected = ["< 0.1.1"]
8 changes: 5 additions & 3 deletions crates/claxon/RUSTSEC-2018-0004.toml
Expand Up @@ -3,6 +3,8 @@ id = "RUSTSEC-2018-0004"
package = "claxon"
date = "2018-08-25"
title = "Malicious input could cause uninitialized memory to be exposed"
url = "https://github.com/ruuda/claxon/commit/8f28ec275e412dd3af4f3cda460605512faf332c"
keywords = ["uninitialized-memory"]
description = """
Affected versions of Claxon made an invalid assumption about the decode buffer
size being a multiple of a value read from the bitstream. This could cause parts
Expand All @@ -17,6 +19,6 @@ the decode buffer size, and returning a format error if it does not. If an error
is returned, the decode buffer is not exposed. Regression tests and an
additional fuzzer have been added to prevent similar flaws in the future.
"""
patched_versions = ["=0.3.2", ">= 0.4.1"]
url = "https://github.com/ruuda/claxon/commit/8f28ec275e412dd3af4f3cda460605512faf332c"
keywords = ["uninitialized-memory"]

[versions]
patched = ["=0.3.2", ">= 0.4.1"]
10 changes: 6 additions & 4 deletions crates/compact_arena/RUSTSEC-2019-0015.toml
Expand Up @@ -3,6 +3,9 @@ id = "RUSTSEC-2019-0015"
package = "compact_arena"
date = "2019-05-21"
title = "Flaw in generativity allows out-of-bounds access"
url = "https://github.com/llogiq/compact_arena/issues/22"
categories = ["memory-corruption"]
keywords = ["uninitialized-memory"]
description = """
Affected versions of this crate did not properly implement the generativity,
because the invariant lifetimes were not necessarily `drop`ped.
Expand All @@ -13,10 +16,9 @@ access into the memory reserved for the arena.
The flaw was corrected by implementing generativity correctly in version 0.4.0.
"""
patched_versions = [">= 0.4.0"]
url = "https://github.com/llogiq/compact_arena/issues/22"
categories = ["memory-corruption"]
keywords = ["uninitialized-memory"]

[affected.functions]
"compact_arena::SmallArena::new" = ["< 0.4.0"]

[versions]
patched = [">= 0.4.0"]
4 changes: 3 additions & 1 deletion crates/cookie/RUSTSEC-2017-0005.toml
@@ -1,7 +1,6 @@
[advisory]
id = "RUSTSEC-2017-0005"
package = "cookie"
patched_versions = ["< 0.6.0", "^0.6.2", ">= 0.7.6"]
keywords = ["crash"]
url = "https://github.com/alexcrichton/cookie-rs/pull/86"
title = "Large cookie Max-Age values can cause a denial of service"
Expand All @@ -15,3 +14,6 @@ will panic if the value is greater than 2^64/1000 and less than or equal to
This flaw was corrected by explicitly checking for the `Max-Age` being in this
integer range and clamping the value to the maximum duration value.
"""

[versions]
patched = ["< 0.6.0", "^0.6.2", ">= 0.7.6"]
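Review bot: `"< 0.6.0"` in `patched` describes releases that predate the bug, not releases containing a fix; now that V2 separates the two notions it belongs in `unaffected = ["< 0.6.0"]`, leaving `patched = ["^0.6.2", ">= 0.7.6"]`. The scan result is the same either way, but the README in this commit documents `patched` as "Versions which include fixes", and anything that renders the advisory will otherwise present 0.5.x as patched.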
10 changes: 6 additions & 4 deletions crates/crossbeam/RUSTSEC-2018-0009.toml
Expand Up @@ -3,6 +3,8 @@ id = "RUSTSEC-2018-0009"
package = "crossbeam"
date = "2018-12-09"
title = "MsQueue and SegQueue suffer from double-free"
url = "https://github.com/crossbeam-rs/crossbeam-epoch/issues/82"
keywords = ["concurrency", "memory-management", "memory-corruption"]
description = """
Even if an element is popped from a queue, crossbeam would run its
destructor inside the epoch-based garbage collector. This is a source
Expand All @@ -13,7 +15,7 @@ The flaw was corrected by wrapping elements inside queues in a
Thanks to @c0gent for reporting the issue.
"""
patched_versions = [">= 0.4.1"]
unaffected_versions = ["< 0.4.0"]
url = "https://github.com/crossbeam-rs/crossbeam-epoch/issues/82"
keywords = ["concurrency", "memory-management", "memory-corruption"]

[versions]
patched = [">= 0.4.1"]
unaffected = ["< 0.4.0"]
6 changes: 4 additions & 2 deletions crates/crust/RUSTSEC-2019-0032.toml
Expand Up @@ -5,12 +5,14 @@ title = "crust repo has been archived; use libp2p instead"
informational = "unmaintained"
date = "2019-11-21"
url = "https://github.com/maidsafe/crust"
unaffected_versions = ["> 0.32.1"] # last release
patched_versions = []
description = """
** The `crust` crate repo was archived with no warning or explanation.**
Given that it was archived with no warning or successor, there's not an
official replacement but [`rust-libp2p`](https://github.com/libp2p/rust-libp2p)
looks like it's got a similar feature set and is actively maintained.
"""

[versions]
unaffected = ["> 0.32.1"] # last release
patched = []
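Review bot: the description opens with "** The `crust` crate repo ...**" and the space after the opening asterisks stops Markdown from rendering the bold; the `chan` description in this commit has no gap after its `**`. Unrelated to the format migration, but worth fixing while the file is being rewritten.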
10 changes: 6 additions & 4 deletions crates/flatbuffers/RUSTSEC-2019-0028.toml
@@ -1,8 +1,6 @@
[advisory]
id = "RUSTSEC-2019-0028"
package = "flatbuffers"
patched_versions = []
unaffected_versions = ["< 0.4.0"]
date = "2019-10-20"
url = "https://github.com/google/flatbuffers/issues/5530"
title = "Unsound `impl Follow for bool`"
Expand All @@ -13,5 +11,9 @@ In Rust `bool` has stringent requirements for its in-memory representation. Use
allows to violate these requirements and invoke undefined behaviour in safe code.
"""

[affected]
functions = { "flatbuffers::Follow::follow" = [">= 0.4.0", "<= 0.6.0"] }
[affected.functions]
"flatbuffers::Follow::follow" = [">= 0.4.0", "<= 0.6.0"]

[versions]
patched = []
unaffected = ["< 0.4.0"]
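Review bot: with `patched = []` and `unaffected = ["< 0.4.0"]`, every version from 0.4.0 upward is reported vulnerable with no upper bound, while `[affected.functions]` stops at `"<= 0.6.0"`. If releases after 0.6.0 are still unfixed, the function range should be open-ended (`">= 0.4.0"`) to match; if they are fixed, `patched` should say so. As committed, the two tables disagree about whether anything above 0.6.0 is affected.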
8 changes: 5 additions & 3 deletions crates/generator/RUSTSEC-2019-0020.toml
Expand Up @@ -3,6 +3,8 @@ id = "RUSTSEC-2019-0020"
package = "generator"
date = "2019-09-06"
title = "fix unsound APIs that could lead to UB"
url = "https://github.com/Xudong-Huang/generator-rs/issues/9"
keywords = ["memory-corruption"]
description = """
Affected versions of this crate API could use uninitialized memory with some APIs in special
cases, like use the API in none generator context. This could lead to UB.
Expand All @@ -12,6 +14,6 @@ The flaw was corrected by <https://github.com/Xudong-Huang/generator-rs/issues/9
<https://github.com/Xudong-Huang/generator-rs/issues/14>
This patch fixes all those issues above.
"""
patched_versions = [">= 0.6.18"]
url = "https://github.com/Xudong-Huang/generator-rs/issues/9"
keywords = ["memory-corruption"]

[versions]
patched = [">= 0.6.18"]
10 changes: 6 additions & 4 deletions crates/http/RUSTSEC-2019-0033.toml
Expand Up @@ -3,6 +3,9 @@ id = "RUSTSEC-2019-0033"
package = "http"
date = "2019-11-16"
title = "Integer Overflow in HeaderMap::reserve() can cause Denial of Service"
url = "https://github.com/hyperium/http/issues/352"
categories = ["denial-of-service"]
keywords = ["http", "integer-overflow", "DoS"]
description = """
`HeaderMap::reserve()` used `usize::next_power_of_two()` to calculate the increased capacity.
However, `next_power_of_two()` silently overflows to 0 if given a sufficently large number
Expand All @@ -15,10 +18,9 @@ to cause a potential denial of service (DoS).
The flaw was corrected in 0.1.20 release of `http` crate.
"""
patched_versions = [">= 0.1.20"]
url = "https://github.com/hyperium/http/issues/352"
categories = ["denial-of-service"]
keywords = ["http", "integer-overflow", "DoS"]

[affected.functions]
"http::header::HeaderMap::reserve" = ["< 0.1.20"]

[versions]
patched = [">= 0.1.20"]