RUSTSEC-2020-0012

Relies on undefined behavior of char::from_u32_unchecked

Reported

April 24, 2020

Issued

October 2, 2020 (last modified: October 19, 2021)

Package

os_str_bytes (crates.io)

Type

Vulnerability

Aliases

CVE-2020-35865

Details

https://github.com/dylni/os_str_bytes/pull/1

CVSS Score

7.5 HIGH

CVSS Details

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Patched

>=2.0.0

Affected OSes

windows

Description

The Windows implementation of this crate relied on the behavior of std::char::from_u32_unchecked when its safety clause is violated. Even though this worked with Rust versions up to 1.42 (at least), that behavior could change with any new Rust version, possibly leading a security issue.

The flaw was corrected in version 2.0.0.