Bug 1141856 (CVE-2019-1010299)

Summary: VUL-1: CVE-2019-1010299: rust: The Rust Programming Language Standard Library 1.18.0 and later is affected by: CWE-200: Information Exposure. The impact is: Contents of uninitialized memory could be printed to string or to log file.
Product: [Novell Products] SUSE Security Incidents
Reporter: Wolfgang Frisch <wolfgang.frisch>
Component: Incidents
Assignee: William Brown <william.brown>
Status: RESOLVED INVALID
QA Contact: Security Team bot <security-team>
Severity: Minor
Priority: P4 - Low
CC: rfrohl, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/237219/
Whiteboard: CVSSv3:SUSE:CVE-2019-1010299:2.8:(AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N) maint:planned:update
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Wolfgang Frisch 2019-07-17 12:38:37 UTC
CVE-2019-1010299

The Rust Programming Language Standard Library 1.18.0 and later is affected by:
CWE-200: Information Exposure. The impact is: Contents of uninitialized memory
could be printed to string or to log file. The component is: Debug trait
implementation for std::collections::vec_deque::Iter. The attack vector is: The
program needs to invoke debug printing for iterator over an empty VecDeque. The
fixed version is: 1.30.0, nightly versions after commit
b85e4cc8fadaabd41da5b9645c08c68b8f89908d.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010299
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010299
https://github.com/rust-lang/rust/pull/53571/commits/b85e4cc8fadaabd41da5b9645c08c68b8f89908d
https://github.com/rust-lang/rust/issues/53566
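
A regression check for the condition described above, added here as an example (it is not code from this bug report or from the Rust project): it Debug-formats an iterator over a drained VecDeque and confirms that only live elements appear in the output. The function names and the SENTINEL value are hypothetical, and the check assumes popped u32 values stay physically in the ring buffer.

```rust
use std::collections::VecDeque;

// Constructed marker value standing in for stale data left in the buffer.
const SENTINEL: u32 = 0xDEAD_BEEF;

/// Digit runs found in the Debug output of an iterator over `dq`,
/// i.e. every number that debug printing would write to a string or log.
fn debug_iter_numbers(dq: &VecDeque<u32>) -> Vec<String> {
    let text = format!("{:?}", dq.iter());
    let runs: Vec<String> = text
        .split(|c: char| !c.is_ascii_digit())
        .filter(|s| !s.is_empty())
        .map(str::to_owned)
        .collect();
    runs
}

/// True when the Debug output shows exactly the live elements, in order.
fn debug_matches_live(dq: &VecDeque<u32>) -> bool {
    let live: Vec<String> = dq.iter().map(|v| v.to_string()).collect();
    debug_iter_numbers(dq) == live
}

/// A deque that held SENTINEL values and was then drained: logically empty,
/// which is the case named in the CVE text.
fn drained_deque() -> VecDeque<u32> {
    let mut dq = VecDeque::with_capacity(8);
    for _ in 0..8 {
        dq.push_back(SENTINEL);
    }
    while dq.pop_front().is_some() {}
    dq
}

/// The drained deque partly refilled, so live and stale slots coexist.
fn refilled_deque() -> VecDeque<u32> {
    let mut dq = drained_deque();
    for v in 1..=3 {
        dq.push_back(v);
    }
    dq
}

fn main() {
    for dq in vec![drained_deque(), refilled_deque()] {
        println!("{:?} -> only live elements: {}", dq.iter(), debug_matches_live(&dq));
    }
}
```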
Comment 1 Scott Reeves 2021-03-02 18:40:47 UTC
Can you take this Federico...
Comment 2 Robert Frohl 2022-01-21 12:15:53 UTC
This should not affect us, fixed with 1.30. All rust packages are on later versions, closing.
Comment 3 Robert Frohl 2022-01-21 12:16:16 UTC
closing as invalid