CVEs for the Rust standard library

Overview

Rust CVE

Preface

This is a list of CVEs for unsound APIs in the Rust standard library. These bugs break Rust's memory safety guarantee and lead to security issues when triggered. Fortunately, they live in context-sensitive library APIs that are rarely used in a way that triggers the bugs. Many of them require a very specific interaction (e.g., partially consuming an iterator and then zip()-ing it with another iterator) that is unlikely to appear in everyday usage.

Yet, we can't say for sure that there is no code out there using these APIs in a bug-triggering way. Moreover, certain applications such as TockOS and RedLeaf that use Rust's type system as an isolation mechanism can be easily attacked with these bugs. Hence, it is important to signal the existence of these bugs, and I found that issuing a CVE number and creating a RustSec advisory is the most effective way to do so.

CVE List

| CVE | Issue # | Title | Affected | RustSec |
|---|---|---|---|---|
| CVE-2015-20001 | 25842 | Panic safety violation in BinaryHeap | >= 1.0.0, < 1.2.0 | link |
| CVE-2017-20004 | 41622 | MutexGuard<Cell<i32>> must not be Sync | >= 1.0.0, < 1.19.0 | link |
| CVE-2018-1000657 | 44800 | Buffer overflow vulnerability in VecDeque::reserve() | >= 1.3.0, < 1.22.0 | link |
| CVE-2018-1000810 | 54399 | Buffer overflow vulnerability in str::repeat() | >= 1.26.0, < 1.29.1 | link |
| CVE-2018-25008 | 51780 | Insufficient synchronization in Arc::get_mut | >= 1.3.0, < 1.29.0 | link |
| CVE-2019-1010299 | 53566 | vec_deque::Iter has unsound Debug implementation | >= 1.18.0, < 1.30.0 | link |
| CVE-2019-12083 | 60787 | Memory safety vulnerabilities arising from Error::type_id | >= 1.34.0, < 1.34.2 | link |
| CVE-2020-36317 | 78498 | String::retain allows safely creating invalid strings when abusing panic | >= 1.26.0, < 1.49.0 | link |
| CVE-2020-36318 | 79808 | VecDeque::make_contiguous may duplicate the contained elements | >= 1.48.0, < 1.49.0 | link |
| CVE-2020-36323 | 80335 | API soundness issue in join() implementation of [Borrow<str>] | >= 1.28.0, < 1.52.0 | link |
| CVE-2021-28875 | 80894 | Logic bug in Read can cause buffer overflow in read_to_end() | >= 1.20.0, < 1.50.0 | link |
| CVE-2021-28876 | 81740 | Panic safety issue in Zip specialization | >= 1.14.0, < 1.52.0 | link |
| CVE-2021-28877 | 80670 | TrustedRandomAccess specialization composes incorrectly for nested iter::Zips | >= 1.11.0, < 1.51.0 | link |
| CVE-2021-28878 | 82291 | Zip may call __iterator_get_unchecked twice with the same index | >= 1.14.0, < 1.52.0 | link |
| CVE-2021-28879 | 82282 | Zip can cause buffer overflow when a consumed Zip iterator is used again | >= 1.14.0, < 1.52.0 | link |
| CVE-2021-31162 | 83618 | Double free in Vec::from_iter specialization when drop panics | >= 1.48.0, < 1.52.0 | link |
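As an added example (not part of the original list or of the Rust project), here is a small Rust program that parses a `rustc --version` string and reports which CVEs from the table above cover that toolchain. The affected ranges are copied from the table; the version strings fed to it are constructed samples.

```rust
// Added example, not from the original list: check a rustc version string against
// the "Affected" ranges of the CVE table above (ranges copied; inputs constructed).
#[derive(Clone, Copy, PartialEq, Eq, PartialOrd, Ord, Debug)]
struct Version(u32, u32, u32);

/// Parse "1.52.0", "1.52.0-nightly" or `rustc --version` output ("rustc 1.52.0 (hash date)"):
/// first whitespace-separated token starting with a digit, minus any "-pre"/"+build" suffix.
fn parse_version(s: &str) -> Option<Version> {
    let token = s.split_whitespace().find(|t| t.starts_with(|c: char| c.is_ascii_digit()))?;
    let core = token.split(|c: char| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u32>());
    let major = parts.next()?.ok()?;
    let minor = parts.next()?.ok()?;
    let patch = parts.next().unwrap_or(Ok(0)).ok()?; // "1.52" means 1.52.0
    Some(Version(major, minor, patch))
}

/// One table row: CVE id and its half-open affected range [lo, hi).
struct Advisory { cve: &'static str, lo: &'static str, hi: &'static str }
const ADVISORIES: &[Advisory] = &[
    Advisory { cve: "CVE-2015-20001",   lo: "1.0.0",  hi: "1.2.0" },
    Advisory { cve: "CVE-2017-20004",   lo: "1.0.0",  hi: "1.19.0" },
    Advisory { cve: "CVE-2018-1000657", lo: "1.3.0",  hi: "1.22.0" },
    Advisory { cve: "CVE-2018-1000810", lo: "1.26.0", hi: "1.29.1" },
    Advisory { cve: "CVE-2018-25008",   lo: "1.3.0",  hi: "1.29.0" },
    Advisory { cve: "CVE-2019-1010299", lo: "1.18.0", hi: "1.30.0" },
    Advisory { cve: "CVE-2019-12083",   lo: "1.34.0", hi: "1.34.2" },
    Advisory { cve: "CVE-2020-36317",   lo: "1.26.0", hi: "1.49.0" },
    Advisory { cve: "CVE-2020-36318",   lo: "1.48.0", hi: "1.49.0" },
    Advisory { cve: "CVE-2020-36323",   lo: "1.28.0", hi: "1.52.0" },
    Advisory { cve: "CVE-2021-28875",   lo: "1.20.0", hi: "1.50.0" },
    Advisory { cve: "CVE-2021-28876",   lo: "1.14.0", hi: "1.52.0" },
    Advisory { cve: "CVE-2021-28877",   lo: "1.11.0", hi: "1.51.0" },
    Advisory { cve: "CVE-2021-28878",   lo: "1.14.0", hi: "1.52.0" },
    Advisory { cve: "CVE-2021-28879",   lo: "1.14.0", hi: "1.52.0" },
    Advisory { cve: "CVE-2021-31162",   lo: "1.48.0", hi: "1.52.0" },
];

/// CVE ids (in table order) whose affected range contains the given toolchain version.
fn affected_by(rustc_version: &str) -> Vec<&'static str> {
    let v = match parse_version(rustc_version) { Some(v) => v, None => return Vec::new() };
    ADVISORIES.iter()
        .filter(|a| v >= parse_version(a.lo).unwrap() && v < parse_version(a.hi).unwrap())
        .map(|a| a.cve).collect()
}

fn main() {
    // Constructed inputs; in practice pass the output of `rustc --version`.
    for v in ["rustc 1.34.1 (abcdef123 2019-01-01)", "1.51.0", "1.52.0"].iter() {
        println!("{}: {:?}", v, affected_by(v));
    }
}
```

Note that a version equal to the upper bound (e.g. 1.52.0 for the Zip advisories) is reported as not affected, matching the half-open "< x" ranges in the table.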

Backlog

These are soundness bugs for which I plan to apply for CVE IDs. Note that I focus on soundness bugs that arise from misuse of unsafe Rust code in the standard library, so certain soundness bugs are not included in this list, such as type-system bugs (e.g., #25860) or environmental bugs (e.g., #81996). I'll still update the CVE list above if such a bug gets assigned a CVE ID.

| Issue # | Title | Affected | CVE ID Requested |
|---|---|---|---|
| 81138 | String::replace_range is unsound | TODO | No |
| 85322 | The implementation of InPlaceIterable for Peekable is unsound | TODO | No |
| 85613 | Double free in Vec::dedup_by when T's drop panics | TODO | No |
| 85813 | Unsound Debug impl for collections::linked_list::IterMut | TODO | No |
| 85873 | TrustedRandomAccess optimization for Zip containing vec::IntoIter is unsound | TODO | No |
| 86443 | Panic safety issue in Zip::next_back() TrustedRandomAccess specialization | TODO | No |
Owner
Yechan Bae
2nd year Ph.D. student at Georgia Tech SSLab. Member of r00timentary and LeaveCat-PLUS.