Bugzilla – Bug 1194119
VUL-1: CVE-2021-45710: rust1.55, rust1.53, rust1.56, rust, rust1.54, rust1.43: segmentation fault due to data race in tokio crate
Last modified: 2024-09-09 16:04:53 UTC
CVE-2021-45710 An issue was discovered in the tokio crate before 1.8.4, and 1.9.x through 1.13.x before 1.13.1, for Rust. In certain circumstances involving a closed oneshot channel, there is a data race and memory corruption. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-45710 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45710 https://rustsec.org/advisories/RUSTSEC-2021-0124.html https://raw.githubusercontent.com/rustsec/advisory-db/main/crates/tokio/RUSTSEC-2021-0124.md
After investigations, it seems that the following codestreams ship a vulnerable version of the tokio crate: SUSE:SLE-15:Update/rust tokio v0.2.24 SUSE:SLE-15-SP1:Update/rust tokio v0.2.24 SUSE:SLE-15-SP3:Update/rust1.43 tokio v0.1.22 SUSE:SLE-15-SP3:Update/rust1.53 tokio v0.2.24 SUSE:SLE-15-SP3:Update/rust1.54 tokio v0.2.24 SUSE:SLE-15-SP3:Update/rust1.55 tokio v1.8.2 openSUSE:Factory/rust1.55 tokio v1.8.2 openSUSE:Factory/rust1.56 tokio v1.8.2
I have started an obs audit run to see what may be affected and will contact maintainers for updates.
- the following pkgs need SECURITY updates to address RUSTSEC-2021-0124 osc bco network:ldap/389-ds osc bco devel:languages:rust/cargo-audit osc bco devel:kubic:ignition/afterburn osc bco network:utilities/rustscan osc bco devel:languages:rust/sccache osc bco X11:Wayland/tuigreet osc bco devel:languages:rust/rustup osc bco mozilla:Factory/mozjs78 osc bco utilities/tealdeer osc bco GNOME:Apps/fractal osc bco multimedia:apps/spotifyd osc bco network:idm/kanidm osc bco X11:Wayland/greetd osc bco multimedia:libs/gstreamer-plugins-rs osc bco devel:languages:rust/cargo-c osc bco Publishing/svgcleaner osc bco security/rsign2 osc bco devel:languages:rust/rust-packaging osc bco multimedia:libs/rav1e
osc bco GNOME:Apps/fractal osc bco mozilla:Factory/mozjs78 Will require the relevant maintainers to resolve. All others I have submitted updates or am about to submit updates for.
osc bco Publishing/svgcleaner My apologies, wrong paste buffer. This is the only package that needs the maintainer to be contacted.
osc bco multimedia:libs/gstreamer-plugins-rs Will also need the maintainer to be involved.
Thank you very much William for the investigation! So, only Publishing/svgcleaner and multimedia:libs/gstreamer-plugins-rs maintainers need to be contacted, right?
Yep, that's correct!
I can see that we ship gstreamer-plugins-rs only in openSUSE:Factory. @Antonio, could it be possible to upgrade the tokio version of gstreamer-plugins-rs in openSUSE:Factory? However, I can't see any track of tokio in svgcleaner, either in vendor and Cargo files. Are you sure William that svgcleaner is affected?
(In reply to Thomas Leroy from comment #10) > @Antonio, could it be possible to upgrade the tokio version of > gstreamer-plugins-rs in openSUSE:Factory? > Hi, I just submitted an update of gstreamer-plugins-rs (https://build.opensuse.org/request/show/947016) and it's now using tokio 1.15.0 instead of a mixture of tokio 0.2.13 and tokio 1.10.1 . BTW, jfyi, I'll probably submit gstreamer-plugins-rs to SLE-15-SP4 soon, but if I do, I'll submit this new version so I don't think that will be a problem.
SUSE:SLE-15-SP3:Update,389-ds,tokio,1.15.0 SUSE:SLE-15-SP3:Update:Products:MicroOS52:Update,afterburn,tokio,1.15.0 SUSE:SLE-15-SP3:Update,rustup,tokio,1.12.0 SUSE:SLE-15-SP3:Update,sccache,tokio,0.1.22 SUSE:SLE-15-SP3:Update,sccache,tokio,0.2.25 SUSE:SLE-15-SP4:Update,389-ds,tokio,1.20.0 SUSE:SLE-15-SP4:Update,389-ds,tokio,1.20.1 SUSE:SLE-15-SP4:Update,aws-nitro-enclaves-cli,tokio,1.15.0 SUSE:SLE-15-SP4:Update,gstreamer-plugins-rs,tokio,1.17.0 SUSE:SLE-15-SP4:Update,rustup,tokio,1.12.0 SUSE:SLE-15-SP4:Update,sccache,tokio,0.1.22 SUSE:SLE-15-SP4:Update,sccache,tokio,0.2.25
(In reply to Marcus Meissner from comment #16) I am not the owner of the following, and their respective maintainers will need to be contacted to have these updated. > SUSE:SLE-15-SP3:Update:Products:MicroOS52:Update,afterburn,tokio,1.15.0 > SUSE:SLE-15-SP4:Update,aws-nitro-enclaves-cli,tokio,1.15.0 > SUSE:SLE-15-SP4:Update,gstreamer-plugins-rs,tokio,1.17.0 I am the owner of the following and will update them ASAP. > SUSE:SLE-15-SP3:Update,389-ds,tokio,1.15.0 > SUSE:SLE-15-SP3:Update,rustup,tokio,1.12.0 > SUSE:SLE-15-SP3:Update,sccache,tokio,0.1.22 > SUSE:SLE-15-SP3:Update,sccache,tokio,0.2.25 > SUSE:SLE-15-SP4:Update,389-ds,tokio,1.20.0 > SUSE:SLE-15-SP4:Update,389-ds,tokio,1.20.1 > SUSE:SLE-15-SP4:Update,rustup,tokio,1.12.0 > SUSE:SLE-15-SP4:Update,sccache,tokio,0.1.22 > SUSE:SLE-15-SP4:Update,sccache,tokio,0.2.25
I opened seperate bugs for afterburn, aws-nitro-enclaves-cli and gstreamer-plugins-rs
SUSE-SU-2022:3949-1: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 1194119,1196972 CVE References: CVE-2021-45710,CVE-2022-24713 JIRA References: Sources used: openSUSE Leap 15.3 (src): rustup-1.25.1~0-150300.7.13.2 SUSE Linux Enterprise Module for Development Tools 15-SP3 (src): rustup-1.25.1~0-150300.7.13.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:3996-1: An update that solves one vulnerability and has three fixes is now available. Category: security (low) Bug References: 1194119,1204493,1204748,1205146 CVE References: CVE-2021-45710 JIRA References: Sources used: openSUSE Leap 15.4 (src): 389-ds-2.0.16~git56.d15a0a7-150400.3.15.1 SUSE Linux Enterprise Module for Server Applications 15-SP4 (src): 389-ds-2.0.16~git56.d15a0a7-150400.3.15.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:4073-1: An update that solves two vulnerabilities and has one errata is now available. Category: security (moderate) Bug References: 1181400,1194119,1196972 CVE References: CVE-2021-45710,CVE-2022-24713 JIRA References: Sources used: openSUSE Leap 15.3 (src): sccache-0.3.0~git5.14a4b8b-150300.7.9.1 SUSE Linux Enterprise Module for Development Tools 15-SP3 (src): sccache-0.3.0~git5.14a4b8b-150300.7.9.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:4124-1: An update that solves one vulnerability and has three fixes is now available. Category: security (low) Bug References: 1194119,1204493,1204748,1205146 CVE References: CVE-2021-45710 JIRA References: Sources used: openSUSE Leap 15.3 (src): 389-ds-1.4.4.19~git59.136fc84-150300.3.27.1 SUSE Linux Enterprise Module for Server Applications 15-SP3 (src): 389-ds-1.4.4.19~git59.136fc84-150300.3.27.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3526-1: An update that solves four vulnerabilities and has one security fix can now be installed. Category: security (important) Bug References: 1181400, 1194119, 1196972, 1208553, 1212407 CVE References: CVE-2021-45710, CVE-2022-24713, CVE-2022-31394, CVE-2023-1521 Sources used: openSUSE Leap 15.4 (src): sccache-0.4.2~3-150400.3.3.1 openSUSE Leap 15.5 (src): sccache-0.4.2~3-150400.3.3.1 Development Tools Module 15-SP4 (src): sccache-0.4.2~3-150400.3.3.1 Development Tools Module 15-SP5 (src): sccache-0.4.2~3-150400.3.3.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
This is an autogenerated message for OBS integration: This bug (1194119) was mentioned in https://build.opensuse.org/request/show/1133800 Backports:SLE-15-SP5 / kanidm
This is an autogenerated message for OBS integration: This bug (1194119) was mentioned in https://build.opensuse.org/request/show/1180285 Backports:SLE-15-SP6 / kanidm
This is an autogenerated message for OBS integration: This bug (1194119) was mentioned in https://build.opensuse.org/request/show/1192072 Backports:SLE-15-SP6 / kanidm
This is an autogenerated message for OBS integration: This bug (1194119) was mentioned in https://build.opensuse.org/request/show/1192441 Backports:SLE-15-SP6 / kanidm
This is an autogenerated message for OBS integration: This bug (1194119) was mentioned in https://build.opensuse.org/request/show/1193079 Backports:SLE-15-SP6 / kanidm
This is an autogenerated message for OBS integration: This bug (1194119) was mentioned in https://build.opensuse.org/request/show/1194807 Backports:SLE-15-SP6 / kanidm
openSUSE-SU-2024:0294-1: An update that solves three vulnerabilities and has one errata is now available. Category: security (moderate) Bug References: 1191031,1194119,1196972,1210356 CVE References: CVE-2021-45710,CVE-2022-24713,CVE-2023-26964 JIRA References: Sources used: openSUSE Backports SLE-15-SP6 (src): kanidm-1.3.3~git0.f075d13-bp156.4.1