Bug 1180577 (CVE-2020-35919) - VUL-0: CVE-2020-35919: rust: An issue with the std::net::SocketAddr memory representation was discovered in the net2 crate before 0.2.36 for Rust.
Summary: VUL-0: CVE-2020-35919: rust: An issue with the std::net::SocketAddr memor...
Status: RESOLVED INVALID
Alias: CVE-2020-35919
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium : Minor
Target Milestone: ---
Assignee: William Brown
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/274405/
Whiteboard: CVSSv3.1:SUSE:CVE-2020-35919:5.9:(AV:...
Reported: 2021-01-05 13:17 UTC by Robert Frohl
Modified: 2022-10-26 14:15 UTC
Found By: Security Response Team
Description Robert Frohl 2021-01-05 13:17:23 UTC
CVE-2020-35919

An issue was discovered in the net2 crate before 0.2.36 for Rust. It has false
expectations about the std::net::SocketAddr memory representation.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-35919
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35919
https://rustsec.org/advisories/RUSTSEC-2020-0078.html
Comment 1 Robert Frohl 2021-01-05 13:18:00 UTC
rust embeds net2 0.2.33, tracking these codestreams as affected:

- SUSE:SLE-15:Update/rust
- SUSE:SLE-15-SP1:Update/rust
Comment 2 Scott Reeves 2021-03-02 18:40:46 UTC
Can you take this Federico...
Comment 5 Thomas Leroy 2022-08-31 13:37:08 UTC
Reassigning to William.
Again, seems that this affects a provided crate but not rust itself.
Comment 6 William Brown 2022-09-01 03:49:48 UTC
No packages are affected by this vulnerability, this can be closed.
Comment 9 Carlos López 2022-10-26 14:15:41 UTC
There was no separate advisory for the Rust toolchain, so it is not affected.

None of the Rust packages we ship embed net2 on version 0.2.36 or lower, so nothing to fix. Closing.
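
Added example, not part of the bug thread or of any SUSE tooling: one way to check a package's Cargo.lock for a net2 release before 0.2.36, the fixed version named in the CVE description. The lockfile text is constructed, and the helper names `field`, `parse_version` and `vulnerable_net2` are hypothetical.

```rust
// Added example (not from the bug thread): flag net2 entries in Cargo.lock text
// that predate 0.2.36, the fixed release named in the CVE description.
const FIXED: (u64, u64, u64) = (0, 2, 36);

// Constructed sample lockfile, for illustration only.
const SAMPLE_LOCK: &str = r#"
version = 3

[[package]]
name = "net2"
version = "0.2.33"

[[package]]
name = "net2"
version = "0.2.37"
"#;

/// Extract the value from a `key = "value"` line.
fn field<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let rest = line.strip_prefix(key)?.trim_start().strip_prefix('=')?;
    Some(rest.trim().trim_matches('"'))
}

/// Parse "major.minor.patch"; pre-release and build suffixes are ignored.
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c: char| c == '-' || c == '+').next()?;
    let mut it = core.split('.').map(|p| p.parse::<u64>().ok());
    Some((it.next()??, it.next()??, it.next()??))
}

/// Versions of `net2` in the lockfile that are older than FIXED (or unparseable).
fn vulnerable_net2(lock: &str) -> Vec<String> {
    let (mut hits, mut name) = (Vec::new(), None);
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" { name = None; }
        else if let Some(v) = field(line, "name") { name = Some(v); }
        else if let Some(v) = field(line, "version") {
            let fixed = parse_version(v).map_or(false, |ver| ver >= FIXED);
            if name == Some("net2") && !fixed { hits.push(v.to_string()); }
        }
    }
    hits
}

fn main() {
    for v in vulnerable_net2(SAMPLE_LOCK) {
        println!("net2 {} predates the fixed release 0.2.36", v);
    }
}
```

Vendored or embedded copies of a crate carry their own lockfile, so the check has to run against each Cargo.lock a package ships, not only the top-level one.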