RUSTSEC-2019-0020

fix unsound APIs that could lead to UB

Reported

September 6, 2019

Issued

October 1, 2020 (last modified: June 13, 2023)

Package

generator (crates.io)

Type

Vulnerability

Keywords

#memory-corruption

Aliases

References

https://github.com/Xudong-Huang/generator-rs/issues/9

CVSS Score

7.5 HIGH

CVSS Details

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Patched

>=0.6.18

Description

Affected versions of this crate API could use uninitialized memory with some APIs in special cases, like use the API in none generator context. This could lead to UB. The flaw was corrected by https://github.com/Xudong-Huang/generator-rs/issues/9 https://github.com/Xudong-Huang/generator-rs/issues/11 https://github.com/Xudong-Huang/generator-rs/issues/13 https://github.com/Xudong-Huang/generator-rs/issues/14
This patch fixes all those issues above.

Advisory available under CC0-1.0 license.