Bug 1184603 (CVE-2021-28878)

Summary: VUL-0: CVE-2021-28878: rust: memory safety violation in the Zip implementation related to next_back() and next()
Product: [Novell Products] SUSE Security Incidents Reporter: Robert Frohl <rfrohl>
Component: IncidentsAssignee: William Brown <william.brown>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Minor    
Priority: P4 - Low CC: federico, i.gnatenko.brain, smash_bz, william.brown
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/281615/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-28878:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: QA reproducer

Description Robert Frohl 2021-04-12 09:37:08 UTC 
CVE-2021-28878

In the standard library in Rust before 1.52.0, the Zip implementation calls
__iterator_get_unchecked() more than once for the same index (under certain
conditions) when next_back() and next() are used together. This bug could lead
to a memory safety violation due to an unmet safety requirement for the
TrustedRandomAccess trait.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-28878
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28878
https://github.com/rust-lang/rust/issues/82291
https://github.com/rust-lang/rust/pull/82292
Comment 1 Robert Frohl 2021-04-12 11:21:09 UTC 
tracking as affected:

- SUSE:SLE-15:Update/rust
- SUSE:SLE-15-SP1:Update/rust

also still a problem in openSUSE:Factory
Comment 2 Robert Frohl 2021-04-12 11:31:15 UTC 
Created attachment 848244 [details]
QA reproducer

> rustc CVE-2021-28878.rs && ./CVE-2021-28878

strange, changing output like 'z4' or no text at all. Fixed rust should return 'aaaa', see [0].

[0] https://play.rust-lang.org/?version=nightly&mode=release&edition=2018&gist=196385a61f316746f71e9a59aa68d6e7
Comment 3 William Brown 2021-06-01 01:24:06 UTC 
openSUSE:Factory should be resolved now, as we have updated to 1.52.0.

For SLE-15/SLE-15-SP1 I'm not sure of the best approach here. This issue in zip is a really really really niche case, that requires someone to have used zip in a really weird way.

We can't update to 1.52 in SLE-15 right now because of the requirements of firefox to be on 1.43 (I think it is). in SP4 we are aiming to move to parallel rust versions https://en.opensuse.org/Parallel_Rust_Versions_Roadmap which will mean we can have > 1.52 for almost everything except firefox. 


I think that this is a really low risk issue. I think I'd want to see evidence of the incorrect usage of zip in the calling application, and then we can decide to backport to rust or if we just patch the affected libraries instead. 

i.e. it would be a lot of work to resolve this, for an issue that is extremely unlikely to be hit outside of pathological cases.
Comment 4 Robert Frohl 2022-01-21 12:57:16 UTC 
Does not affect any supported version anymore. Updated tracking. Closing