Clarify RUSTSEC-2020-0071 to mention that time was *setting* environment variables #1976

Closed
tbu- opened this issue Jun 3, 2024 · 3 comments · Fixed by #1977
Comments

tbu- (Contributor) commented Jun 3, 2024

@briansmith wrote:

Oh, sorry, I forgot the main request I had: We should update the text of the RUSTSEC advisories and the related CVE with more explanation of the issue, as the current advisory text, though not totally wrong, is not really helpful in helping people understand the issue.

tarcieri (Member) commented Jun 3, 2024

Is there a specific change you're proposing here? AFAICT the current relevant text is:

This requires an environment variable to be set in a different thread than the affected functions.

tbu- (Contributor, Author) commented Jun 3, 2024

Yes, that it only requires an environment variable to be read in a different thread than the affected functions.

This requires an environment variable to be ~~set~~ read in a different thread than the affected functions.

If the vulnerability required setting an environment variable in another thread, it wouldn't be a vulnerability according to the discussion in #1190. The crate in question also sets environment variables though: #1258, so reading environment variables in another thread is enough to trigger the vulnerability.
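To make the read/set distinction concrete, here is an added example (not code from this thread, from the advisory database, or from the time crate). It shows the two sides of the race the advisory describes: the C library's getenv(3), which hands back a pointer into the process environment rather than a copy, so a plain read in one thread is endangered as soon as any other thread sets or unsets a variable; and the hardened pattern of snapshotting the variables a program needs before spawning threads and never mutating the environment afterwards. It assumes a Unix target whose C library exports getenv; getenv is declared by hand so the example builds without the libc crate, and the function and constant names (raw_getenv, TZ_SNAPSHOT, init_tz_snapshot, tz_from_snapshot, workers_agree) are this example's own.

```rust
use std::ffi::{CStr, CString};
use std::os::raw::c_char;
use std::sync::OnceLock;
use std::thread;

// Declared by hand so the example builds without the `libc` crate; this is the
// C library's getenv(3), which Rust programs on Unix already link against.
// (Assumption: a Unix target with a libc that exports getenv.)
extern "C" {
    fn getenv(name: *const c_char) -> *mut c_char;
}

/// Hazardous read pattern, the kind of access C-library routines perform
/// internally: getenv() returns a pointer INTO the process environment, not a
/// copy. If any other thread calls setenv()/unsetenv() while that pointer is in
/// use, the block it points at may be freed or relocated, so the read touches
/// dangling memory. A crate that sets an environment variable itself is
/// therefore enough to endanger every other thread's plain *read*; the reader
/// does not have to set anything. This function copies the string out at once,
/// but the window between getenv() and the copy is exactly the race.
fn raw_getenv(name: &str) -> Option<String> {
    let cname = CString::new(name).ok()?;
    // SAFETY: sound only while no other thread modifies the environment;
    // that condition is what the advisory text is trying to express.
    unsafe {
        let p = getenv(cname.as_ptr());
        if p.is_null() {
            None
        } else {
            Some(CStr::from_ptr(p).to_string_lossy().into_owned())
        }
    }
}

/// Hardened pattern: snapshot the variables the program needs once, before any
/// worker thread exists, and never set environment variables at runtime.
/// Workers read the snapshot, so nothing touches the environment concurrently.
static TZ_SNAPSHOT: OnceLock<Option<String>> = OnceLock::new();

/// Take the snapshot; call this from the main thread before spawning workers.
fn init_tz_snapshot() -> Option<&'static str> {
    TZ_SNAPSHOT.get_or_init(|| std::env::var("TZ").ok()).as_deref()
}

/// What worker threads call: it never reads the environment itself.
fn tz_from_snapshot() -> Option<&'static str> {
    TZ_SNAPSHOT.get().and_then(|v| v.as_deref())
}

/// Spawn `n` workers that all consult TZ through the snapshot and report
/// whether every one of them saw the value captured by `init_tz_snapshot`.
fn workers_agree(n: usize) -> bool {
    let expected = tz_from_snapshot().map(str::to_owned);
    let handles: Vec<_> = (0..n)
        .map(|_| thread::spawn(|| tz_from_snapshot().map(str::to_owned)))
        .collect();
    handles.into_iter().all(|h| h.join().unwrap() == expected)
}

fn main() {
    // Mutate the environment only here: single-threaded, before anything else.
    // `unsafe` because std::env::set_var is unsafe in the 2024 edition for
    // precisely this reason (older editions only warn about the unused block).
    unsafe { std::env::set_var("TZ", "UTC") };
    println!("libc getenv sees TZ = {:?}", raw_getenv("TZ"));
    init_tz_snapshot();
    println!("all workers agree on the snapshot: {}", workers_agree(8));
}
```

The point of the split between init_tz_snapshot and tz_from_snapshot is that the only environment read happens while the process is still single-threaded; a crate that instead calls setenv from library code, as the thread notes the affected crate did, makes every other thread's getenv-style read unsound no matter how careful that other thread is.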

tarcieri (Member) commented Jun 3, 2024

Okay, want to open a PR with the proposed change?
