Skip to content

scanner-rs OOB read #2262

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 6 commits into from
May 7, 2025
Merged

scanner-rs OOB read #2262

merged 6 commits into from
May 7, 2025

Conversation

charlesxsh
Copy link
Contributor

No description provided.

djc
djc reviewed Mar 27, 2025
View reviewed changes
Copy link
Contributor

@djc djc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's not obvious how this crate is implicated. Have you filed an issue against it? Does the maintainer agree that there is an issue that warrants an advisory? Has a fix been released?

@charlesxsh
Copy link
Contributor Author

It's not obvious how this crate is implicated. Have you filed an issue against it? Does the maintainer agree that there is an issue that warrants an advisory? Has a fix been released?

Actually I would like to create issue over there at first. However, that git repository does not allow me to create an issue.

@charlesxsh
Copy link
Contributor Author

The code snippet is copied from the crate's lib.rs

https://github.com/pombredanne/scanner-rs/blob/2893e45f8d60692a11e8584ba01eb38fe7798fea/src/lib.rs#L398C1-L420C2

@tarcieri
Copy link
Member

tarcieri commented Mar 27, 2025
edited
Loading

You can create a new issue here: https://github.com/pombredanne/scanner-rs/issues/new

Edit: weird, 404 on desktop, works on mobile but I can't actually post an issue

Looks like you might be able to open a PR?

@djc
Copy link
Contributor

djc commented Mar 29, 2025

Submitting a PR (maybe adding an unmaintained notice to the README) seems like a decent way to notify the author. The repo has just 1 commit from 9 years ago so I wouldn't expect a lot of activity, but at least the author still seems quite active on GitHub.

@djc djc mentioned this pull request Apr 25, 2025
Merged
@charlesxsh
Copy link
Contributor Author

Submitting a PR (maybe adding an unmaintained notice to the README) seems like a decent way to notify the author. The repo has just 1 commit from 9 years ago so I wouldn't expect a lot of activity, but at least the author still seems quite active on GitHub.

I created a PR pombredanne/scanner-rs#1

@djc
Copy link
Contributor

djc commented May 2, 2025

Sent an email to the maintainer to notify them of this advisory. Per discussion in #1092, will merge if there's been no response in 2 weeks.

@pombredanne
Copy link
Contributor

FYI: pombredanne/scanner-rs#1 (comment)
repasting here for reference:

I am not the maintainer of this as explained to @djc in a private email.
I am fine to merge this based on external reviewer inputs. I can transfer this repo to someone in the Rust community if you think this is useful and used.

The funny thing is that this NOT my crate. I just happen to be the last remaining fork, but my fork was passive.

Digging a bit, this used to be there from @CasualX :

https://archive.softwareheritage.org/browse/origin/directory/?origin_url=https://github.com/CasualX/scanner-rs

@pombredanne
Copy link
Contributor

Sent an email to the maintainer to notify them of this advisory. Per discussion in #1092, will merge if there's been no response in 2 weeks.

@djc please go ahead and merge. I merged @charlesxsh patch. I assume this code is correct. I would welcome a second pair of eyes on

If problematic, I will revert and update as needed.

@pombredanne
Copy link
Contributor

@tarcieri re:

Edit: weird, 404 on desktop, works on mobile but I can't actually post an issue
Looks like you might be able to open a PR?

This happened as this was not the head repo. When you fork in GH, issues are not enabled by default. Only PRs. I fixed this.

@pombredanne
Copy link
Contributor

Note also that I do NOT own the record at https://crates.io/crates/scanner .... this is @CasualX so I cannot do much of anything to push updated releases.

@djc
Copy link
Contributor

djc commented May 2, 2025

@pombredanne thanks for the quick response, sorry for bothering you -- should have checked the metadata more carefully.

@djc
Copy link
Contributor

djc commented May 2, 2025

Could not find an email address for @CasualX, so let's wait to see if they respond here? @CasualX -- please let us know if you're okay with us publishing an advisory for your old crate.

@CasualX
Copy link

CasualX commented May 5, 2025
edited
Loading

Oh hi, I was a bit concerned to see this but yeah this is very old code. This project has been folded into my pelite crate, you can find the relevant code here which should not be vulnerable (the API was entirely reworked).

I don't mind if this scanner-rs crate is deleted in its entirety, anyone still using it should update to pelite proper.

Thanks for the ping!

@djc
Copy link
Contributor

djc commented May 5, 2025

@CasualX thanks!

@charlesxsh can you rewrite this advisory as explained previously?

@charlesxsh
Copy link
Contributor Author

@djc updated it

djc
djc reviewed May 6, 2025
View reviewed changes
@djc djc merged commit 2be585e into rustsec:main May 7, 2025
1 check passed
@djc
Copy link
Contributor

djc commented May 7, 2025

Thanks!

@pombredanne
Copy link
Contributor

Great conclusion. 🙇

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@djc djc djc approved these changes

@pombredanne pombredanne pombredanne approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@charlesxsh @tarcieri @djc @pombredanne @CasualX