Bug 1189223 - (CVE-2021-29922) VUL-0: CVE-2021-29922: rust: Improper Input Validation of octal literals in rust 1.52.0 std::net and below results in indeterminate SSRF & RFI vulnerabilities.
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware/OS: Other / Other
Priority/Severity: P3 - Medium / Minor
Assigned To: William Brown
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/305979/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-29922:7.3:(AV:...
Reported: 2021-08-09 12:37 UTC by Gianluca Gabrielli
Modified: 2022-08-31 11:26 UTC

Found By: Security Response Team
Flags: thomas.leroy: needinfo? (william.brown)

Description Gianluca Gabrielli 2021-08-09 12:37:15 UTC
library/std/src/net/parser.rs in Rust before 1.53.0 does not properly consider
extraneous zero characters at the beginning of an IP address string, which (in
some situations) allows attackers to bypass access control that is based on IP
addresses, because of unexpected octal interpretation.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-29922
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29922
https://github.com/rust-lang/rust/pull/83652
http://www.cvedetails.com/cve/CVE-2021-29922/
https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-015.md
https://github.com/rust-lang/rust/issues/83648
https://doc.rust-lang.org/beta/std/net/struct.Ipv4Addr.html
https://defcon.org/html/defcon-29/dc-29-speakers.html#kaoudis
Comment 1 Gianluca Gabrielli 2021-08-09 12:46:33 UTC
Hi rust maintainers,

I need your help to properly assess the following packages:
 - SUSE:SLE-15-SP1:Update/rust 1.43.1
 - SUSE:SLE-15:Update/rust     1.43.1

I think they are both vulnerable, but the vulnerable function is quite different and it's named `read_ipv4_addr_impl`:

it starts at src/libstd/net/parser.rs:131

```rust
// Pre-1.53 parser as shipped in rust 1.43.1 (src/libstd/net/parser.rs).
fn read_ipv4_addr_impl(&mut self) -> Option<Ipv4Addr> {
    let mut bs = [0; 4];
    let mut i = 0;
    while i < 4 {
        // Octets are separated by '.'; a missing separator aborts the parse.
        if i != 0 && self.read_given_char('.').is_none() {
            return None;
        }

        // Base 10, at most three digits, value below 0x100. Nothing rejects a
        // leading zero, so "010" is read as decimal 10 rather than octal 8.
        bs[i] = self.read_number(10, 3, 0x100).map(|n| n as u8)?;
        i += 1;
    }
    Some(Ipv4Addr::new(bs[0], bs[1], bs[2], bs[3]))
}
```

Could you please share your feedback on that?

Moreover (I don't know why), I've not been able to fetch the source code of the following packages, but according to their versions (spec file), they should already be patched:
 - SUSE:SLE-15-SP3:Update/rust 1.53.0
 - openSUSE:Factory/rust       1.54.0

Could you confirm that?

The upstream patch can be found in 74874a6 [0].

[0] https://github.com/rust-lang/rust/commit/74874a690bc95443292496ff5df5cc5c8cb56e0b.patch
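The following is an added example, written for this page; it is not code from the bug thread, from the SUSE packages, or from rust-lang/rust. It illustrates what the description and comment 1 are about by modelling three octet rules side by side: the pre-1.53 std behaviour that reads digits as decimal and tolerates leading zeros (with the three-digit cap of the `read_number(10, 3, 0x100)` call quoted above, and without it, as in the 1.52 parser), the classic BSD `inet_aton()` convention that treats a leading `0` as octal and `0x` as hex, and the strict rule from rust-lang/rust#83652 that rejects leading zeros. `parse_lenient`, `parse_inet_aton_style`, `parse_strict`, `is_internal`, `filter_bypassed` and the sample hosts are all constructed for the example; `filter_bypassed` models an SSRF-style allowlist that validates the string with the lenient parser and then hands the same string to a resolver that follows `inet_aton()` rules.

```rust
// Added example (not from the bug thread or from rust-lang/rust): three
// interpretations of a dotted-quad string and the access-control
// bypass that the mismatch between them allows.
use std::net::Ipv4Addr;

/// Split into exactly four non-empty, dot-separated parts.
fn four_parts(s: &str) -> Option<[&str; 4]> {
    let mut it = s.split('.');
    let parts = [it.next()?, it.next()?, it.next()?, it.next()?];
    if it.next().is_some() || parts.iter().any(|p| p.is_empty()) {
        return None;
    }
    Some(parts)
}

/// Pre-fix std rule: plain decimal, leading zeros tolerated.
/// `max_digits` = Some(3) models the `read_number(10, 3, 0x100)` call in
/// rust 1.43; None models the uncapped 1.52 parser.
fn octet_lenient(p: &str, max_digits: Option<usize>) -> Option<u8> {
    if !p.bytes().all(|b| b.is_ascii_digit()) {
        return None;
    }
    if max_digits.map_or(false, |m| p.len() > m) {
        return None;
    }
    u8::from_str_radix(p, 10).ok() // "012" -> 12, not 10
}

/// Classic BSD inet_aton() convention for a four-part address:
/// "0x" prefix is hex, a leading "0" is octal, anything else decimal.
fn octet_inet_aton(p: &str) -> Option<u8> {
    let (radix, digits) = if let Some(h) = p.strip_prefix("0x").or_else(|| p.strip_prefix("0X")) {
        (16, h)
    } else if p.len() > 1 && p.starts_with('0') {
        (8, &p[1..])
    } else {
        (10, p)
    };
    if digits.is_empty() || !digits.bytes().all(|b| b.is_ascii_alphanumeric()) {
        return None;
    }
    u8::from_str_radix(digits, radix).ok() // "012" -> 10, "08" -> None
}

/// Rule after rust-lang/rust#83652: decimal only, and a leading zero is
/// allowed only when the octet is exactly "0".
fn octet_strict(p: &str) -> Option<u8> {
    if !p.bytes().all(|b| b.is_ascii_digit()) || (p.len() > 1 && p.starts_with('0')) {
        return None;
    }
    u8::from_str_radix(p, 10).ok()
}

fn parse_with(s: &str, octet: impl Fn(&str) -> Option<u8>) -> Option<Ipv4Addr> {
    let p = four_parts(s)?;
    Some(Ipv4Addr::new(octet(p[0])?, octet(p[1])?, octet(p[2])?, octet(p[3])?))
}

pub fn parse_lenient(s: &str, max_digits: Option<usize>) -> Option<Ipv4Addr> {
    parse_with(s, |p| octet_lenient(p, max_digits))
}

pub fn parse_inet_aton_style(s: &str) -> Option<Ipv4Addr> {
    parse_with(s, octet_inet_aton)
}

pub fn parse_strict(s: &str) -> Option<Ipv4Addr> {
    parse_with(s, octet_strict)
}

/// Ranges an SSRF filter would refuse (constructed for this example).
fn is_internal(a: Ipv4Addr) -> bool {
    a.is_loopback() || a.is_private() || a.is_link_local() || a.is_unspecified()
}

/// Models a filter that validates `host` with the lenient parser, then passes
/// the original string to a resolver following inet_aton() rules. Returns true
/// when the filter approves a string the resolver turns into an internal
/// address: the bypass the CVE describes.
pub fn filter_bypassed(host: &str, max_digits: Option<usize>) -> bool {
    let approved = parse_lenient(host, max_digits).map_or(false, |a| !is_internal(a));
    let reaches_internal = parse_inet_aton_style(host).map_or(false, is_internal);
    approved && reaches_internal
}

fn main() {
    // Constructed sample hosts.
    for &host in ["0177.0.0.1", "012.0.0.1", "010.8.8.8", "0.0.0.0", "1.2.3.4"].iter() {
        println!(
            "{:<11} uncapped={:?} capped3={:?} inet_aton={:?} strict={:?} bypass(uncapped)={} bypass(capped3)={}",
            host,
            parse_lenient(host, None),
            parse_lenient(host, Some(3)),
            parse_inet_aton_style(host),
            parse_strict(host),
            filter_bypassed(host, None),
            filter_bypassed(host, Some(3)),
        );
    }
}
```

Two things are worth noticing when running it. The three-digit cap in the 1.43 parser blocks `0177.0.0.1` (four digits) but not `012.0.0.1`, which the lenient rule reads as 12.0.0.1 and an `inet_aton()`-style resolver as 10.0.0.1, so the older version is affected as comment 1 suspects, just with a narrower set of inputs. On a current toolchain `str::parse::<Ipv4Addr>()` already applies the strict rule, so `parse_strict` can be checked against it directly.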
Comment 2 Gianluca Gabrielli 2021-08-09 15:38:14 UTC
I managed to check out all the source code. The following package is affected too:
 - SUSE:SLE-15-SP3:Update/rust1.43 (as per comment#2 - read_ipv4_addr_impl)

While the following ones are already patched:
 - SUSE:SLE-15-SP3:Update/rust1.53
 - openSUSE:Factory/rust1.53
 - openSUSE:Factory/rust1.54
Comment 3 Gianluca Gabrielli 2021-08-10 07:32:26 UTC
(In reply to Gianluca Gabrielli from comment #2)
>  - SUSE:SLE-15-SP3:Update/rust1.43 (as per comment#2 - read_ipv4_addr_impl)

I meant comment#1
Comment 4 Thomas Leroy 2022-08-31 11:26:19 UTC
Reassigning.

Hi William, this one seems to impact the Rust compiler itself. We expected a patch for SUSE:SLE-15:Update and SUSE:SLE-15-SP1:Update, but I think the fixing commit is included in the version we currently ship there.
I think the CVE is not mentioned in the changes file, so we lost track of it. Could you please add the CVE in the changes file of SUSE:SLE-15:Update/rust and SUSE:SLE-15-SP1:Update/rust? :)