Reported

September 6, 2019

Issued

October 1, 2020 (last modified: June 13, 2023)

Package

generator (crates.io)

Type

Vulnerability

Keywords

#memory-corruption

Aliases

• CVE-2019-16144
• GHSA-6c65-xcf5-299x

References

• https://github.com/Xudong-Huang/generator-rs/issues/9

CVSS Score

7.5 HIGH

CVSS Details

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality Impact

None

Integrity Impact

None

Availability Impact

High

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Patched

• >=0.6.18

Description

Affected versions of this crate API could use uninitialized memory with some APIs in special cases, like use the API in none generator context. This could lead to UB. The flaw was corrected by https://github.com/Xudong-Huang/generator-rs/issues/9 https://github.com/Xudong-Huang/generator-rs/issues/11 https://github.com/Xudong-Huang/generator-rs/issues/13 https://github.com/Xudong-Huang/generator-rs/issues/14
This patch fixes all those issues above.

Advisory available under CC0-1.0 license.