RUSTSEC-2019-0010

MultiDecoder::read() drops uninitialized memory of arbitrary type on panic in client code

Reported

July 4, 2019

Issued

October 1, 2020 (last modified: June 13, 2023)

Package

libflate (crates.io)

Type

Vulnerability

Keywords

#drop #use-after-free

Aliases

References

https://github.com/sile/libflate/issues/35

CVSS Score

9.8 CRITICAL

CVSS Details

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Patched

>=0.1.25

Unaffected

<0.1.14

Affected Functions

Version

libflate::gzip::MultiDecoder::read

<0.1.25, >=0.1.14

Description

Affected versions of libflate have set a field of an internal structure with a generic type to an uninitialized value in MultiDecoder::read() and reverted it to the original value after the function completed. However, execution of MultiDecoder::read() could be interrupted by a panic in caller-supplied Read implementation. This would cause drop() to be called on uninitialized memory of a generic type implementing Read.

This is equivalent to a use-after-free vulnerability and could allow an attacker to gain arbitrary code execution.

The flaw was corrected by aborting immediately instead of unwinding the stack in case of panic within MultiDecoder::read(). The issue was discovered and fixed by Shnatsel.

Advisory available under CC0-1.0 license.