Skip to content

Fixes API soundness issue in join()#81728

Merged
bors merged 2 commits intorust-lang:masterfrom
Qwaz:fix-80335
Mar 28, 2021
Merged

Fixes API soundness issue in join()#81728
bors merged 2 commits intorust-lang:masterfrom
Qwaz:fix-80335

Conversation

@Qwaz
Copy link
Contributor

@Qwaz Qwaz commented Feb 3, 2021

Fixes #80335

@rust-highfive
Copy link
Contributor

rust-highfive commented Feb 3, 2021

r? @joshtriplett

(rust-highfive has picked a reviewer for you, use r? to override)

@rust-highfive rust-highfive added the S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. label Feb 3, 2021
@JohnCSimon JohnCSimon added S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. and removed S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. labels Feb 23, 2021
@crlf0710 crlf0710 added T-libs Relevant to the library team, which will review and decide on the PR/issue. S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. and removed S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. labels Mar 12, 2021
@Dylan-DPC-zz
Copy link

Dylan-DPC-zz commented Mar 13, 2021

@joshtriplett any updates?

joshtriplett
joshtriplett reviewed Mar 18, 2021
View reviewed changes
@joshtriplett
Copy link
Member

joshtriplett commented Mar 18, 2021

One nit regarding updating an adjacent comment. r=me with that fixed.

@Qwaz
Copy link
Contributor Author

Qwaz commented Mar 20, 2021

I'm not familiar with rustbot commands, so I'm not sure I'm doing this correctly 😅

r=@joshtriplett

@Qwaz
Copy link
Contributor Author

Qwaz commented Mar 28, 2021

@bors r=@joshtriplett

@bors
Copy link
Collaborator

bors commented Mar 28, 2021

@Qwaz: 🔑 Insufficient privileges: Not in reviewers

@Qwaz
Copy link
Contributor Author

Qwaz commented Mar 28, 2021
edited
Loading

@Dylan-DPC @joshtriplett It seems that I don't have permission to run r= commands. Could you check again?

@JohnTitor
Copy link
Member

JohnTitor commented Mar 28, 2021

@bors r=joshtriplett

@bors
Copy link
Collaborator

bors commented Mar 28, 2021

📌 Commit 26a6270 has been approved by joshtriplett

@bors bors added S-waiting-on-bors Status: Waiting on bors to run and complete tests. Bors will change the label on completion. and removed S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. labels Mar 28, 2021
@bors
Copy link
Collaborator

bors commented Mar 28, 2021

⌛ Testing commit 26a6270 with merge 5208f63...

@bors
Copy link
Collaborator

bors commented Mar 28, 2021

☀️ Test successful - checks-actions
Approved by: joshtriplett
Pushing 5208f63 to master...

@bors bors added the merged-by-bors This PR was explicitly merged by bors. label Mar 28, 2021
@bors bors merged commit 5208f63 into rust-lang:master Mar 28, 2021
@rustbot rustbot added this to the 1.53.0 milestone Mar 28, 2021
@cuviper
Copy link
Member

cuviper commented Apr 16, 2021

This PR was cited as the fix for CVE-2020-36323, so I'm nominating it for beta.

@cuviper cuviper added the beta-nominated Nominated for backporting to the compiler in the beta channel. label Apr 16, 2021
@JohnTitor
Copy link
Member

JohnTitor commented Apr 16, 2021

The CVE description says:

In the standard library in Rust before 1.50.3

I'm not sure I'm following it correctly but it doesn't seem correct for me. It should be "before 1.52.0" if we backport this to beta?

@cuviper
Copy link
Member

cuviper commented Apr 16, 2021

I expect they meant 1.53.0, and yes that should become 1.52.0 if we backport.

@JohnTitor
Copy link
Member

JohnTitor commented Apr 16, 2021
edited
Loading

@cuviper Thanks for checking, is there a way to correct it by our hand? Nvm, I found it and sent an update request: https://cve.mitre.org/cve/update_cve_records.html

@cuviper
Copy link
Member

cuviper commented Apr 16, 2021

@Qwaz I believe you were involved in filing the recent CVEs -- do you have a way to make such updates?

@Qwaz
Copy link
Contributor Author

Qwaz commented Apr 18, 2021

Nvm, I found it and sent an update request: https://cve.mitre.org/cve/update_cve_records.html

This is the official way that I know.

@wesleywiser
Copy link
Member

wesleywiser commented Apr 22, 2021

We discussed this in the compiler team triage meeting this morning and decided to approve the backport.

@wesleywiser wesleywiser added beta-accepted Accepted for backporting to the compiler in the beta channel. beta-nominated Nominated for backporting to the compiler in the beta channel. and removed beta-nominated Nominated for backporting to the compiler in the beta channel. labels Apr 22, 2021
@cuviper cuviper mentioned this pull request Apr 26, 2021
Merged
@Mark-Simulacrum Mark-Simulacrum modified the milestones: 1.53.0, 1.52.0 Apr 27, 2021
@Mark-Simulacrum Mark-Simulacrum removed the beta-nominated Nominated for backporting to the compiler in the beta channel. label Apr 27, 2021
bors added a commit to rust-lang-ci/rust that referenced this pull request Apr 27, 2021
@bors
Auto merge of rust-lang#84603 - cuviper:beta-next, r=Mark-Simulacrum
f97769a 
[beta] backports

This backports two beta-accepted PRs, fixing CVE-2020-36323 and CVE-2021-31162.

- Fixes API soundness issue in `join()` rust-lang#81728
- Fix double-drop in `Vec::from_iter(vec.into_iter())` specialization when items drop during panic rust-lang#83629
@JohnTitor JohnTitor mentioned this pull request Apr 28, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@joshtriplett joshtriplett joshtriplett left review comments

Assignees

@joshtriplett joshtriplett

Labels

beta-accepted Accepted for backporting to the compiler in the beta channel. merged-by-bors This PR was explicitly merged by bors. S-waiting-on-bors Status: Waiting on bors to run and complete tests. Bors will change the label on completion. T-libs Relevant to the library team, which will review and decide on the PR/issue.

Projects

None yet

Milestone

1.52.0

Development

Successfully merging this pull request may close these issues.

API soundness issue in join() implementation of [Borrow<str>]