Opened 4 months ago

Closed 4 months ago

#14901 closed enhancement (fixed)

librsvg-2.50.4

Reported by: Douglas R. Reno Owned by: Douglas R. Reno
Priority: elevated Milestone: 10.2
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description

New point version

News
====

Update dependent crates that had security vulnerabilities:

  futures-util to 0.3.14  - RUSTSEC-2020-0059
  futures-task to 0.3.14  - RUSTSEC-2020-0060
  generic-array to 0.13.3 - RUSTSEC-2020-0146  
  smallvec to 1.6.1       - RUSTSEC-2021-0030

There are no changes to the library code.

Change History (5)

comment:1 by Douglas R. Reno, 4 months ago

Owner: changed from blfs-book to Douglas R. Reno
Priority: normalelevated
Status: newassigned

comment:2 by Douglas R. Reno, 4 months ago

Summary: librsvg-2.48.10librsvg-2.50.4

Actually, this should be 2.50.4

comment:3 by Douglas R. Reno, 4 months ago

The release notes in the ticket description are incorrect. The correct ones:

News
====

Update dependent crates that had security vulnerabilities:

  generic-array to 0.13.3 - RUSTSEC-2020-0146

- #686 - Reduced stack usage (Sebastian Dröge).

- #698 - Add limit for too-large radiuses on the feMorphology filter (Madds H).

- #703 - Properly ignore elements in an error state inside the "switch" element.

RUSTSEC-2020-0146: https://github.com/fizyk20/generic-array/issues/98

Rust seems to keep their security advisories here: https://rustsec.org/advisories/

In our case, we're looking for RUSTSEC-2020-0146, which can be found here: https://rustsec.org/advisories/RUSTSEC-2020-0146.html

RUSTSEC-2020-0146: generic-array: arr! macro erases lifetimes
April 9, 2020
Description

Affected versions of this crate allowed unsoundly extending lifetimes using arr! macro. This may result in a variety of memory corruption scenarios, most likely use-after-free.

Since this is the first "security vulnerability in a rust crate" that we've encountered, I've sent an email to all editors on how to find the information necessary to assign a severity. In this case, I'll put Moderate in the advisory.

comment:4 by Douglas R. Reno, 4 months ago

Fixed at bbba22e568

comment:5 by Douglas R. Reno, 4 months ago

Resolution: fixed
Status: assignedclosed
Note: See TracTickets for help on using tickets.