RustSec
148 posts

RustSec
@RustSec
Security advisory database for Rust crates published through https://t.co/NctFWNHsjG. A project of the @rustsecurecode working group.
Joined January 2017
17 Following 2.4K Followers
RustSec Retweeted

Rust is the fastest growing language on GitHub, and GitHub’s supply chain security features now help keep your Rust projects secure 🔒
github.co/3tiGH9E
RustSec Retweeted

blog.logrocket.com/comparing-rust…
Comparing Rust supply chain safety tools
RustSec Retweeted

A malicious crate was uploaded to crates.io, targeting GitLab CI environments. Read more on the security advisory:
blog.rust-lang.org/2022/05/10/mal…
RustSec Retweeted

The regex crate is vulnerable to denial of service attacks when parsing untrusted regexes (CVE-2022-24713). We released version 1.5.5, fixing the issue. Read the advisory: blog.rust-lang.org/2022/03/08/cve…
RustSec Retweeted

The std::fs::remove_dir_all function in the Rust standard library is vulnerable to a race condition (CVE-2022-21658). We will release Rust 1.58.1 with the fix later today. Read the advisory: blog.rust-lang.org/2022/01/20/cve…

This is the first year that we've ever seen fewer advisories filed than the previous year!
One reason is that the bulk of the advisories for vulnerabilities discovered by the Rudra static code analyzer were filed in 2020 twitter.com/yechan_bae/sta…
Yechan Bae@yechan_bae
We are very happy to share that Rudra received a distinguished artifact award in SOSP 2021!

@Erstejahre From the @RustSec side, you can file an advisory for the affected release so cargo-audit users will see it.
If the crate can be reclaimed, the malicious release should be yanked.
Beyond that there isn’t a process I’m aware of, but I can ask the crates.io team!
RustSec Retweeted

We have a security advisory for rustc today: blog.rust-lang.org/2021/11/01/cve…
We will have a 1.56.1 release out soon.

@RustSec Isn't the problem here that std::env::set_env, which wraps C setenv(), is incorrectly marked as safe? After all, in C-land, calling setenv() while any other thread is accessing the environment (including potentially arbitrary other C functions) is undefined behavior.

Heads up Rustaceans! You might have recently gotten a security vulnerability notification for RUSTSEC-2020-0071: a potential segfault impacting `time` v0.1 (cont’d)
rustsec.org/advisories/RUS…

@hdevalence In programs where certain environment variables are modified from different threads, it can result in memory corruption. This has manifested as programs segfaulting.

@jonasbb92 Probably. We’re discussing it on the #wg-secure-code Zulip channel.

Unfortunately we don’t have clear guidance for what to do. It impacts several major ecosystem crates including `chrono`.
For the latest information, see the upstream issue on `time`: github.com/time-rs/time/i…
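The thread above (set_var wrapping setenv, other threads reading the environment through C, the `time` 0.1 segfaults) describes a data race that Rust's safe API cannot prevent on its own. Below is an added example, not code from RustSec, the `time` crate or the Rust standard library, showing the mitigation a practitioner can apply inside their own program: route every environment mutation and every environment read through one process-wide lock, restore the variable when the scope ends, and prove with a reader thread that no interleaving is observable. The lock, the `ScopedEnv` guard, the `demo` function and the `RUSTSEC_EXAMPLE` variable are assumptions of this example. The lock only protects code paths that take it; a C library that calls getenv() on its own thread is still unprotected, so the only complete rule remains "finish mutating the environment before the first thread is spawned".

```rust
use std::env;
use std::sync::{Mutex, MutexGuard};

/// Process-wide lock (assumption of this example). Every code path in this
/// program that mutates the environment, or reads it (including via C calls
/// such as getenv() or localtime_r() consulting TZ), must hold this lock.
/// Foreign code that touches the environment on its own threads is NOT covered.
static ENV_LOCK: Mutex<()> = Mutex::new(());

fn lock_env() -> MutexGuard<'static, ()> {
    // A panic while holding the lock poisons it; the environment itself is
    // still consistent, so recover the guard instead of propagating the poison.
    ENV_LOCK.lock().unwrap_or_else(|e| e.into_inner())
}

/// RAII guard: holds ENV_LOCK, sets `key`, and restores the previous value on
/// drop. While it lives, every other lock-taking reader or writer blocks.
pub struct ScopedEnv {
    _guard: MutexGuard<'static, ()>,
    key: String,
    previous: Option<String>,
}

impl ScopedEnv {
    // set_var is unsafe in edition 2024 and safe in earlier editions; the
    // unsafe block is required in the former and merely redundant in the latter.
    #[allow(unused_unsafe)]
    pub fn set(key: &str, value: &str) -> ScopedEnv {
        let guard = lock_env();
        let previous = env::var(key).ok();
        unsafe { env::set_var(key, value) };
        ScopedEnv { _guard: guard, key: key.to_string(), previous }
    }

    /// Read under the lock this guard already holds (re-locking would deadlock).
    pub fn get(&self, key: &str) -> Option<String> {
        env::var(key).ok()
    }
}

impl Drop for ScopedEnv {
    #[allow(unused_unsafe)]
    fn drop(&mut self) {
        // Runs before `_guard` is released, so the restore is still serialized.
        unsafe {
            match &self.previous {
                Some(v) => env::set_var(&self.key, v),
                None => env::remove_var(&self.key),
            }
        }
    }
}

/// Read the environment when no ScopedEnv is held on the calling thread.
pub fn read_env(key: &str) -> Option<String> {
    let _guard = lock_env();
    env::var(key).ok()
}

/// Exercise the guard against a reader on another thread. Returns
/// (value seen inside the scope, value the reader thread saw, value afterwards).
pub fn demo(key: &str) -> (Option<String>, Option<String>, Option<String>) {
    let scope = ScopedEnv::set(key, "1");
    let key_owned = key.to_string();
    // The reader blocks in lock_env() until `scope` drops, so it can never see
    // a half-written environment; it observes the restored value.
    let reader = std::thread::spawn(move || read_env(&key_owned));
    let inside = scope.get(key);
    drop(scope);
    let from_thread = reader.join().expect("reader thread panicked");
    let after = read_env(key);
    (inside, from_thread, after)
}

fn main() {
    let (inside, from_thread, after) = demo("RUSTSEC_EXAMPLE");
    println!("inside={inside:?} thread={from_thread:?} after={after:?}");
}
```

The guard is the pattern most useful in test suites, where several tests mutating the same variable in parallel is the usual way this race shows up. The lock discipline only removes the race if nothing reads the environment without taking it, which is exactly what the `time` advisory cannot guarantee for arbitrary C code.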
RustSec Retweeted

My team's first release since I joined GitHub is out today, and my first GitHub blog is live!
Thanks so much to the @RustSec community for collaborating to bring curated Rust security advisories to the GitHub Advisory Database!
github.blog/2021-09-23-git…

@KodrAus As you are seeing, we perform due diligence before publishing unmaintained crate advisories.
Agreed we could use a more formal policy, but so far in the course of several years we have not received any complaints about maintained crates being marked unmaintained.

@bodil question about the im/im-rc crates: we have a request to mark them as unmaintained in the RustSec Advisory Database: github.com/RustSec/adviso…
Is that ok? If you have any objections whatsoever we'll close the PR.