From 3b810f1c13e19700584aae32e9c067c79e762dc1 Mon Sep 17 00:00:00 2001 From: "Sergey \"Shnatsel\" Davidoff" Date: Fri, 19 Jul 2019 21:35:39 +0200 Subject: [PATCH 1/2] Add advisory for smallvec issue #149 --- crates/smallvec/RUSTSEC-0000-0000.toml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 crates/smallvec/RUSTSEC-0000-0000.toml diff --git a/crates/smallvec/RUSTSEC-0000-0000.toml b/crates/smallvec/RUSTSEC-0000-0000.toml new file mode 100644 index 000000000..4b38c6993 --- /dev/null +++ b/crates/smallvec/RUSTSEC-0000-0000.toml @@ -0,0 +1,17 @@ +[advisory] +id = "RUSTSEC-0000-0009" +package = "smallvec" +date = "2019-07-19" +title = "Memory corruption in SmallVec::grow()" +description = """ +Attempting to call `grow` on a spilled SmallVec with a value less than the current capacity causes corruption of memory allocator data structures. + +An attacker that controls the value passed to `grow` may exploit this flaw to obtain memory contents or gain remote code execution. + +Credits to @ehuss for discovering, reporting and fixing the bug. +""" +patched_versions = [">= 0.6.10"] +unaffected_versions = ["< 0.6.3"] +url = "https://github.com/servo/rust-smallvec/issues/149" +keywords = ["memory corruption", "arbitrary code execution"] +affected_functions = ["smallvec::SmallVec::grow"] From 150700481bc190d0ecc46783b2b03d05dc2be0e4 Mon Sep 17 00:00:00 2001 From: "Sergey \"Shnatsel\" Davidoff" Date: Fri, 19 Jul 2019 21:45:40 +0200 Subject: [PATCH 2/2] Update RUSTSEC-0000-0000.toml --- crates/smallvec/RUSTSEC-0000-0000.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crates/smallvec/RUSTSEC-0000-0000.toml b/crates/smallvec/RUSTSEC-0000-0000.toml index 4b38c6993..3444143d3 100644 --- a/crates/smallvec/RUSTSEC-0000-0000.toml +++ b/crates/smallvec/RUSTSEC-0000-0000.toml @@ -1,5 +1,5 @@ [advisory] -id = "RUSTSEC-0000-0009" +id = "RUSTSEC-0000-0000" package = "smallvec" date = "2019-07-19" title = "Memory corruption in SmallVec::grow()"