
RUSTSEC-2019-0010

MultiDecoder::read() drops uninitialized memory of arbitrary type on panic in client code

Reported
Issued
Package
libflate (crates.io)
Type
Vulnerability
Keywords
#drop #use-after-free
Aliases
References
CVSS Score
9.8 CRITICAL
CVSS Details
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Patched
  • >=0.1.25
Unaffected
  • <0.1.14
Affected Functions
Version
libflate::gzip::MultiDecoder::read
  • <0.1.25, >=0.1.14

Description

Affected versions of libflate temporarily replaced a field of an internal structure, whose type is a generic parameter implementing Read, with an uninitialized value inside MultiDecoder::read() and restored the original value once the function completed. Between those two points MultiDecoder::read() calls into the caller-supplied Read implementation, and nothing prevents that implementation from panicking. If it did, stack unwinding ran drop() on the uninitialized memory of the generic Read type.

Dropping uninitialized memory is undefined behaviour. Its consequences are equivalent to a use-after-free vulnerability and could allow an attacker to gain arbitrary code execution, since the destructor that runs is chosen by the caller's Read type and operates on attacker-influenced garbage.

The flaw was corrected by aborting the process immediately, instead of unwinding the stack, if a panic occurs while MultiDecoder::read() holds the uninitialized value. The issue was discovered and fixed by Shnatsel.
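The following is an added example, not libflate's code, showing the two ways to make a "take the inner decoder out of self, run untrusted code, put it back" pattern panic-safe. The `SafeMultiDecoder`, `Inner`, `PanickingReader` and `AbortOnUnwind` names are hypothetical stand-ins for the structure the advisory describes. The first approach keeps the moved-out state as a valid `Option::None`, so an unwind drops nothing uninitialized and later calls get an error instead of undefined behaviour; the second is the advisory's fix, a guard that aborts the process if a panic unwinds through the window where the state would be invalid.

```rust
use std::io::{self, Read};
use std::mem;
use std::panic::{catch_unwind, AssertUnwindSafe};
use std::process;

/// Hypothetical inner per-member decoder wrapping the caller-supplied reader.
pub struct Inner<R> {
    reader: R,
}

impl<R: Read> Inner<R> {
    fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
        // This is the call into caller-controlled code that may panic.
        self.reader.read(buf)
    }
}

/// Wrapper that must move the inner decoder out of `self` by value while
/// running code that may unwind. Holding it as `Option` makes the moved-out
/// state a valid `None`, so a panic during `inner.read()` never drops
/// uninitialized memory.
pub struct SafeMultiDecoder<R> {
    inner: Option<Inner<R>>,
}

impl<R: Read> SafeMultiDecoder<R> {
    pub fn new(reader: R) -> Self {
        SafeMultiDecoder { inner: Some(Inner { reader }) }
    }

    pub fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
        let mut inner = self.inner.take().ok_or_else(|| {
            io::Error::new(io::ErrorKind::Other, "decoder poisoned by an earlier panic")
        })?;
        // If `inner.read` unwinds here, `self.inner` simply stays `None`.
        let result = inner.read(buf);
        // Restore on both Ok and Err; only a panic leaves the decoder poisoned.
        self.inner = Some(inner);
        result
    }

    pub fn is_poisoned(&self) -> bool {
        self.inner.is_none()
    }
}

/// Guard implementing the advisory's fix: constructed before the window in
/// which the struct holds an invalid value and `mem::forget`-ed after it, so
/// its destructor can only run during an unwind, where it aborts instead.
struct AbortOnUnwind;

impl Drop for AbortOnUnwind {
    fn drop(&mut self) {
        eprintln!("panic while decoder state was invalid; aborting");
        process::abort();
    }
}

pub fn with_abort_on_unwind<T>(f: impl FnOnce() -> T) -> T {
    let guard = AbortOnUnwind;
    let out = f();
    mem::forget(guard); // success path: defuse the guard
    out
}

/// Constructed caller-supplied Read implementation that always panics.
pub struct PanickingReader;

impl Read for PanickingReader {
    fn read(&mut self, _buf: &mut [u8]) -> io::Result<usize> {
        panic!("caller-supplied Read implementation panicked");
    }
}

/// Drive the panicking reader through the Option-based decoder and report
/// (panic was caught, decoder is poisoned and refuses further reads).
pub fn demo_panic_leaves_safe_state() -> (bool, bool) {
    let mut dec = SafeMultiDecoder::new(PanickingReader);
    let mut buf = [0u8; 8];
    let unwound = catch_unwind(AssertUnwindSafe(|| dec.read(&mut buf))).is_err();
    let poisoned = dec.is_poisoned();
    let second_read_fails = dec.read(&mut buf).is_err();
    (unwound, poisoned && second_read_fails)
}

/// Normal read over constructed input under the abort guard; the guard is
/// defused because nothing panics.
pub fn demo_normal_read() -> io::Result<usize> {
    let mut dec = SafeMultiDecoder::new(&b"constructed input"[..]);
    let mut buf = [0u8; 8];
    with_abort_on_unwind(|| dec.read(&mut buf))
}

fn main() {
    let (unwound, safe) = demo_panic_leaves_safe_state();
    println!("panic unwound: {unwound}, decoder left in a valid state: {safe}");
    println!("normal read under abort guard: {:?}", demo_normal_read());
}
```

Which of the two to use is a design choice: the `Option` form keeps the process alive and surfaces the problem as an I/O error, while the abort guard matches the advisory's fix and is the right tool when the invalid state cannot be represented safely (for example, when the field type has no cheap placeholder value). Either way, the rule is that no `unsafe` uninitialized value may be live across a call into caller-supplied code unless unwinding through that call is made impossible.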

Advisory available under CC0-1.0 license.