Source: rustc
Version: 1.14.0+dfsg1-3
Severity: important
Tags: security stretch
Hi,

Sergey (in CC) recently pointed out [0] that we are still shipping in Stretch i386 a version of the VecDeque (from the Rust stdlib) that can perform invalid out-of-bounds writes: https://github.com/rust-lang/rust/issues/44800

This is very likely exploitable (attacker-controlled data is written outside the buffer), and we (the rust team) think it would be worth fixing ASAP.

Thankfully, there is already a more recent version for amd64 in stretch, and 1.24.1+dfsg1-1~deb9u3 is already in stretch-pu for i386 (plus a bunch of architectures which did not previously have rustc). The fix first appeared in upstream release 1.21.0 (Oct 2017).

Would it be possible to turn it into a security upload, along with a binNMU of all packages that were built with rustc (<< 1.24.1)?

@Sergey: Thanks a lot for dedicating some of your time and energy to finding security issues in the Rust ecosystem, it is highly appreciated. :3

Best,
nicoo

[0]: https://medium.com/@shnatsel/how-rusts-standard-library-was-vulnerable-for-years-and-nobody-noticed-aebf0503c3d6