rustsec / advisory-db

Security advisory database for Rust crates published through crates.io
https://rustsec.org

Clarify RUSTSEC-2020-0071 to mention that time was *setting* environment variables #1976

Closed tbu- closed 1 month ago

tbu- commented 1 month ago

@briansmith wrote:

Oh, sorry, I forgot the main request I had: We should update the text of the RUSTSEC advisories and the related CVE with more explanation of the issue, as the current advisory text, though not totally wrong, is not really helpful in helping people understand the issue.

tarcieri commented 1 month ago

Is there a specific change you're proposing here? AFAICT the current relevant text is:

This requires an environment variable to be set in a different thread than the affected functions.

tbu- commented 1 month ago

Yes, that it only requires an environment variable to be read in a different thread than the affected functions.

This requires an environment variable to be ~set~ read in a different thread than the affected functions.

If the vulnerability required setting an environment variable in another thread, it wouldn't be a vulnerability according to the discussion in #1190. The crate in question also sets environment variables though: #1258, so reading environment variables in another thread is enough to trigger the vulnerability.

tarcieri commented 1 month ago

Okay, want to open a PR with the proposed change?