Follow-ups on CVE-2024-35186 and CVE-2024-35197 #1437
Following up on the vulnerabilities fixed in May and their security advisories – CVE-2024-35186 (GHSA-7w47-3wg8-547c) and CVE-2024-35197 (GHSA-49jc-r788-3fc9) – it looks like there are a few administrative things that should still be done.

RUSTSEC

The main thing is that there are still no RUSTSEC advisories for either of the two vulnerabilities. We expected the advisories might be imported automatically from the GitHub Advisory Database into RUSTSEC. It seems from rustsec/rustsec#656 that such things might be possible. But this does not seem to be set up to happen automatically. So their RUSTSEC advisories should still be created. I plan to open PRs on the advisory-db repository to achieve this. If and when I do, I'll add links here to them. There are some unresolved questions, detailed as follows, that complicate, and may temporarily block, my PRs for that. The only information that goes into RUSTSEC advisories that I'm unsure about for them (though from a RUSTSEC perspective it seems to be very important information) is which of the affected crates each of the vulnerabilities should be listed as affecting. As I understand it, a RUSTSEC advisory always corresponds to exactly one crate. If necessary, multiple RUSTSEC advisories could be created for the same vulnerability. For crates that are affected for dependency-related reasons, some can be omitted. So separate RUSTSEC advisories shouldn't be needed for all the crates listed in the repository and GitHub Advisory Database advisories:
Hyperlinks in the May 2024 update post

In #1412, in the "Safety First" section, hyperlinks with the titles of the two vulnerabilities are given. However, these inadvertently have the same URL: both are GHSA-7w47-3wg8-547c. The second link, for the "Refs and paths" vulnerability, should be changed to GHSA-49jc-r788-3fc9.

The pull request description

This doesn't have to be done, and whether it ought to be done is subjective. But it seems to me that the original checklist of items related to fixing these two vulnerabilities should be added to the description of #1374, which currently lists only the other items, not related to the security fixes that I think were the main impact of that PR. None of the information there is in any way sensitive any longer. The checklist I'm talking about corresponds to 79dce79, which merged a pull request from a private fork but came in as part of #1374. My rationale for including it is that it would make it easier for people in the future to figure out what changes that PR brought in and why, and also that it would help direct people who want to see how these vulnerabilities were fixed to a high-level overview of the changes that fixed them. These could be posted as a comment if desired, and I can post them as such. But I figured, since I was opening this question post anyway, that I might as well inquire first, in case you do want them in the description itself (I cannot edit that), or in case there is some reason you think it wouldn't be helpful.
Replies: 1 comment 6 replies
Thanks for bringing this up!
Would @Shnatsel know how this usually works?
Thank you! It's fixed now.
Thank you, a good call, both to secure this information, and for making it public. It's done now.
I've just been busy and didn't import them when they appeared, and it slipped my mind afterwards.
We really should finish up and deploy import from GHSA. But right now a PR against https:/rustsec/advisory-db/ is the way to expedite things.