Bug 1194119 (CVE-2021-45710)

Summary: VUL-1: CVE-2021-45710: rust1.55, rust1.53, rust1.56, rust, rust1.54, rust1.43: segmentation fault due to data race in tokio crate
Product: [Novell Products] SUSE Security Incidents
Reporter: Thomas Leroy <thomas.leroy>
Component: Incidents
Assignee: E-mail List <gnome-bugs>
Status: NEW ---
QA Contact: Security Team bot <security-team>
Severity: Minor
Priority: P4 - Low
CC: alarrosa, dmitry, meissner, thomas.leroy, william.brown
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/319074/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-45710:3.3:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on: 1203771, 1203772, 1203774
Bug Blocks:

Description Thomas Leroy 2021-12-28 17:00:59 UTC
CVE-2021-45710

An issue was discovered in the tokio crate before 1.8.4, and 1.9.x through
1.13.x before 1.13.1, for Rust. In certain circumstances involving a closed
oneshot channel, there is a data race and memory corruption.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-45710
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45710
https://rustsec.org/advisories/RUSTSEC-2021-0124.html
https://raw.githubusercontent.com/rustsec/advisory-db/main/crates/tokio/RUSTSEC-2021-0124.md
Comment 1 Thomas Leroy 2021-12-28 17:10:14 UTC
After investigations, it seems that the following codestreams ship a vulnerable version of the tokio crate:

SUSE:SLE-15:Update/rust          tokio v0.2.24
SUSE:SLE-15-SP1:Update/rust      tokio v0.2.24
SUSE:SLE-15-SP3:Update/rust1.43  tokio v0.1.22
SUSE:SLE-15-SP3:Update/rust1.53  tokio v0.2.24
SUSE:SLE-15-SP3:Update/rust1.54  tokio v0.2.24
SUSE:SLE-15-SP3:Update/rust1.55  tokio v1.8.2
openSUSE:Factory/rust1.55        tokio v1.8.2
openSUSE:Factory/rust1.56        tokio v1.8.2
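
The triage step in comment 1, as an added example that is not part of the original bug report: it checks listing rows in the comment's format against the affected ranges exactly as the description words them ("before 1.8.4, and 1.9.x through 1.13.x before 1.13.1"). The function names, the `AFFECTED` table and the `example:constructed/...` rows are assumptions made for illustration; versions are compared as integer tuples because a plain string comparison would sort 1.10.1 before 1.9.0.

```python
import re

# Affected ranges as worded in the bug description, expressed as
# half-open intervals [low, high) over (major, minor, patch) tuples.
AFFECTED = [((0, 0, 0), (1, 8, 4)), ((1, 9, 0), (1, 13, 1))]

# Row format used in comment 1: "<codestream>/<package>  tokio v<x.y.z>"
ROW = re.compile(r"^(?P<stream>\S+)\s+tokio v(?P<ver>\d+\.\d+\.\d+)$")


def parse_version(text):
    """Turn '1.8.2' into (1, 8, 2) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def is_affected(version):
    """True if the version tuple falls inside one of the affected ranges."""
    return any(low <= version < high for low, high in AFFECTED)


def triage(listing):
    """Return [(codestream, version string, affected?)] for each row."""
    results = []
    for line in listing.splitlines():
        line = line.strip()
        if not line:
            continue
        match = ROW.match(line)
        if match is None:
            # Fail loudly: a silently skipped row is a missed package.
            raise ValueError(f"unrecognised row: {line!r}")
        ver = match["ver"]
        results.append((match["stream"], ver, is_affected(parse_version(ver))))
    return results


# The first three rows are copied from comment 1; the "example:" rows are
# constructed to exercise the boundaries of the two ranges.
SAMPLE = """
SUSE:SLE-15-SP3:Update/rust1.43  tokio v0.1.22
SUSE:SLE-15-SP3:Update/rust1.53  tokio v0.2.24
openSUSE:Factory/rust1.55        tokio v1.8.2
example:constructed/pkg-a        tokio v1.8.4
example:constructed/pkg-b        tokio v1.9.0
example:constructed/pkg-c        tokio v1.13.1
"""

if __name__ == "__main__":
    for stream, ver, hit in triage(SAMPLE):
        print(f"{'AFFECTED' if hit else 'ok':8}  {stream}  tokio {ver}")
```
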
Comment 2 William Brown 2022-01-05 02:53:13 UTC
I have started an obs audit run to see what may be affected and will contact maintainers for updates.
Comment 3 William Brown 2022-01-06 05:40:46 UTC
- the following pkgs need SECURITY updates to address RUSTSEC-2021-0124
osc bco network:ldap/389-ds
osc bco devel:languages:rust/cargo-audit
osc bco devel:kubic:ignition/afterburn
osc bco network:utilities/rustscan
osc bco devel:languages:rust/sccache
osc bco X11:Wayland/tuigreet
osc bco devel:languages:rust/rustup
osc bco mozilla:Factory/mozjs78
osc bco utilities/tealdeer
osc bco GNOME:Apps/fractal
osc bco multimedia:apps/spotifyd
osc bco network:idm/kanidm
osc bco X11:Wayland/greetd


osc bco multimedia:libs/gstreamer-plugins-rs
osc bco devel:languages:rust/cargo-c
osc bco Publishing/svgcleaner
osc bco security/rsign2
osc bco devel:languages:rust/rust-packaging
osc bco multimedia:libs/rav1e
Comment 4 William Brown 2022-01-07 01:40:24 UTC
osc bco GNOME:Apps/fractal
osc bco mozilla:Factory/mozjs78

Will require the relevant maintainers to resolve. All others I have submitted updates or am about to submit updates for.
Comment 5 William Brown 2022-01-07 01:41:07 UTC
osc bco Publishing/svgcleaner

My apologies, wrong paste buffer. This is the only package that needs the maintainer to be contacted.
Comment 6 William Brown 2022-01-07 04:27:26 UTC
osc bco multimedia:libs/gstreamer-plugins-rs

Will also need the maintainer to be involved.
Comment 7 Thomas Leroy 2022-01-07 08:23:15 UTC
Thank you very much William for the investigation! So, only Publishing/svgcleaner and multimedia:libs/gstreamer-plugins-rs maintainers need to be contacted, right?
Comment 8 William Brown 2022-01-10 00:22:52 UTC
Yep, that's correct!
Comment 10 Thomas Leroy 2022-01-14 14:33:04 UTC
I can see that we ship gstreamer-plugins-rs only in openSUSE:Factory.
@Antonio, could it be possible to upgrade the tokio version of gstreamer-plugins-rs in openSUSE:Factory?

However, I can't see any trace of tokio in svgcleaner, either in vendor or Cargo files. Are you sure, William, that svgcleaner is affected?
Comment 13 Antonio Larrosa 2022-01-17 16:11:50 UTC
(In reply to Thomas Leroy from comment #10)
> @Antonio, could it be possible to upgrade the tokio version of
> gstreamer-plugins-rs in openSUSE:Factory?
> 

Hi, I just submitted an update of gstreamer-plugins-rs (https://build.opensuse.org/request/show/947016) and it's now using tokio 1.15.0 instead of a mixture of tokio 0.2.13 and tokio 1.10.1.

BTW, jfyi, I'll probably submit gstreamer-plugins-rs to SLE-15-SP4 soon, but if I do, I'll submit this new version so I don't think that will be a problem.
Comment 16 Marcus Meissner 2022-09-22 13:37:09 UTC
SUSE:SLE-15-SP3:Update,389-ds,tokio,1.15.0
SUSE:SLE-15-SP3:Update:Products:MicroOS52:Update,afterburn,tokio,1.15.0
SUSE:SLE-15-SP3:Update,rustup,tokio,1.12.0
SUSE:SLE-15-SP3:Update,sccache,tokio,0.1.22
SUSE:SLE-15-SP3:Update,sccache,tokio,0.2.25
SUSE:SLE-15-SP4:Update,389-ds,tokio,1.20.0
SUSE:SLE-15-SP4:Update,389-ds,tokio,1.20.1
SUSE:SLE-15-SP4:Update,aws-nitro-enclaves-cli,tokio,1.15.0
SUSE:SLE-15-SP4:Update,gstreamer-plugins-rs,tokio,1.17.0
SUSE:SLE-15-SP4:Update,rustup,tokio,1.12.0
SUSE:SLE-15-SP4:Update,sccache,tokio,0.1.22
SUSE:SLE-15-SP4:Update,sccache,tokio,0.2.25
Comment 17 William Brown 2022-09-26 05:30:34 UTC
(In reply to Marcus Meissner from comment #16)

I am not the owner of the following, and their respective maintainers will need to be contacted to have these updated.

> SUSE:SLE-15-SP3:Update:Products:MicroOS52:Update,afterburn,tokio,1.15.0
> SUSE:SLE-15-SP4:Update,aws-nitro-enclaves-cli,tokio,1.15.0
> SUSE:SLE-15-SP4:Update,gstreamer-plugins-rs,tokio,1.17.0

I am the owner of the following and will update them ASAP.

> SUSE:SLE-15-SP3:Update,389-ds,tokio,1.15.0
> SUSE:SLE-15-SP3:Update,rustup,tokio,1.12.0
> SUSE:SLE-15-SP3:Update,sccache,tokio,0.1.22
> SUSE:SLE-15-SP3:Update,sccache,tokio,0.2.25
> SUSE:SLE-15-SP4:Update,389-ds,tokio,1.20.0
> SUSE:SLE-15-SP4:Update,389-ds,tokio,1.20.1
> SUSE:SLE-15-SP4:Update,rustup,tokio,1.12.0
> SUSE:SLE-15-SP4:Update,sccache,tokio,0.1.22
> SUSE:SLE-15-SP4:Update,sccache,tokio,0.2.25
Comment 20 Marcus Meissner 2022-09-27 07:51:27 UTC
I opened separate bugs for afterburn, aws-nitro-enclaves-cli and gstreamer-plugins-rs.
Comment 27 Swamp Workflow Management 2022-11-11 20:48:33 UTC
SUSE-SU-2022:3949-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1194119,1196972
CVE References: CVE-2021-45710,CVE-2022-24713
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    rustup-1.25.1~0-150300.7.13.2
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    rustup-1.25.1~0-150300.7.13.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 28 Swamp Workflow Management 2022-11-15 20:28:49 UTC
SUSE-SU-2022:3996-1: An update that solves one vulnerability and has three fixes is now available.

Category: security (low)
Bug References: 1194119,1204493,1204748,1205146
CVE References: CVE-2021-45710
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    389-ds-2.0.16~git56.d15a0a7-150400.3.15.1
SUSE Linux Enterprise Module for Server Applications 15-SP4 (src):    389-ds-2.0.16~git56.d15a0a7-150400.3.15.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 29 Swamp Workflow Management 2022-11-18 17:23:41 UTC
SUSE-SU-2022:4073-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1181400,1194119,1196972
CVE References: CVE-2021-45710,CVE-2022-24713
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    sccache-0.3.0~git5.14a4b8b-150300.7.9.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    sccache-0.3.0~git5.14a4b8b-150300.7.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 30 Swamp Workflow Management 2022-11-18 23:28:24 UTC
SUSE-SU-2022:4124-1: An update that solves one vulnerability and has three fixes is now available.

Category: security (low)
Bug References: 1194119,1204493,1204748,1205146
CVE References: CVE-2021-45710
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    389-ds-1.4.4.19~git59.136fc84-150300.3.27.1
SUSE Linux Enterprise Module for Server Applications 15-SP3 (src):    389-ds-1.4.4.19~git59.136fc84-150300.3.27.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 39 Maintenance Automation 2023-09-05 12:41:52 UTC
SUSE-SU-2023:3526-1: An update that solves four vulnerabilities and has one security fix can now be installed.

Category: security (important)
Bug References: 1181400, 1194119, 1196972, 1208553, 1212407
CVE References: CVE-2021-45710, CVE-2022-24713, CVE-2022-31394, CVE-2023-1521
Sources used:
openSUSE Leap 15.4 (src): sccache-0.4.2~3-150400.3.3.1
openSUSE Leap 15.5 (src): sccache-0.4.2~3-150400.3.3.1
Development Tools Module 15-SP4 (src): sccache-0.4.2~3-150400.3.3.1
Development Tools Module 15-SP5 (src): sccache-0.4.2~3-150400.3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 42 OBSbugzilla Bot 2023-12-18 09:35:05 UTC
This is an autogenerated message for OBS integration:
This bug (1194119) was mentioned in
https://build.opensuse.org/request/show/1133800 Backports:SLE-15-SP5 / kanidm
Comment 43 OBSbugzilla Bot 2024-06-13 05:35:03 UTC
This is an autogenerated message for OBS integration:
This bug (1194119) was mentioned in
https://build.opensuse.org/request/show/1180285 Backports:SLE-15-SP6 / kanidm
Comment 44 OBSbugzilla Bot 2024-08-07 07:05:03 UTC
This is an autogenerated message for OBS integration:
This bug (1194119) was mentioned in
https://build.opensuse.org/request/show/1192072 Backports:SLE-15-SP6 / kanidm
Comment 45 OBSbugzilla Bot 2024-08-08 03:45:04 UTC
This is an autogenerated message for OBS integration:
This bug (1194119) was mentioned in
https://build.opensuse.org/request/show/1192441 Backports:SLE-15-SP6 / kanidm
Comment 46 OBSbugzilla Bot 2024-08-10 01:35:03 UTC
This is an autogenerated message for OBS integration:
This bug (1194119) was mentioned in
https://build.opensuse.org/request/show/1193079 Backports:SLE-15-SP6 / kanidm
Comment 47 OBSbugzilla Bot 2024-08-20 03:45:05 UTC
This is an autogenerated message for OBS integration:
This bug (1194119) was mentioned in
https://build.opensuse.org/request/show/1194807 Backports:SLE-15-SP6 / kanidm
Comment 50 Marcus Meissner 2024-09-09 16:04:53 UTC
openSUSE-SU-2024:0294-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1191031,1194119,1196972,1210356
CVE References: CVE-2021-45710,CVE-2022-24713,CVE-2023-26964
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP6 (src):    kanidm-1.3.3~git0.f075d13-bp156.4.1