Bug 1189223 - (CVE-2021-29922) VUL-0: CVE-2021-29922: rust: Improper Input Validation of octal literals in rust 1.52.0 std::net and below results in indeterminate SSRF & RFI vulnerabilities.
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Minor
: ---
Assigned To: William Brown
Security Team bot
Depends on:
Reported: 2021-08-09 12:37 UTC by Gianluca Gabrielli
Modified: 2022-08-31 11:26 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
thomas.leroy: needinfo? (william.brown)


Description Gianluca Gabrielli 2021-08-09 12:37:15 UTC
library/std/src/net/parser.rs in Rust before 1.53.0 does not properly consider
extraneous zero characters at the beginning of an IP address string, which (in
some situations) allows attackers to bypass access control that is based on IP
addresses, because of unexpected octal interpretation.

Comment 1 Gianluca Gabrielli 2021-08-09 12:46:33 UTC
Hi rust maintainers,

I need your help to properly assess the following packages:
 - SUSE:SLE-15-SP1:Update/rust 1.43.1
 - SUSE:SLE-15:Update/rust     1.43.1

I think they are both vulnerable, but the vulnerable function is quite different and it's named `read_ipv4_addr_impl`:

It starts at src/libstd/net/parser.rs:131:

fn read_ipv4_addr_impl(&mut self) -> Option<Ipv4Addr> {
    let mut bs = [0; 4];
    let mut i = 0;
    while i < 4 {
        if i != 0 && self.read_given_char('.').is_none() {
            return None;
        }
        // Each octet is read as base 10 with at most 3 digits and a value
        // below 0x100; nothing rejects a leading zero, so "012" is accepted
        // and read as decimal 12.
        bs[i] = self.read_number(10, 3, 0x100).map(|n| n as u8)?;
        i += 1;
    }
    Some(Ipv4Addr::new(bs[0], bs[1], bs[2], bs[3]))
}

Could you please share your feedback on that?

Moreover (I don't know why), I've not been able to fetch the source code of the following packages, but according to their versions (spec file), they should already be patched:
 - SUSE:SLE-15-SP3:Update/rust 1.53.0
 - openSUSE:Factory/rust       1.54.0

Could you confirm that?

The upstream patch can be found in 74874a6 [0].

[0] https://github.com/rust-lang/rust/commit/74874a690bc95443292496ff5df5cc5c8cb56e0b.patch
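The following is an added example, not code from this bug report or from the Rust project. It re-implements, in a few lines, the three interpretations that matter for this CVE: the pre-1.53 std::net octet rule quoted above (decimal, up to three digits, leading zeros tolerated), the rule after commit 74874a6 (leading zeros rejected), and a simplified inet_aton-style reader in which a leading "0" means octal and "0x" means hex (an assumption about how C-based resolvers and proxies read the same string). The `legacy_denylist_passes` function is a hypothetical SSRF deny list built on the old parser; the inputs are constructed.

```rust
use std::net::Ipv4Addr;

/// Result of running one address string through one parser.
#[derive(Debug, PartialEq)]
pub enum Parsed {
    Addr(Ipv4Addr),
    Rejected,
}

/// Mirrors the old read_number(10, 3, 0x100) rule from read_ipv4_addr_impl:
/// one to three decimal digits, value below 256, and nothing that rejects a
/// leading zero, so "012" is accepted and read as decimal 12.
fn octet_legacy(s: &str) -> Option<u8> {
    if s.is_empty() || s.len() > 3 || !s.bytes().all(|b| b.is_ascii_digit()) {
        return None;
    }
    s.parse::<u16>().ok().filter(|&n| n < 0x100).map(|n| n as u8)
}

/// Behaviour after the 1.53 fix (commit 74874a6): same as above, but a
/// leading zero is only valid for the single-digit octet "0".
fn octet_strict(s: &str) -> Option<u8> {
    if s.len() > 1 && s.starts_with('0') {
        return None;
    }
    octet_legacy(s)
}

/// Simplified inet_aton-style reading (assumption: leading "0" is octal,
/// "0x" is hex). This is the interpretation the legacy parser disagrees with.
fn octet_c_style(s: &str) -> Option<u8> {
    let (digits, radix) = if let Some(h) = s.strip_prefix("0x").or_else(|| s.strip_prefix("0X")) {
        (h, 16)
    } else if s.len() > 1 && s.starts_with('0') {
        (&s[1..], 8)
    } else {
        (s, 10)
    };
    if digits.is_empty() {
        return None;
    }
    u32::from_str_radix(digits, radix).ok().filter(|&n| n < 0x100).map(|n| n as u8)
}

/// Dotted-quad driver shared by the three octet readers.
fn parse_with(s: &str, octet: fn(&str) -> Option<u8>) -> Parsed {
    let parts: Vec<&str> = s.split('.').collect();
    if parts.len() != 4 {
        return Parsed::Rejected;
    }
    let mut bs = [0u8; 4];
    for (i, part) in parts.iter().enumerate() {
        match octet(part) {
            Some(b) => bs[i] = b,
            None => return Parsed::Rejected,
        }
    }
    Parsed::Addr(Ipv4Addr::new(bs[0], bs[1], bs[2], bs[3]))
}

pub fn parse_legacy(s: &str) -> Parsed { parse_with(s, octet_legacy) }
pub fn parse_strict(s: &str) -> Parsed { parse_with(s, octet_strict) }
pub fn parse_c_style(s: &str) -> Parsed { parse_with(s, octet_c_style) }

/// Hypothetical SSRF deny list built on the legacy parser: refuse anything in
/// 10.0.0.0/8 and allow the rest. Returns true when the request gets through.
pub fn legacy_denylist_passes(s: &str) -> bool {
    match parse_legacy(s) {
        Parsed::Addr(a) => a.octets()[0] != 10,
        Parsed::Rejected => false,
    }
}

fn main() {
    // Constructed inputs: a plain loopback address and three leading-zero variants.
    for s in ["127.0.0.1", "012.0.0.1", "0127.0.0.1", "0x7f.0.0.1"].iter() {
        println!(
            "{:>12}  legacy={:?}  strict={:?}  c_style={:?}",
            s, parse_legacy(s), parse_strict(s), parse_c_style(s)
        );
    }
    // "012.0.0.1" passes the deny list as 12.0.0.1 (public), while a C-style
    // resolver reading the same string connects to 10.0.0.1 (private).
    println!("deny list passes 012.0.0.1: {}", legacy_denylist_passes("012.0.0.1"));
}
```

The divergence is the whole bug: the application validates the string with the legacy parser and sees a public address, then hands the same string to a library that reads the octet as octal and connects to a private one. The strict reader closes the gap by refusing to guess, which is also what current std::net does; on a toolchain at or above 1.53 `"012.0.0.1".parse::<Ipv4Addr>()` returns an error.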
Comment 2 Gianluca Gabrielli 2021-08-09 15:38:14 UTC
I managed to check out all the source code. The following package is affected too:
 - SUSE:SLE-15-SP3:Update/rust1.43 (as per comment#2 - read_ipv4_addr_impl)

While the following ones are already patched:
 - SUSE:SLE-15-SP3:Update/rust1.53
 - openSUSE:Factory/rust1.53
 - openSUSE:Factory/rust1.54
Comment 3 Gianluca Gabrielli 2021-08-10 07:32:26 UTC
(In reply to Gianluca Gabrielli from comment #2)
>  - SUSE:SLE-15-SP3:Update/rust1.43 (as per comment#2 - read_ipv4_addr_impl)

I meant comment#1
Comment 4 Thomas Leroy 2022-08-31 11:26:19 UTC

Hi William, this one seems to impact the Rust compiler itself. We expected a patch for SUSE:SLE-15:Update and SUSE:SLE-15-SP1:Update, but I think the fixing commit is included in the version we currently ship there.
I think the CVE is not mentioned in the changes file, so we lost track of it. Could you please add the CVE in the changes file of SUSE:SLE-15:Update/rust and SUSE:SLE-15-SP1:Update/rust? :)