Reported

December 22, 2018

Issued

October 22, 2020 (last modified: February 10, 2024)

Package

libpulse-binding (crates.io)

Type

Vulnerability

Categories

• memory-corruption

Aliases

• CVE-2018-25001
• GHSA-6gvc-4jvj-pwq4
• GHSA-f56g-chqp-22m9

References

• https://github.com/advisories/GHSA-6gvc-4jvj-pwq4

CVSS Score

6.5 MEDIUM

CVSS Details

Attack vector

Network

Attack complexity

Low

Privileges required

Low

User interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Patched

• >=2.5.0

Unaffected

• <1.0.5

Description

Affected versions contained a possible use-after-free issue with property list iteration due to a lack of a lifetime constraint tying the lifetime of a proplist::Iterator to the Proplist object for which it was created. This made it possible for users, without experiencing a compiler error/warning, to destroy the Proplist object before the iterator, thus destroying the underlying C object the iterator works upon, before the iterator may be finished with it.

This impacts all versions of the crate before 2.5.0 back to 1.0.5. Before version 1.0.5 the function that produces the iterator was broken to the point of being useless.

Advisory available under CC0-1.0 license.