Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package cargo-audit-advisory-db for openSUSE:Factory checked in at 2022-05-01 18:53:47 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/cargo-audit-advisory-db (Old) and /work/SRC/openSUSE:Factory/.cargo-audit-advisory-db.new.1538 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "cargo-audit-advisory-db" Sun May 1 18:53:47 2022 rev:24 rq:974165 version:20220428 Changes: -------- --- /work/SRC/openSUSE:Factory/cargo-audit-advisory-db/cargo-audit-advisory-db.changes 2022-04-20 16:57:32.826635215 +0200 +++ /work/SRC/openSUSE:Factory/.cargo-audit-advisory-db.new.1538/cargo-audit-advisory-db.changes 2022-05-01 18:53:56.423182545 +0200 @@ -1,0 +2,15 @@ +Thu Apr 28 02:57:45 UTC 2022 - wbrown@suse.de + +- Update to version 20220428: + * Assigned RUSTSEC-2022-0017 to array-macro (#1225) + * Add advisory for using impure constants in array-macro (#1224) + * Add patch version for fruity (#1223) + * Update RUSTSEC-2020-0071.md (#1222) + * RUSTSEC-2022-0012: note that v0.10.0+ is patched (#1220) + * Assigned RUSTSEC-2022-0016 to wasmtime (#1218) + * Add CVE-2022-24791 for Wasmtime (#1217) + * Assigned RUSTSEC-2022-0015 to pty (#1215) + * Add unmaintained advisory for pty (#1213) + * Assigned RUSTSEC-2022-0014 to openssl-src (#1211) + +------------------------------------------------------------------- Old: ---- advisory-db-20220420.tar.xz New: ---- advisory-db-20220428.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ cargo-audit-advisory-db.spec ++++++ --- /var/tmp/diff_new_pack.KJt3QG/_old 2022-05-01 18:53:56.855182946 +0200 +++ /var/tmp/diff_new_pack.KJt3QG/_new 2022-05-01 18:53:56.863182953 +0200 @@ -17,7 +17,7 @@ Name: cargo-audit-advisory-db -Version: 20220420 +Version: 20220428 Release: 0 Summary: A database of known security issues for Rust depedencies License: CC0-1.0 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.KJt3QG/_old 2022-05-01 18:53:56.895182983 +0200 +++ /var/tmp/diff_new_pack.KJt3QG/_new 2022-05-01 18:53:56.899182986 +0200 @@ -2,7 +2,7 @@ <service mode="disabled" name="obs_scm"> <param name="url">https://github.com/RustSec/advisory-db.git</param> <param name="scm">git</param> - <param name="version">20220420</param> + <param name="version">20220428</param> <param name="revision">master</param> <param name="changesgenerate">enable</param> <param name="changesauthor">wbrown@suse.de</param> ++++++ advisory-db-20220420.tar.xz -> advisory-db-20220428.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20220420/.duplicate-id-guard new/advisory-db-20220428/.duplicate-id-guard --- old/advisory-db-20220420/.duplicate-id-guard 2022-04-19 02:03:30.000000000 +0200 +++ new/advisory-db-20220428/.duplicate-id-guard 2022-04-27 21:05:18.000000000 +0200 @@ -1,3 +1,3 @@ This file causes merge conflicts if two ID assignment jobs run concurrently. This prevents duplicate ID assignment due to a race between those jobs. -be31153ca949684d3c0b38dba139be7cc19bd1235297389eb16eb7b16356b11e - +05211b923d19475817ba8c9cdcc1c8079a94da53ed993f4f5af9e032b8766a4d - diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20220420/crates/array-macro/RUSTSEC-2022-0017.md new/advisory-db-20220428/crates/array-macro/RUSTSEC-2022-0017.md --- old/advisory-db-20220420/crates/array-macro/RUSTSEC-2022-0017.md 1970-01-01 01:00:00.000000000 +0100 +++ new/advisory-db-20220428/crates/array-macro/RUSTSEC-2022-0017.md 2022-04-27 21:05:18.000000000 +0200 @@ -0,0 +1,21 @@ +```toml +[advisory] +id = "RUSTSEC-2022-0017" +package = "array-macro" +date = "2022-04-27" +url = "https://gitlab.com/KonradBorowski/array-macro/-/issues/5" +categories = ["code-execution", "memory-corruption", "memory-exposure"] +informational = "unsound" + +[versions] +patched = [">= 2.1.2"] +unaffected = ["< 2.1.0"] +``` + +# `array!` macro is unsound when its length is impure constant + +Affected versions of this crate did substitute the array length provided by an user at compile-time multiple times. + +When an impure constant expression is passed as an array length (such as a result of an impure procedural macro), this can result in the initialization of an array with uninitialized types, which in turn can allow an attacker to execute arbitrary code. + +The flaw was corrected in commit [d5b63f72](https://gitlab.com/KonradBorowski/array-macro/-/commit/d5b63f72090f3809c21ac...) by making sure that array length is substituted just once.