Bugzilla – Full Text Bug Listing |
Summary: | VUL-1: CVE-2021-45710: rust1.55, rust1.53, rust1.56, rust, rust1.54, rust1.43: segmentation fault due to data race in tokio crate | ||
---|---|---|---|
Product: | [Novell Products] SUSE Security Incidents | Reporter: | Thomas Leroy <thomas.leroy> |
Component: | Incidents | Assignee: | E-mail List <gnome-bugs> |
Status: | NEW --- | QA Contact: | Security Team bot <security-team> |
Severity: | Minor | ||
Priority: | P4 - Low | CC: | alarrosa, dmitry, meissner, thomas.leroy, william.brown |
Version: | unspecified | ||
Target Milestone: | --- | ||
Hardware: | Other | ||
OS: | Other | ||
URL: | https://smash.suse.de/issue/319074/ | ||
Whiteboard: | CVSSv3.1:SUSE:CVE-2021-45710:3.3:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) | ||
Found By: | Security Response Team | Services Priority: | |
Business Priority: | | Blocker: | --- |
Marketing QA Status: | --- | IT Deployment: | --- |
Bug Depends on: | 1203771, 1203772, 1203774 | ||
Bug Blocks: |
Description
Thomas Leroy
2021-12-28 17:00:59 UTC
After investigations, it seems that the following codestreams ship a vulnerable version of the tokio crate:

SUSE:SLE-15:Update/rust tokio v0.2.24
SUSE:SLE-15-SP1:Update/rust tokio v0.2.24
SUSE:SLE-15-SP3:Update/rust1.43 tokio v0.1.22
SUSE:SLE-15-SP3:Update/rust1.53 tokio v0.2.24
SUSE:SLE-15-SP3:Update/rust1.54 tokio v0.2.24
SUSE:SLE-15-SP3:Update/rust1.55 tokio v1.8.2
openSUSE:Factory/rust1.55 tokio v1.8.2
openSUSE:Factory/rust1.56 tokio v1.8.2

I have started an obs audit run to see what may be affected and will contact maintainers for updates.

- the following pkgs need SECURITY updates to address RUSTSEC-2021-0124

osc bco network:ldap/389-ds
osc bco devel:languages:rust/cargo-audit
osc bco devel:kubic:ignition/afterburn
osc bco network:utilities/rustscan
osc bco devel:languages:rust/sccache
osc bco X11:Wayland/tuigreet
osc bco devel:languages:rust/rustup
osc bco mozilla:Factory/mozjs78
osc bco utilities/tealdeer
osc bco GNOME:Apps/fractal
osc bco multimedia:apps/spotifyd
osc bco network:idm/kanidm
osc bco X11:Wayland/greetd
osc bco multimedia:libs/gstreamer-plugins-rs
osc bco devel:languages:rust/cargo-c
osc bco Publishing/svgcleaner
osc bco security/rsign2
osc bco devel:languages:rust/rust-packaging
osc bco multimedia:libs/rav1e

osc bco GNOME:Apps/fractal
osc bco mozilla:Factory/mozjs78

Will require the relevant maintainers to resolve. All others I have submitted updates or am about to submit updates for.

osc bco Publishing/svgcleaner

My apologies, wrong paste buffer. This is the only package that needs the maintainer to be contacted.

osc bco multimedia:libs/gstreamer-plugins-rs

Will also need the maintainer to be involved.

Thank you very much William for the investigation! So, only Publishing/svgcleaner and multimedia:libs/gstreamer-plugins-rs maintainers need to be contacted, right?

Yep, that's correct!

I can see that we ship gstreamer-plugins-rs only in openSUSE:Factory.
@Antonio, could it be possible to upgrade the tokio version of gstreamer-plugins-rs in openSUSE:Factory?

However, I can't see any track of tokio in svgcleaner, either in vendor and Cargo files. Are you sure William that svgcleaner is affected?

(In reply to Thomas Leroy from comment #10)
> @Antonio, could it be possible to upgrade the tokio version of
> gstreamer-plugins-rs in openSUSE:Factory?
>

Hi, I just submitted an update of gstreamer-plugins-rs (https://build.opensuse.org/request/show/947016) and it's now using tokio 1.15.0 instead of a mixture of tokio 0.2.13 and tokio 1.10.1.

BTW, jfyi, I'll probably submit gstreamer-plugins-rs to SLE-15-SP4 soon, but if I do, I'll submit this new version so I don't think that will be a problem.

SUSE:SLE-15-SP3:Update,389-ds,tokio,1.15.0
SUSE:SLE-15-SP3:Update:Products:MicroOS52:Update,afterburn,tokio,1.15.0
SUSE:SLE-15-SP3:Update,rustup,tokio,1.12.0
SUSE:SLE-15-SP3:Update,sccache,tokio,0.1.22
SUSE:SLE-15-SP3:Update,sccache,tokio,0.2.25
SUSE:SLE-15-SP4:Update,389-ds,tokio,1.20.0
SUSE:SLE-15-SP4:Update,389-ds,tokio,1.20.1
SUSE:SLE-15-SP4:Update,aws-nitro-enclaves-cli,tokio,1.15.0
SUSE:SLE-15-SP4:Update,gstreamer-plugins-rs,tokio,1.17.0
SUSE:SLE-15-SP4:Update,rustup,tokio,1.12.0
SUSE:SLE-15-SP4:Update,sccache,tokio,0.1.22
SUSE:SLE-15-SP4:Update,sccache,tokio,0.2.25

(In reply to Marcus Meissner from comment #16)

I am not the owner of the following, and their respective maintainers will need to be contacted to have these updated.

> SUSE:SLE-15-SP3:Update:Products:MicroOS52:Update,afterburn,tokio,1.15.0
> SUSE:SLE-15-SP4:Update,aws-nitro-enclaves-cli,tokio,1.15.0
> SUSE:SLE-15-SP4:Update,gstreamer-plugins-rs,tokio,1.17.0

I am the owner of the following and will update them ASAP.
> SUSE:SLE-15-SP3:Update,389-ds,tokio,1.15.0
> SUSE:SLE-15-SP3:Update,rustup,tokio,1.12.0
> SUSE:SLE-15-SP3:Update,sccache,tokio,0.1.22
> SUSE:SLE-15-SP3:Update,sccache,tokio,0.2.25
> SUSE:SLE-15-SP4:Update,389-ds,tokio,1.20.0
> SUSE:SLE-15-SP4:Update,389-ds,tokio,1.20.1
> SUSE:SLE-15-SP4:Update,rustup,tokio,1.12.0
> SUSE:SLE-15-SP4:Update,sccache,tokio,0.1.22
> SUSE:SLE-15-SP4:Update,sccache,tokio,0.2.25

I opened separate bugs for afterburn, aws-nitro-enclaves-cli and gstreamer-plugins-rs

SUSE-SU-2022:3949-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1194119,1196972
CVE References: CVE-2021-45710,CVE-2022-24713
JIRA References:
Sources used:
openSUSE Leap 15.3 (src): rustup-1.25.1~0-150300.7.13.2
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src): rustup-1.25.1~0-150300.7.13.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2022:3996-1: An update that solves one vulnerability and has three fixes is now available.

Category: security (low)
Bug References: 1194119,1204493,1204748,1205146
CVE References: CVE-2021-45710
JIRA References:
Sources used:
openSUSE Leap 15.4 (src): 389-ds-2.0.16~git56.d15a0a7-150400.3.15.1
SUSE Linux Enterprise Module for Server Applications 15-SP4 (src): 389-ds-2.0.16~git56.d15a0a7-150400.3.15.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2022:4073-1: An update that solves two vulnerabilities and has one errata is now available.
Category: security (moderate)
Bug References: 1181400,1194119,1196972
CVE References: CVE-2021-45710,CVE-2022-24713
JIRA References:
Sources used:
openSUSE Leap 15.3 (src): sccache-0.3.0~git5.14a4b8b-150300.7.9.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src): sccache-0.3.0~git5.14a4b8b-150300.7.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2022:4124-1: An update that solves one vulnerability and has three fixes is now available.

Category: security (low)
Bug References: 1194119,1204493,1204748,1205146
CVE References: CVE-2021-45710
JIRA References:
Sources used:
openSUSE Leap 15.3 (src): 389-ds-1.4.4.19~git59.136fc84-150300.3.27.1
SUSE Linux Enterprise Module for Server Applications 15-SP3 (src): 389-ds-1.4.4.19~git59.136fc84-150300.3.27.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2023:3526-1: An update that solves four vulnerabilities and has one security fix can now be installed.

Category: security (important)
Bug References: 1181400, 1194119, 1196972, 1208553, 1212407
CVE References: CVE-2021-45710, CVE-2022-24713, CVE-2022-31394, CVE-2023-1521
Sources used:
openSUSE Leap 15.4 (src): sccache-0.4.2~3-150400.3.3.1
openSUSE Leap 15.5 (src): sccache-0.4.2~3-150400.3.3.1
Development Tools Module 15-SP4 (src): sccache-0.4.2~3-150400.3.3.1
Development Tools Module 15-SP5 (src): sccache-0.4.2~3-150400.3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
This is an autogenerated message for OBS integration: This bug (1194119) was mentioned in https://build.opensuse.org/request/show/1133800 Backports:SLE-15-SP5 / kanidm

This is an autogenerated message for OBS integration: This bug (1194119) was mentioned in https://build.opensuse.org/request/show/1180285 Backports:SLE-15-SP6 / kanidm

This is an autogenerated message for OBS integration: This bug (1194119) was mentioned in https://build.opensuse.org/request/show/1192072 Backports:SLE-15-SP6 / kanidm

This is an autogenerated message for OBS integration: This bug (1194119) was mentioned in https://build.opensuse.org/request/show/1192441 Backports:SLE-15-SP6 / kanidm

This is an autogenerated message for OBS integration: This bug (1194119) was mentioned in https://build.opensuse.org/request/show/1193079 Backports:SLE-15-SP6 / kanidm

This is an autogenerated message for OBS integration: This bug (1194119) was mentioned in https://build.opensuse.org/request/show/1194807 Backports:SLE-15-SP6 / kanidm

openSUSE-SU-2024:0294-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1191031,1194119,1196972,1210356
CVE References: CVE-2021-45710,CVE-2022-24713,CVE-2023-26964
JIRA References:
Sources used:
openSUSE Backports SLE-15-SP6 (src): kanidm-1.3.3~git0.f075d13-bp156.4.1