Bug 1184602 (CVE-2021-28879) - VUL-0: CVE-2021-28879: rust: integer overflow in the Zip implementation
Summary: VUL-0: CVE-2021-28879: rust: integer overflow in the Zip implementation
Status: RESOLVED FIXED
Alias: CVE-2021-28879
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Minor
Target Milestone: ---
Assignee: William Brown
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/281616/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-28879:7.5:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2021-04-12 09:35 UTC by Robert Frohl
Modified: 2022-01-21 12:55 UTC (History)
3 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Frohl 2021-04-12 09:35:35 UTC 
CVE-2021-28879

In the standard library in Rust before 1.52.0, the Zip implementation can report
an incorrect size due to an integer overflow. This bug can lead to a buffer
overflow when a consumed Zip iterator is used again.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-28879
https://github.com/rust-lang/rust/issues/82282
https://github.com/rust-lang/rust/pull/82289
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28879
Comment 1 Robert Frohl 2021-04-12 09:48:04 UTC 
tracking as affected:

- SUSE:SLE-15:Update/rust
- SUSE:SLE-15-SP1:Update/rust

Also an issue for openSUSE:Factory/rust
Comment 2 Robert Frohl 2022-01-21 12:55:49 UTC 
Does not affect any supported version anymore. Updated tracking. Closing