https://github.com/rust-lang/rust/issues/53566 - this is yet another case of a standard library bug that should have gotten a CVE, but didn't. I've notified the security team and they replied (again) that they don't support old Rusts, and do not intend to do anything about it. So I've applied for a CVE myself.
It affects 1.18.0 onwards and was fixed just recently, in 1.30.0. The same attack vector causes a stack overflow on 1.17.0.
Seems like a good argument for getting these into rustsec. Where did we land on that @Tony Arcieri?
derp guess I haven't been keeping up here
uhh I think we're mostly at consensus that it's a reasonable enough idea, and you cataloguing the known ones in a GH issue and... that's it
next steps are how to represent them, whether we should distinguish e.g. std vs rustc vs (core? alloc?)
and what the schema should be
Fortunately a binary scanner is dead simple because rustc already encodes its version and LLVM version in everything it builds. Unfortunately, there is no way to tell if a particular function is used or not in an optimized binary, so we'll be showing false positives most of the time, by design. Also, Linux distros cherry-pick fixes to earlier versions sometimes, further confusing everything.