| 4 | |
| 5 | Update: 1.29.1 released with a fix for a vulnerability that affects 1.26.0 and later: |
| 6 | |
| 7 | |
| 8 | Security advisory for the standard library |
| 9 | |
| 10 | Sep 21, 2018 • The Rust Core Team |
| 11 | |
| 12 | The Rust team was recently notified of a security vulnerability affecting the standard library’s str::repeat function. When passed a large number this function has an integer overflow which can lead to an out of bounds write. If you are not using str::repeat, you are not affected. |
| 13 | |
| 14 | We’re in the process of applying for a CVE number for this vulnerability. Fixes for this issue have landed in the Rust repository for the stable/beta/master branches. Nightlies and betas with the fix will be produced tonight, and 1.29.1 will be released on 2018-09-25 with the fix for stable Rust. |
| 15 | |
| 16 | You can find the full announcement on our rustlang-security-announcements mailing list here. [https://groups.google.com/forum/#!topic/rustlang-security-announcements/CmSuTm-SaU0] |
| 17 | |
| 18 | NB - the fix is to deterministically panic if the overflow occurs. |
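
The arithmetic behind the advisory, as an added Rust example (not the standard library's source and not the actual patch). The function names are hypothetical, and `checked_mul` with `expect` is assumed as one way to get the deterministic panic; only the buffer-size calculation is shown, with no unsafe write.

```rust
// Added illustration; not the standard library's source or the actual patch.
// Function names are hypothetical. No unsafe write is performed here: only the
// buffer-size arithmetic is shown, without and with the overflow check.

/// Size computed without a check: wraps modulo 2^(pointer width).
fn unchecked_capacity(len: usize, n: usize) -> usize {
    len.wrapping_mul(n)
}

/// Safe repeat that panics deterministically when len * n overflows
/// (assumption: `checked_mul` + `expect` as the way to get that panic).
fn repeat_checked(s: &str, n: usize) -> String {
    let cap = s.len().checked_mul(n).expect("capacity overflow");
    let mut out = String::with_capacity(cap);
    for _ in 0..n {
        out.push_str(s);
    }
    out
}

/// Constructed count: the smallest n for which 3 * n no longer fits in usize.
fn overflowing_count() -> usize {
    usize::MAX / 3 + 1
}

fn main() {
    let n = overflowing_count();
    // The true requirement is 3 * n bytes; the wrapped product is tiny, so a
    // buffer sized from it would be far too small for the data copied into it.
    println!("wrapped capacity for a 3-byte str x {}: {}", n, unchecked_capacity(3, n));
    println!("{}", repeat_checked("ab", 3));
    let r = std::panic::catch_unwind(|| repeat_checked("abc", overflowing_count()));
    println!("overflowing repeat panicked: {}", r.is_err());
}
```

The gap between the wrapped size and the number of bytes actually copied is what turns the integer overflow into an out-of-bounds write; the checked multiplication stops before any allocation happens.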