Bug 1180578 (CVE-2019-25009) - VUL-0: CVE-2019-25009: rust: An issue related to the HeaderMap::Drain API was discovered in the http crate before 0.1.20 for Rust.
Summary: VUL-0: CVE-2019-25009: rust: An issue related to the HeaderMap::Drain API was...
Status: RESOLVED INVALID
Alias: CVE-2019-25009
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Minor
Target Milestone: ---
Assignee: William Brown
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/274329/
Whiteboard: CVSSv3.1:SUSE:CVE-2019-25009:5.9:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2021-01-05 13:19 UTC by Robert Frohl
Modified: 2022-10-26 14:18 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Robert Frohl 2021-01-05 13:19:48 UTC
CVE-2019-25009

An issue was discovered in the http crate before 0.1.20 for Rust. The
HeaderMap::Drain API can use a raw pointer, defeating soundness.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-25009
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-25009
https://rustsec.org/advisories/RUSTSEC-2019-0034.html
Comment 1 Robert Frohl 2021-01-05 13:20:35 UTC
rust embeds http 0.1.19, tracking these codestreams as affected:

- SUSE:SLE-15:Update/rust
- SUSE:SLE-15-SP1:Update/rust
Comment 2 Scott Reeves 2021-03-02 18:40:52 UTC
Can you take this Federico...
Comment 5 Thomas Leroy 2022-08-31 13:40:37 UTC
Reassigning to William
Comment 6 William Brown 2022-09-01 03:11:51 UTC
No packages are affected by this vulnerability, so this can be closed.
Comment 9 Carlos López 2022-10-26 14:18:04 UTC
There was no separate advisory for the Rust toolchain, so it is not affected.

None of the Rust packages we ship embed http with a version below 0.1.20, so nothing to fix. Closing.
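
The check the comments above describe (whether a shipped package embeds http below 0.1.20) can be run against a package's Cargo.lock. The following is an added example, not part of the original bug report or of SUSE's tooling; the function names and the sample lockfile are constructed, and it assumes the plain-text Cargo.lock layout of `[[package]]` entries with `name` and `version` keys.

```rust
/// Parse "major.minor.patch" (ignoring any pre-release/build suffix) into a comparable tuple.
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c: char| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    Some((parts.next()??, parts.next()??, parts.next()??))
}

/// Return every `http` version recorded in Cargo.lock text that predates the fix (0.1.20).
fn vulnerable_http_versions(lockfile: &str) -> Vec<String> {
    const FIXED: (u64, u64, u64) = (0, 1, 20);
    let mut hits = Vec::new();
    let mut name: Option<String> = None;
    for line in lockfile.lines().map(str::trim) {
        if line == "[[package]]" {
            name = None; // a new package entry begins
        } else if let Some(v) = line.strip_prefix("name = ") {
            name = Some(v.trim_matches('"').to_string());
        } else if let Some(v) = line.strip_prefix("version = ") {
            let v = v.trim_matches('"');
            // Exact name match, so crates such as `httparse` are not flagged.
            if name.as_deref() == Some("http") {
                match parse_version(v) {
                    Some(parsed) if parsed >= FIXED => {}
                    // Older than the fix, or unparseable: report for manual review.
                    _ => hits.push(v.to_string()),
                }
            }
        }
    }
    hits
}

fn main() {
    // Constructed sample lockfile, not taken from any shipped package.
    let sample = r#"
[[package]]
name = "http"
version = "0.1.19"

[[package]]
name = "http"
version = "0.2.8"
"#;
    for v in vulnerable_http_versions(sample) {
        println!("http {} predates 0.1.20 (CVE-2019-25009)", v);
    }
}
```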