Bug 1184603 (CVE-2021-28878) - VUL-0: CVE-2021-28878: rust: memory safety violation in the Zip implementation related to next_back() and next()
Status: RESOLVED FIXED
Alias: CVE-2021-28878
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P4 - Low : Minor
Target Milestone: ---
Assignee: William Brown
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/281615/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-28878:7.5:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2021-04-12 09:37 UTC by Robert Frohl
Modified: 2022-01-21 12:57 UTC
CC List: 4 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
QA reproducer (424 bytes, text/rust), 2021-04-12 11:31 UTC, Robert Frohl

Description Robert Frohl 2021-04-12 09:37:08 UTC
CVE-2021-28878

In the standard library in Rust before 1.52.0, the Zip implementation calls
__iterator_get_unchecked() more than once for the same index (under certain
conditions) when next_back() and next() are used together. This bug could lead
to a memory safety violation due to an unmet safety requirement for the
TrustedRandomAccess trait.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-28878
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28878
https://github.com/rust-lang/rust/issues/82291
https://github.com/rust-lang/rust/pull/82292
Comment 1 Robert Frohl 2021-04-12 11:21:09 UTC
Tracking as affected:

- SUSE:SLE-15:Update/rust
- SUSE:SLE-15-SP1:Update/rust

Also still a problem in openSUSE:Factory.
Comment 2 Robert Frohl 2021-04-12 11:31:15 UTC
Created attachment 848244
QA reproducer

> rustc CVE-2021-28878.rs && ./CVE-2021-28878

Strange, changing output like 'z4' or no text at all. Fixed Rust should return 'aaaa', see [0].

[0] https://play.rust-lang.org/?version=nightly&mode=release&edition=2018&gist=196385a61f316746f71e9a59aa68d6e7
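Added example, not the attached QA reproducer and not code from the Rust project: a regression check for the contract quoted in the description (an iterator that is TrustedRandomAccess must never have the same index materialised twice) in the spirit of the reproducer in Comment 2. It zips two Map<vec::IntoIter<usize>> iterators whose closures count how often each index runs, drives the Zip through front and back calls, and fails if any counter exceeds 1 or a yielded pair is wrong. It goes beyond the single interleaving in the description by enumerating every next()/next_back() sequence for all length combinations up to a small bound, so a fixed toolchain (1.52.0 or later) should report every case passing. The names Op, check_zip and exhaustive_check are the example's own; it relies only on the public Iterator API, and with Copy items a double access surfaces as a count of 2 rather than as memory corruption.

```rust
// Added regression check (not the bug's attachment): drive Zip through mixed
// next()/next_back() calls and count how often each element's map closure runs.
use std::cell::RefCell;

/// One call made on the zipped iterator (name is the example's own).
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Op {
    Next,
    NextBack,
}

/// Zip `a_len` elements with `b_len` elements, apply `ops` in order and return the
/// pairs actually yielded. Fails if any element of either side was materialised more
/// than once, or if a yielded pair is not `(i, i)` with `i < min(a_len, b_len)`.
pub fn check_zip(a_len: usize, b_len: usize, ops: &[Op]) -> Result<Vec<(usize, usize)>, String> {
    // Hit counters, one slot per index; the map closures below share them by reference.
    let a_hits = RefCell::new(vec![0usize; a_len]);
    let b_hits = RefCell::new(vec![0usize; b_len]);
    let yielded = {
        // `Map<vec::IntoIter<usize>, _>`: a random-access source whose closure is a
        // visible side effect per index, so a double access shows up as a count of 2
        // (the items are Copy) instead of as memory corruption.
        let a = (0..a_len).collect::<Vec<_>>().into_iter().map(|i| {
            a_hits.borrow_mut()[i] += 1;
            i
        });
        let b = (0..b_len).collect::<Vec<_>>().into_iter().map(|i| {
            b_hits.borrow_mut()[i] += 1;
            i
        });
        let mut zip = a.zip(b);
        let mut out = Vec::new();
        for op in ops {
            let item = match op {
                Op::Next => zip.next(),
                Op::NextBack => zip.next_back(),
            };
            if let Some(pair) = item {
                out.push(pair);
            }
        }
        out // `zip` and its closures are dropped at the end of this block
    };
    for (side, hits) in [("a", &a_hits), ("b", &b_hits)] {
        let hits = hits.borrow();
        if let Some(i) = hits.iter().position(|&h| h > 1) {
            return Err(format!("{side}[{i}] was accessed {} times", hits[i]));
        }
    }
    let min_len = a_len.min(b_len);
    for &(i, j) in &yielded {
        if i != j || i >= min_len {
            return Err(format!("unexpected pair ({i}, {j})"));
        }
    }
    Ok(yielded)
}

/// Enumerate every (a_len, b_len) up to `max_len` and every front/back call sequence
/// long enough to run past both ends; return the number of cases that passed.
pub fn exhaustive_check(max_len: usize) -> Result<usize, String> {
    let mut cases = 0;
    for a_len in 0..=max_len {
        for b_len in 0..=max_len {
            let n_ops = a_len + b_len + 2;
            for mask in 0u32..(1u32 << n_ops) {
                // Bit k of `mask` selects next_back() for call k, next() otherwise.
                let ops: Vec<Op> = (0..n_ops)
                    .map(|k| if (mask >> k) & 1 == 1 { Op::NextBack } else { Op::Next })
                    .collect();
                check_zip(a_len, b_len, &ops)
                    .map_err(|e| format!("a_len={a_len} b_len={b_len} ops={ops:?}: {e}"))?;
                cases += 1;
            }
        }
    }
    Ok(cases)
}

fn main() {
    // The shape from the description: run the longer side past the end with next(),
    // then come back from the rear with next_back().
    match check_zip(3, 1, &[Op::Next, Op::Next, Op::NextBack]) {
        Ok(pairs) => println!("targeted case OK, yielded {pairs:?}"),
        Err(e) => println!("targeted case FAILED: {e}"),
    }
    match exhaustive_check(3) {
        Ok(n) => println!("{n} interleavings passed"),
        Err(e) => println!("violation: {e}"),
    }
}
```

Compile and run it with the toolchain under test (rustc then execute, as in Comment 2); a toolchain with the fix prints "900 interleavings passed" for the bound of 3, and any counter above 1 is reported with the exact length pair and call sequence that produced it.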
Comment 3 William Brown 2021-06-01 01:24:06 UTC
openSUSE:Factory should be resolved now, as we have updated to 1.52.0.

For SLE-15/SLE-15-SP1 I'm not sure of the best approach here. This issue in zip is a really really really niche case that requires someone to have used zip in a really weird way.

We can't update to 1.52 in SLE-15 right now because of the requirements of Firefox to be on 1.43 (I think it is). In SP4 we are aiming to move to parallel rust versions https://en.opensuse.org/Parallel_Rust_Versions_Roadmap which will mean we can have > 1.52 for almost everything except Firefox.


I think that this is a really low risk issue. I think I'd want to see evidence of the incorrect usage of zip in the calling application, and then we can decide to backport to rust or if we just patch the affected libraries instead. 

I.e., it would be a lot of work to resolve this, for an issue that is extremely unlikely to be hit outside of pathological cases.
Comment 4 Robert Frohl 2022-01-21 12:57:16 UTC
Does not affect any supported version anymore. Updated tracking. Closing.