Add crossbeam-channel advisory re upstream MR #1187 #2277

Merged
merged 2 commits into from
Apr 10, 2025

@ijackson ijackson commented Apr 9, 2025

crossbeam-rs/crossbeam#1187

At the Tor Project we've assigned this TROVE-2025-013. Our ticket https://gitlab.torproject.org/tpo/core/arti/-/issues/1942

Thanks for your attention.

@djc djc left a comment

Thanks!

@taiki-e do you agree that this should be published?

aliases = ["TROVE-2025-013"]

[versions]
patched = [">= 0.5.14"]
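
Review bot: the `patched` bound on the last line, `>= 0.5.14`, has to name the first release that actually contains the fix from crossbeam-rs/crossbeam#1187; if it is one patch version too low, tools that consume this advisory will report a still-affected release as fixed. Check the bound against the published release that includes the upstream PR. The visible lines set only `patched`; if the defect was introduced in a known release, an `unaffected` range belongs beside it so older versions are not flagged.
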
Contributor

Looks like this should be 0.5.15?

Contributor Author

Good catch. <= vs < always confuses me.

url = "https://github.com/crossbeam-rs/crossbeam/pull/1187"
categories = ["memory-corruption"]
keywords = ["race"]
aliases = ["TROVE-2025-013"]
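
Review bot: on the `aliases` line, TROVE-2025-013 is a Tor Project tracker id, so consumers that match advisories across databases by alias will only link this entry to sources that also carry that id. If a CVE or GHSA id exists or is later assigned for the upstream fix, list it in `aliases` as well. `keywords = ["race"]` could also carry a second term describing the memory-corruption outcome, which would help search.
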
Contributor

Not sure about the TROVE alias -- seems kinda niche, are there other advisories here that have TROVE aliases already?

Contributor Author

Yes, but so far only tor-* crates (i.e., our crates).

ISTM that provided that the naming is unique enough (which I think it is, here), RUSTSEC should be promiscuous about accepting identifiers from other registries - but not necessarily proactive in seeking them out. But the policy is up to you.

Contributor

@tarcieri @alex opinions?

Member

I'm fine with it.

@djc djc merged commit ce8badf into rustsec:main Apr 10, 2025
1 check passed
@ijackson ijackson deleted the crossbeam branch April 10, 2025 14:05