9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
8 High
AI Score
Confidence
Low
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.017 Low
EPSS
Percentile
87.6%
Issue Overview:
In the standard library in Rust before 1.52.0, there is an optimization for joining strings that can cause uninitialized bytes to be exposed (or the program to crash) if the borrowed string changes after its length is checked. (CVE-2020-36323)
In the standard library in Rust before 1.52.0, the Zip implementation has a panic safety issue. It calls __iterator_get_unchecked() more than once for the same index when the underlying iterator panics (in certain conditions). This bug could lead to a memory safety violation due to an unmet safety requirement for the TrustedRandomAccess trait. (CVE-2021-28876)
In the standard library in Rust before 1.52.0, the Zip implementation calls __iterator_get_unchecked() more than once for the same index (under certain conditions) when next_back() and next() are used together. This bug could lead to a memory safety violation due to an unmet safety requirement for the TrustedRandomAccess trait. (CVE-2021-28878)
In the standard library in Rust before 1.52.0, the Zip implementation can report an incorrect size due to an integer overflow. This bug can lead to a buffer overflow when a consumed Zip iterator is used again. (CVE-2021-28879)
In the standard library in Rust before 1.52.0, a double free can occur in the Vec::from_iter function if freeing the element panics. (CVE-2021-31162)
Affected Packages:
rust
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update rust to update your system.
New Packages:
aarch64:
rust-1.56.1-1.amzn2.0.1.aarch64
rust-std-static-1.56.1-1.amzn2.0.1.aarch64
rust-doc-1.56.1-1.amzn2.0.1.aarch64
cargo-1.56.1-1.amzn2.0.1.aarch64
rustfmt-1.56.1-1.amzn2.0.1.aarch64
rls-1.56.1-1.amzn2.0.1.aarch64
clippy-1.56.1-1.amzn2.0.1.aarch64
rust-analysis-1.56.1-1.amzn2.0.1.aarch64
rust-debuginfo-1.56.1-1.amzn2.0.1.aarch64
noarch:
rust-debugger-common-1.56.1-1.amzn2.0.1.noarch
rust-gdb-1.56.1-1.amzn2.0.1.noarch
cargo-doc-1.56.1-1.amzn2.0.1.noarch
rust-src-1.56.1-1.amzn2.0.1.noarch
src:
rust-1.56.1-1.amzn2.0.1.src
x86_64:
rust-1.56.1-1.amzn2.0.1.x86_64
rust-std-static-1.56.1-1.amzn2.0.1.x86_64
rust-doc-1.56.1-1.amzn2.0.1.x86_64
cargo-1.56.1-1.amzn2.0.1.x86_64
rustfmt-1.56.1-1.amzn2.0.1.x86_64
rls-1.56.1-1.amzn2.0.1.x86_64
clippy-1.56.1-1.amzn2.0.1.x86_64
rust-analysis-1.56.1-1.amzn2.0.1.x86_64
rust-debuginfo-1.56.1-1.amzn2.0.1.x86_64
Red Hat: CVE-2020-36323, CVE-2021-28876, CVE-2021-28878, CVE-2021-28879, CVE-2021-31162
Mitre: CVE-2020-36323, CVE-2021-28876, CVE-2021-28878, CVE-2021-28879, CVE-2021-31162
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Amazon Linux | 2 | aarch64 | rust | < 1.56.1-1.amzn2.0.1 | rust-1.56.1-1.amzn2.0.1.aarch64.rpm |
Amazon Linux | 2 | aarch64 | rust-std-static | < 1.56.1-1.amzn2.0.1 | rust-std-static-1.56.1-1.amzn2.0.1.aarch64.rpm |
Amazon Linux | 2 | aarch64 | rust-doc | < 1.56.1-1.amzn2.0.1 | rust-doc-1.56.1-1.amzn2.0.1.aarch64.rpm |
Amazon Linux | 2 | aarch64 | cargo | < 1.56.1-1.amzn2.0.1 | cargo-1.56.1-1.amzn2.0.1.aarch64.rpm |
Amazon Linux | 2 | aarch64 | rustfmt | < 1.56.1-1.amzn2.0.1 | rustfmt-1.56.1-1.amzn2.0.1.aarch64.rpm |
Amazon Linux | 2 | aarch64 | rls | < 1.56.1-1.amzn2.0.1 | rls-1.56.1-1.amzn2.0.1.aarch64.rpm |
Amazon Linux | 2 | aarch64 | clippy | < 1.56.1-1.amzn2.0.1 | clippy-1.56.1-1.amzn2.0.1.aarch64.rpm |
Amazon Linux | 2 | aarch64 | rust-analysis | < 1.56.1-1.amzn2.0.1 | rust-analysis-1.56.1-1.amzn2.0.1.aarch64.rpm |
Amazon Linux | 2 | aarch64 | rust-debuginfo | < 1.56.1-1.amzn2.0.1 | rust-debuginfo-1.56.1-1.amzn2.0.1.aarch64.rpm |
Amazon Linux | 2 | noarch | rust-debugger-common | < 1.56.1-1.amzn2.0.1 | rust-debugger-common-1.56.1-1.amzn2.0.1.noarch.rpm |
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
8 High
AI Score
Confidence
Low
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.017 Low
EPSS
Percentile
87.6%