Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Undefined behavior in Rand #149

Merged
merged 8 commits into from Jul 24, 2020
Merged

Undefined behavior in Rand #149

Changes from 4 commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
d59af0f
Undefined behavior in rand_core
vks Sep 4, 2019
3a9d04b
Undefined behavior in rand
vks Sep 4, 2019
4f61057
Make Rand advisories informational
vks Jun 24, 2020
f4a382d
Don't mention violations of pointer provenance rules
vks Jun 30, 2020
8125b66
Flaws -> flaw
vks Jun 30, 2020
55fe596
rand_core: fix formatting
tarcieri Jul 24, 2020
264c4a7
Fix TOML table formatting
tarcieri Jul 24, 2020
128e7df
Fix versions TOML
tarcieri Jul 24, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
15 changes: 15 additions & 0 deletions crates/rand_core/RUSTSEC-0000-0000.toml
View file
Open in desktop
@@ -0,0 +1,15 @@
[advisory]
id = "RUSTSEC-0000-0000"
package = "rand_core"
date = "2019-04-19"
informational = "unsound"
title = "Unaligned memory access"
description = """
Affected versions of this crate violated alignment when casting byte slices to
integer slices, resulting in undefined behavior.

The flaws were corrected by Ralf Jung and Diggory Hardy.
vks marked this conversation as resolved.
Show resolved Hide resolved
"""
patched_versions = [">= 0.4.2"]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This doesn't look like the right toml format (maybe it changed); see https://github.com/RustSec/advisory-db#advisory-format.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@vks that is probably also the cause of the CI failure, though the message is quite cryptic:

error: error loading advisory DB repo from .: RustSec error: parse error: missing field `versions` at line 1 column 1

url = "https://github.com/rust-random/rand/blob/master/rand_core/CHANGELOG.md#050---2019-06-06"
affected_functions = ["rand_core::BlockRng::next_u64", "rand_core::BlockRng::fill_bytes"]