Bug 1183403 (CVE-2021-25900)

Summary: VUL-0: CVE-2021-25900: rust,librsvg: heap-based buffer overflow in SmallVec:insert_many
Product: [Novell Products] SUSE Security Incidents Reporter: Robert Frohl <rfrohl>
Component: IncidentsAssignee: William Brown <william.brown>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P3 - Medium CC: federico, ngompa13, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/276552/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-25900:7.4:(AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Robert Frohl 2021-03-11 15:37:34 UTC 
rh#1936943

An issue was discovered in the smallvec crate before 0.6.14 and 1.x before 1.6.1 for Rust. There is a heap-based buffer overflow in SmallVec::insert_many.

Reference:
https://rustsec.org/advisories/RUSTSEC-2021-0003.html

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1936943
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-25900
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25900
https://rustsec.org/advisories/RUSTSEC-2021-0003.html
Comment 1 Robert Frohl 2021-03-11 15:40:25 UTC 
adding a opensuse bugowner (sorry there will be quite a few of these bugs).
Comment 2 Robert Frohl 2021-03-11 15:42:09 UTC 
rust embeds smallvec and smallvec-0.6.10 , therefor these codestreams are affected:

- SUSE:SLE-15:Update/rust
- SUSE:SLE-15-SP1:Update/rust
Comment 3 Federico Mena Quintero 2021-04-23 16:39:33 UTC 
https://build.suse.de/request/show/240147 takes care of this for librsvg in SUSE:SLE-15-SP2:Update.
Comment 4 Swamp Workflow Management 2021-04-28 19:16:27 UTC 
SUSE-SU-2021:1408-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1183403
CVE References: CVE-2021-25900
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (src):    librsvg-2.46.5-3.3.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (src):    librsvg-2.46.5-3.3.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    librsvg-2.46.5-3.3.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    librsvg-2.46.5-3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 5 Swamp Workflow Management 2021-05-01 01:19:05 UTC 
openSUSE-SU-2021:0634-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1183403
CVE References: CVE-2021-25900
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    librsvg-2.46.5-lp152.2.3.1
Comment 6 Robert Frohl 2022-01-21 12:39:35 UTC 
smallvec was updated to 0.6.14 and 1.6.1 with rust version 1.52 (via 93c8ebe022d0eac6fb02848dc85f003cf7b7503c)
Comment 7 Robert Frohl 2022-01-21 12:40:58 UTC 
(In reply to Robert Frohl from comment #6)
> smallvec was updated to 0.6.14 and 1.6.1 with rust version 1.52 (via
> 93c8ebe022d0eac6fb02848dc85f003cf7b7503c)

Which means SLE15-SP3 is not affected, because rust1.43 is out of support.
SLE15 and SLE15-SP1 are now on 1.53.
Comment 8 Robert Frohl 2022-01-21 12:41:08 UTC 
closing