Bug 1184600 (CVE-2021-28877) - VUL-0: CVE-2021-28877: rust: memory safety violation in the Zip implementation for nested iter::Zips
Summary: VUL-0: CVE-2021-28877: rust: memory safety violation in the Zip implementatio...
Status: RESOLVED FIXED
Alias: CVE-2021-28877
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Minor
Target Milestone: ---
Assignee: William Brown
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/281614/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-28877:7.5:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2021-04-12 08:57 UTC by Robert Frohl
Modified: 2022-01-21 12:54 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Frohl 2021-04-12 08:57:04 UTC 
CVE-2021-28877

In the standard library in Rust before 1.51.0, the Zip implementation calls
__iterator_get_unchecked() for the same index more than once when nested. This
bug can lead to a memory safety violation due to an unmet safety requirement for
the TrustedRandomAccess trait.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-28877
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28877
https://github.com/rust-lang/rust/pull/80670
Comment 1 Robert Frohl 2021-04-12 09:33:05 UTC 
tracking as affected:

- SUSE:SLE-15:Update/rust
- SUSE:SLE-15-SP1:Update/rust

already fixed in openSUSE:Factory
Comment 2 Robert Frohl 2022-01-21 12:54:59 UTC 
Does not affect any supported version anymore. Updated tracking. Closing