
Rust’s recent releases 1.34.0 and 1.34.1 affected by a vulnerability that can cause memory unsafety

  • 2 min read
  • 14 May 2019


Last week, the Rust team was informed about a vulnerability in Rust’s standard library, the details of which they shared yesterday. The vulnerability is caused by a function that was stabilized in the Rust 1.34.0 and 1.34.1 versions. The Common Vulnerabilities and Exposures (CVE) ID for this vulnerability is CVE-2019-12083.

What is the vulnerability?

The Rust standard library contains the `Error::type_id` method, which lets you acquire the `TypeId` (a globally unique identifier for a type) of the underlying error type in order to downcast back to the original type. The vulnerability arises when a manual implementation of this method interacts with the `Error::downcast` family of functions and causes a value to be cast to the wrong type.

Though the standard library provides a default implementation of `Error::type_id`, downstream crates can also implement it manually. An incorrect manual implementation can cause security issues such as out-of-bounds reads and writes. If your code does not have a manual implementation of `Error::type_id`, it is safe.

This vulnerability affects two stable versions, Rust 1.34.0 and 1.34.1, which were released last month. Also, since the function has been part of every release starting from Rust 1.0.0 (behind a nightly-only feature gate), this vulnerability may have affected code compiled with the nightly channel as well.


What are the mitigation steps?

The Rust team recommends immediately removing any manual implementations of `Error::type_id` and inheriting the default implementation, which is safe. As a long-term measure, the team plans to destabilize this function, which will be a breaking change both for users calling `Error::type_id` and for users overriding it.
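To make the mechanism described above and the recommended fix concrete, here is an added Rust model of the `type_id`/`downcast` machinery, constructed for this article and not code from the Rust project or the advisory; `ErrorLike`, `SmallErr`, `BigErr`, `LyingErr` and `type_id_is_honest` are all hypothetical names.

```rust
use std::any::TypeId;

// Model of std's `Error::type_id` / `Error::downcast` machinery, constructed
// here for illustration; it is not the real std trait. The `'static` bound
// lets the default method call `TypeId::of::<Self>()`.
trait ErrorLike: 'static {
    // Default implementation: always reports the implementor's true TypeId.
    // Inheriting it, rather than overriding, is the recommended mitigation.
    fn type_id(&self) -> TypeId {
        TypeId::of::<Self>()
    }
}

impl dyn ErrorLike {
    // The downcast family trusts whatever `type_id` reports.
    fn is<T: ErrorLike>(&self) -> bool {
        ErrorLike::type_id(self) == TypeId::of::<T>()
    }

    fn downcast_ref<T: ErrorLike>(&self) -> Option<&T> {
        if self.is::<T>() {
            // SAFETY: sound only if `type_id` told the truth about the concrete type.
            Some(unsafe { &*(self as *const dyn ErrorLike as *const T) })
        } else {
            None
        }
    }
}

struct SmallErr(u8); // one byte, inherits the safe default
impl ErrorLike for SmallErr {}

struct BigErr([u64; 8]); // sixty-four bytes, also uses the default
impl ErrorLike for BigErr {}

// Hypothetical buggy manual override that mis-reports itself as `BigErr`:
// the bug class behind CVE-2019-12083.
struct LyingErr(u8);
impl ErrorLike for LyingErr {
    fn type_id(&self) -> TypeId {
        TypeId::of::<BigErr>()
    }
}

// Unit-test-style check: does an error's reported TypeId match its real type?
fn type_id_is_honest<T: ErrorLike>(e: &T) -> bool {
    ErrorLike::type_id(e) == TypeId::of::<T>()
}
```

Downcasting a `LyingErr` to `BigErr` through this model would pass the `is` check and read 64 bytes out of a 1-byte value, which is the out-of-bounds read the advisory describes, so a crate with any hand-written `type_id` should assert `type_id_is_honest` for each error type in its tests.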

The team further wrote, “We will be releasing a 1.34.2 point release on 2019-05-14 (tomorrow) which reverts #58048 and destabilizes the Error::type_id function. The upcoming 1.35.0 release along with the beta/nightly channels will also all be updated with a destabilization.”

Read the full announcement on Rust’s official website.
